Analysis
-
max time kernel
38s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 21:01
Static task
static1
Behavioral task
behavioral1
Sample
14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73N.exe
Resource
win10v2004-20241007-en
General
-
Target
14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73N.exe
-
Size
89KB
-
MD5
d152b317abc31abcef04026cf9f4e5c0
-
SHA1
602ac9d80f3df0652bcc484d04d57628cf9135fc
-
SHA256
14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73
-
SHA512
3ab152fb8d9c5c433a2079ad52ab9d2e4ba89e45d92743bfd336e6865bec52b32ca695059ed6e76cf0324a1deb553879472262d22ce0158052cccf27fe0ba35c
-
SSDEEP
1536:LNYrkB3RzhCXmP4gld/ItNVGcjKXjUAtkXq6C2dHPL+cnlExkg8F:LIW3lhC2AS9ItNVGlXjUACqidj+cnla4
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aialjgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankabh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjpmkdpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alfdcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmjjmbgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbjhlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjbienl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfcik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aknnil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqqdjceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbppdfmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgogla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipdaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpjiik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eolljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qckalamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egndgdai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peolmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lckbkfbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mflgkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkhch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lglnajjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pppnia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmimif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lphlck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pobgjhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nepach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imhanp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilpkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eabeal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lflklaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Foblaefj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhnbklji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phbinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihooog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eefdgeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkhdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cinahhff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbmpnjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfijfdca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaeiqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceoagcld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Magfjebk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoihaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mibdcakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjanfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pknakhig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Midqiaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccloea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ancdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnipgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfbmlckg.exe -
Executes dropped EXE 64 IoCs
pid Process 2880 Hbknmicj.exe 2940 Hmpbja32.exe 2952 Hlcbfnjk.exe 2912 Hpoofm32.exe 2752 Ifhgcgjq.exe 2816 Ihjcko32.exe 2916 Iockhigl.exe 1428 Ihlpqonl.exe 1416 Ikjlmjmp.exe 3020 Ieppjclf.exe 2756 Ihnmfoli.exe 1264 Igcjgk32.exe 236 Ikoehj32.exe 1504 Iplnpq32.exe 2052 Ihcfan32.exe 2096 Jpnkep32.exe 1612 Jghcbjll.exe 716 Jjgonf32.exe 1912 Jlekja32.exe 1808 Jgkphj32.exe 1460 Jjilde32.exe 1424 Jofdll32.exe 964 Jfpmifoa.exe 2404 Jljeeqfn.exe 2400 Johaalea.exe 2848 Jcdmbk32.exe 2828 Jafmngde.exe 2800 Kdgfpbaf.exe 2740 Khcbpa32.exe 2736 Kfgcieii.exe 1852 Kheofahm.exe 1772 Knbgnhfd.exe 2676 Kqqdjceh.exe 2352 Knddcg32.exe 1656 Kbppdfmk.exe 2148 Kkhdml32.exe 2340 Kngaig32.exe 676 Kdqifajl.exe 1248 Kccian32.exe 2248 Lqgjkbop.exe 2316 Lcffgnnc.exe 1368 Lmnkpc32.exe 904 Lqjfpbmm.exe 2620 Ljbkig32.exe 1816 Liekddkh.exe 2504 Lkcgapjl.exe 1632 Lbmpnjai.exe 1592 Lelljepm.exe 1944 Lmcdkbao.exe 264 Lkfdfo32.exe 2232 Lndqbk32.exe 2804 Lfkhch32.exe 2704 Lijepc32.exe 2264 Lkhalo32.exe 1968 Lnfmhj32.exe 2120 Lbbiii32.exe 3040 Leqeed32.exe 1048 Milaecdp.exe 2388 Mljnaocd.exe 2480 Mnijnjbh.exe 2208 Mbdfni32.exe 944 Magfjebk.exe 1088 Mcfbfaao.exe 1528 Mganfp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2776 14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73N.exe 2776 14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73N.exe 2880 Hbknmicj.exe 2880 Hbknmicj.exe 2940 Hmpbja32.exe 2940 Hmpbja32.exe 2952 Hlcbfnjk.exe 2952 Hlcbfnjk.exe 2912 Hpoofm32.exe 2912 Hpoofm32.exe 2752 Ifhgcgjq.exe 2752 Ifhgcgjq.exe 2816 Ihjcko32.exe 2816 Ihjcko32.exe 2916 Iockhigl.exe 2916 Iockhigl.exe 1428 Ihlpqonl.exe 1428 Ihlpqonl.exe 1416 Ikjlmjmp.exe 1416 Ikjlmjmp.exe 3020 Ieppjclf.exe 3020 Ieppjclf.exe 2756 Ihnmfoli.exe 2756 Ihnmfoli.exe 1264 Igcjgk32.exe 1264 Igcjgk32.exe 236 Ikoehj32.exe 236 Ikoehj32.exe 1504 Iplnpq32.exe 1504 Iplnpq32.exe 2052 Ihcfan32.exe 2052 Ihcfan32.exe 2096 Jpnkep32.exe 2096 Jpnkep32.exe 1612 Jghcbjll.exe 1612 Jghcbjll.exe 716 Jjgonf32.exe 716 Jjgonf32.exe 1912 Jlekja32.exe 1912 Jlekja32.exe 1808 Jgkphj32.exe 1808 Jgkphj32.exe 1460 Jjilde32.exe 1460 Jjilde32.exe 1424 Jofdll32.exe 1424 Jofdll32.exe 964 Jfpmifoa.exe 964 Jfpmifoa.exe 2404 Jljeeqfn.exe 2404 Jljeeqfn.exe 2400 Johaalea.exe 2400 Johaalea.exe 2848 Jcdmbk32.exe 2848 Jcdmbk32.exe 2828 Jafmngde.exe 2828 Jafmngde.exe 2800 Kdgfpbaf.exe 2800 Kdgfpbaf.exe 2740 Khcbpa32.exe 2740 Khcbpa32.exe 2736 Kfgcieii.exe 2736 Kfgcieii.exe 1852 Kheofahm.exe 1852 Kheofahm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jokjjgme.dll Bjanfl32.exe File created C:\Windows\SysWOW64\Fghppa32.exe Fdjddf32.exe File created C:\Windows\SysWOW64\Phmiimlf.exe Peolmb32.exe File created C:\Windows\SysWOW64\Ihaifbnk.dll Gggclfkj.exe File created C:\Windows\SysWOW64\Mjodhe32.exe Mbhlgg32.exe File opened for modification C:\Windows\SysWOW64\Hfjfpkji.exe Process not Found File created C:\Windows\SysWOW64\Feccqime.exe Process not Found File created C:\Windows\SysWOW64\Imgmggec.dll Jafmngde.exe File opened for modification C:\Windows\SysWOW64\Mqfooonp.exe Mmkcoq32.exe File created C:\Windows\SysWOW64\Midqiaih.exe Mbjhlg32.exe File created C:\Windows\SysWOW64\Lgnefm32.dll Pelpgb32.exe File opened for modification C:\Windows\SysWOW64\Dglkba32.exe Ddmofeam.exe File opened for modification C:\Windows\SysWOW64\Mgaqohql.exe Mhopcl32.exe File created C:\Windows\SysWOW64\Omldapkm.dll Popkeh32.exe File opened for modification C:\Windows\SysWOW64\Dlfgehqk.exe Dihkimag.exe File opened for modification C:\Windows\SysWOW64\Nidmhd32.exe Nfeqli32.exe File created C:\Windows\SysWOW64\Jilkbn32.exe Jepoao32.exe File created C:\Windows\SysWOW64\Denknngk.exe Dglkba32.exe File created C:\Windows\SysWOW64\Oemjbe32.exe Obonfj32.exe File created C:\Windows\SysWOW64\Edidcb32.exe Eefdgeig.exe File created C:\Windows\SysWOW64\Glgdlgmm.dll Gcfgfack.exe File created C:\Windows\SysWOW64\Joeido32.dll Nbbhpegc.exe File opened for modification C:\Windows\SysWOW64\Oelcho32.exe Omekgakg.exe File opened for modification C:\Windows\SysWOW64\Hpbhphie.exe Haohel32.exe File opened for modification C:\Windows\SysWOW64\Jdbfjm32.exe Jacjna32.exe File created C:\Windows\SysWOW64\Mnnajk32.dll Jpigonhd.exe File opened for modification C:\Windows\SysWOW64\Hibebeqb.exe Process not Found File created C:\Windows\SysWOW64\Oikcicfl.exe Ofmgmhgh.exe File created C:\Windows\SysWOW64\Nnkekfkd.exe Nlmiojla.exe File created C:\Windows\SysWOW64\Dkpnji32.dll Cgmndokg.exe File created C:\Windows\SysWOW64\Qhngohip.dll Foblaefj.exe File created C:\Windows\SysWOW64\Fmmlah32.dll Ahioobed.exe File created C:\Windows\SysWOW64\Aiedgbnd.dll Dkhpfo32.exe File opened for modification C:\Windows\SysWOW64\Opmhqc32.exe Olalpdbc.exe File opened for modification C:\Windows\SysWOW64\Adeiobgc.exe Amnanefa.exe File created C:\Windows\SysWOW64\Jgkphj32.exe Jlekja32.exe File created C:\Windows\SysWOW64\Hiohip32.dll Lqjfpbmm.exe File created C:\Windows\SysWOW64\Dikpihnb.dll Ibejfffo.exe File created C:\Windows\SysWOW64\Jnllpnpo.dll Process not Found File created C:\Windows\SysWOW64\Cilbhdoi.dll Kccbgh32.exe File created C:\Windows\SysWOW64\Kjgidpgf.dll Bbocak32.exe File created C:\Windows\SysWOW64\Emailhfb.exe Process not Found File created C:\Windows\SysWOW64\Edohki32.exe Eaalom32.exe File created C:\Windows\SysWOW64\Hhdmgkhc.dll Kjfdcc32.exe File created C:\Windows\SysWOW64\Pinnoafp.dll Koejqi32.exe File created C:\Windows\SysWOW64\Fopjnd32.dll Cakfcfoc.exe File opened for modification C:\Windows\SysWOW64\Ieligmho.exe Ibmmkaik.exe File created C:\Windows\SysWOW64\Jlmddi32.exe Jinghn32.exe File created C:\Windows\SysWOW64\Jffakm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jocceo32.exe Process not Found File created C:\Windows\SysWOW64\Hehconob.exe Hamgno32.exe File created C:\Windows\SysWOW64\Ipdaek32.exe Iaaaiobc.exe File created C:\Windows\SysWOW64\Imjhfl32.dll Pihbbgjj.exe File created C:\Windows\SysWOW64\Lbdldg32.dll Jhihpl32.exe File opened for modification C:\Windows\SysWOW64\Mjmgbe32.exe Mfakbf32.exe File opened for modification C:\Windows\SysWOW64\Omlahqeo.exe Ojnelefl.exe File created C:\Windows\SysWOW64\Lkhalo32.exe Lijepc32.exe File created C:\Windows\SysWOW64\Encchoml.exe Ekdglcmh.exe File opened for modification C:\Windows\SysWOW64\Ihgpkinf.exe Hehconob.exe File created C:\Windows\SysWOW64\Jjhgdqef.exe Process not Found File created C:\Windows\SysWOW64\Dggbgadf.exe Ddhekfeb.exe File created C:\Windows\SysWOW64\Qaaghk32.dll Fnjiin32.exe File created C:\Windows\SysWOW64\Ilmgef32.exe Idepdhia.exe File opened for modification C:\Windows\SysWOW64\Ciknhb32.exe Ceoagcld.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1256 2740 Process not Found 1285 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkljfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihkimag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdjdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acbglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpnga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfgehn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdhnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfekkgla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbcgnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bghfacem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omoehf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojlife32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cifdmbib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqqdjceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkfmmqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaliaphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhljpmlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceioieei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmdcngbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkkckdhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbnkha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcghajkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhabe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kommediq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poinkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgdbpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajlhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ophoecoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmjgkpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkfmioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haggijgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofbikf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pelpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbjhlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panehkaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehaaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eajennij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqheei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haohel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelcho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nejdjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhpopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccceeqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfaaalep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmjanpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phoeomjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conpdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebghkjjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbgnhfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcoffd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjjmeie.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjalodg.dll" Papkcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqmcde32.dll" Bqngjcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efaglp32.dll" Odaqikaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neghdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhfljm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knodnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpofcajk.dll" Kcqfahom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afpchl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhnbklji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmpqbnmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkicala.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afbpnlcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Danohi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahdkhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqngjcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppikp32.dll" Conpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjfiqjch.dll" Nejdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omeini32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abiqcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajdego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppdnf32.dll" Iigehk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpcfih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhfhnofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfieo32.dll" Kpkcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljlgo32.dll" Ccolja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kejpdk32.dll" Kdilkllh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iokdaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cifdmbib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaiehfo.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcffgnnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmjan32.dll" Ilmgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpnci32.dll" Ncpgeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaeiqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bacgohjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkemli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaafge32.dll" Mcghajkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ediaanpp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbekip32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cogdhpkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceiinfd.dll" Oedqcdim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kimhhpgd.dll" Ckbccnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcknjidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfcnfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dglkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehlbbnf.dll" Edmkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koebjmbk.dll" Faikbkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaihlf32.dll" Gmgenh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnijnjbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpkqfdmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abfjga32.dll" Hajkip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gicpnhbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpalpp32.dll" Oejgbonl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2776 wrote to memory of 2880 2776 14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73N.exe 30 PID 2776 wrote to memory of 2880 2776 14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73N.exe 30 PID 2776 wrote to memory of 2880 2776 14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73N.exe 30 PID 2776 wrote to memory of 2880 2776 14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73N.exe 30 PID 2880 wrote to memory of 2940 2880 Hbknmicj.exe 31 PID 2880 wrote to memory of 2940 2880 Hbknmicj.exe 31 PID 2880 wrote to memory of 2940 2880 Hbknmicj.exe 31 PID 2880 wrote to memory of 2940 2880 Hbknmicj.exe 31 PID 2940 wrote to memory of 2952 2940 Hmpbja32.exe 32 PID 2940 wrote to memory of 2952 2940 Hmpbja32.exe 32 PID 2940 wrote to memory of 2952 2940 Hmpbja32.exe 32 PID 2940 wrote to memory of 2952 2940 Hmpbja32.exe 32 PID 2952 wrote to memory of 2912 2952 Hlcbfnjk.exe 33 PID 2952 wrote to memory of 2912 2952 Hlcbfnjk.exe 33 PID 2952 wrote to memory of 2912 2952 Hlcbfnjk.exe 33 PID 2952 wrote to memory of 2912 2952 Hlcbfnjk.exe 33 PID 2912 wrote to memory of 2752 2912 Hpoofm32.exe 34 PID 2912 wrote to memory of 2752 2912 Hpoofm32.exe 34 PID 2912 wrote to memory of 2752 2912 Hpoofm32.exe 34 PID 2912 wrote to memory of 2752 2912 Hpoofm32.exe 34 PID 2752 wrote to memory of 2816 2752 Ifhgcgjq.exe 35 PID 2752 wrote to memory of 2816 2752 Ifhgcgjq.exe 35 PID 2752 wrote to memory of 2816 2752 Ifhgcgjq.exe 35 PID 2752 wrote to memory of 2816 2752 Ifhgcgjq.exe 35 PID 2816 wrote to memory of 2916 2816 Ihjcko32.exe 36 PID 2816 wrote to memory of 2916 2816 Ihjcko32.exe 36 PID 2816 wrote to memory of 2916 2816 Ihjcko32.exe 36 PID 2816 wrote to memory of 2916 2816 Ihjcko32.exe 36 PID 2916 wrote to memory of 1428 2916 Iockhigl.exe 37 PID 2916 wrote to memory of 1428 2916 Iockhigl.exe 37 PID 2916 wrote to memory of 1428 2916 Iockhigl.exe 37 PID 2916 wrote to memory of 1428 2916 Iockhigl.exe 37 PID 1428 wrote to memory of 1416 1428 Ihlpqonl.exe 38 PID 1428 wrote to memory of 1416 1428 Ihlpqonl.exe 38 PID 1428 wrote to memory of 1416 1428 Ihlpqonl.exe 38 PID 1428 wrote to memory of 1416 1428 Ihlpqonl.exe 38 PID 1416 wrote to memory of 3020 1416 Ikjlmjmp.exe 39 PID 1416 wrote to memory of 3020 1416 Ikjlmjmp.exe 39 PID 1416 wrote to memory of 3020 1416 Ikjlmjmp.exe 39 PID 1416 wrote to memory of 3020 1416 Ikjlmjmp.exe 39 PID 3020 wrote to memory of 2756 3020 Ieppjclf.exe 40 PID 3020 wrote to memory of 2756 3020 Ieppjclf.exe 40 PID 3020 wrote to memory of 2756 3020 Ieppjclf.exe 40 PID 3020 wrote to memory of 2756 3020 Ieppjclf.exe 40 PID 2756 wrote to memory of 1264 2756 Ihnmfoli.exe 41 PID 2756 wrote to memory of 1264 2756 Ihnmfoli.exe 41 PID 2756 wrote to memory of 1264 2756 Ihnmfoli.exe 41 PID 2756 wrote to memory of 1264 2756 Ihnmfoli.exe 41 PID 1264 wrote to memory of 236 1264 Igcjgk32.exe 42 PID 1264 wrote to memory of 236 1264 Igcjgk32.exe 42 PID 1264 wrote to memory of 236 1264 Igcjgk32.exe 42 PID 1264 wrote to memory of 236 1264 Igcjgk32.exe 42 PID 236 wrote to memory of 1504 236 Ikoehj32.exe 43 PID 236 wrote to memory of 1504 236 Ikoehj32.exe 43 PID 236 wrote to memory of 1504 236 Ikoehj32.exe 43 PID 236 wrote to memory of 1504 236 Ikoehj32.exe 43 PID 1504 wrote to memory of 2052 1504 Iplnpq32.exe 44 PID 1504 wrote to memory of 2052 1504 Iplnpq32.exe 44 PID 1504 wrote to memory of 2052 1504 Iplnpq32.exe 44 PID 1504 wrote to memory of 2052 1504 Iplnpq32.exe 44 PID 2052 wrote to memory of 2096 2052 Ihcfan32.exe 45 PID 2052 wrote to memory of 2096 2052 Ihcfan32.exe 45 PID 2052 wrote to memory of 2096 2052 Ihcfan32.exe 45 PID 2052 wrote to memory of 2096 2052 Ihcfan32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73N.exe"C:\Users\Admin\AppData\Local\Temp\14aa6970807be59fe656fe16de9e2116595b984b7b7a61e8e99ca530dc549b73N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Hbknmicj.exeC:\Windows\system32\Hbknmicj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Hmpbja32.exeC:\Windows\system32\Hmpbja32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Hlcbfnjk.exeC:\Windows\system32\Hlcbfnjk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Hpoofm32.exeC:\Windows\system32\Hpoofm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Ifhgcgjq.exeC:\Windows\system32\Ifhgcgjq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ihjcko32.exeC:\Windows\system32\Ihjcko32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Iockhigl.exeC:\Windows\system32\Iockhigl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Ihlpqonl.exeC:\Windows\system32\Ihlpqonl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Ikjlmjmp.exeC:\Windows\system32\Ikjlmjmp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Ieppjclf.exeC:\Windows\system32\Ieppjclf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Ihnmfoli.exeC:\Windows\system32\Ihnmfoli.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Igcjgk32.exeC:\Windows\system32\Igcjgk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Ikoehj32.exeC:\Windows\system32\Ikoehj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Jpnkep32.exeC:\Windows\system32\Jpnkep32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Jghcbjll.exeC:\Windows\system32\Jghcbjll.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Jjgonf32.exeC:\Windows\system32\Jjgonf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:716 -
C:\Windows\SysWOW64\Jlekja32.exeC:\Windows\system32\Jlekja32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Jgkphj32.exeC:\Windows\system32\Jgkphj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Jofdll32.exeC:\Windows\system32\Jofdll32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Windows\SysWOW64\Jfpmifoa.exeC:\Windows\system32\Jfpmifoa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Jljeeqfn.exeC:\Windows\system32\Jljeeqfn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Johaalea.exeC:\Windows\system32\Johaalea.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Jcdmbk32.exeC:\Windows\system32\Jcdmbk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Khcbpa32.exeC:\Windows\system32\Khcbpa32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Kfgcieii.exeC:\Windows\system32\Kfgcieii.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Kheofahm.exeC:\Windows\system32\Kheofahm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Knbgnhfd.exeC:\Windows\system32\Knbgnhfd.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Windows\SysWOW64\Kqqdjceh.exeC:\Windows\system32\Kqqdjceh.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Knddcg32.exeC:\Windows\system32\Knddcg32.exe35⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Kkhdml32.exeC:\Windows\system32\Kkhdml32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Kngaig32.exeC:\Windows\system32\Kngaig32.exe38⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Kdqifajl.exeC:\Windows\system32\Kdqifajl.exe39⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Kccian32.exeC:\Windows\system32\Kccian32.exe40⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Lqgjkbop.exeC:\Windows\system32\Lqgjkbop.exe41⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Lcffgnnc.exeC:\Windows\system32\Lcffgnnc.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Lmnkpc32.exeC:\Windows\system32\Lmnkpc32.exe43⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Ljbkig32.exeC:\Windows\system32\Ljbkig32.exe45⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Liekddkh.exeC:\Windows\system32\Liekddkh.exe46⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Lkcgapjl.exeC:\Windows\system32\Lkcgapjl.exe47⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Lbmpnjai.exeC:\Windows\system32\Lbmpnjai.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Lelljepm.exeC:\Windows\system32\Lelljepm.exe49⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Lmcdkbao.exeC:\Windows\system32\Lmcdkbao.exe50⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Lkfdfo32.exeC:\Windows\system32\Lkfdfo32.exe51⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Lndqbk32.exeC:\Windows\system32\Lndqbk32.exe52⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Lfkhch32.exeC:\Windows\system32\Lfkhch32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Lijepc32.exeC:\Windows\system32\Lijepc32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Lkhalo32.exeC:\Windows\system32\Lkhalo32.exe55⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Lnfmhj32.exeC:\Windows\system32\Lnfmhj32.exe56⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe57⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Leqeed32.exeC:\Windows\system32\Leqeed32.exe58⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Milaecdp.exeC:\Windows\system32\Milaecdp.exe59⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe60⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Mnijnjbh.exeC:\Windows\system32\Mnijnjbh.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Mbdfni32.exeC:\Windows\system32\Mbdfni32.exe62⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Mcfbfaao.exeC:\Windows\system32\Mcfbfaao.exe64⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe65⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Mjpkbk32.exeC:\Windows\system32\Mjpkbk32.exe66⤵PID:1076
-
C:\Windows\SysWOW64\Majcoepi.exeC:\Windows\system32\Majcoepi.exe67⤵PID:2336
-
C:\Windows\SysWOW64\Meeopdhb.exeC:\Windows\system32\Meeopdhb.exe68⤵PID:340
-
C:\Windows\SysWOW64\Mchokq32.exeC:\Windows\system32\Mchokq32.exe69⤵PID:2276
-
C:\Windows\SysWOW64\Mffkgl32.exeC:\Windows\system32\Mffkgl32.exe70⤵
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Mjbghkfi.exeC:\Windows\system32\Mjbghkfi.exe71⤵PID:2808
-
C:\Windows\SysWOW64\Mnncii32.exeC:\Windows\system32\Mnncii32.exe72⤵PID:2768
-
C:\Windows\SysWOW64\Malpee32.exeC:\Windows\system32\Malpee32.exe73⤵PID:2492
-
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe74⤵PID:1172
-
C:\Windows\SysWOW64\Mhfhaoec.exeC:\Windows\system32\Mhfhaoec.exe75⤵PID:3016
-
C:\Windows\SysWOW64\Mjddnjdf.exeC:\Windows\system32\Mjddnjdf.exe76⤵PID:1132
-
C:\Windows\SysWOW64\Migdig32.exeC:\Windows\system32\Migdig32.exe77⤵PID:1100
-
C:\Windows\SysWOW64\Manljd32.exeC:\Windows\system32\Manljd32.exe78⤵PID:1940
-
C:\Windows\SysWOW64\Mdmhfpkg.exeC:\Windows\system32\Mdmhfpkg.exe79⤵PID:2252
-
C:\Windows\SysWOW64\Mfkebkjk.exeC:\Windows\system32\Mfkebkjk.exe80⤵PID:896
-
C:\Windows\SysWOW64\Mjgqcj32.exeC:\Windows\system32\Mjgqcj32.exe81⤵PID:1676
-
C:\Windows\SysWOW64\Mmemoe32.exeC:\Windows\system32\Mmemoe32.exe82⤵PID:2652
-
C:\Windows\SysWOW64\Npcika32.exeC:\Windows\system32\Npcika32.exe83⤵PID:1604
-
C:\Windows\SysWOW64\Nbbegl32.exeC:\Windows\system32\Nbbegl32.exe84⤵PID:1516
-
C:\Windows\SysWOW64\Nepach32.exeC:\Windows\system32\Nepach32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Npffaq32.exeC:\Windows\system32\Npffaq32.exe86⤵PID:2860
-
C:\Windows\SysWOW64\Nbdbml32.exeC:\Windows\system32\Nbdbml32.exe87⤵PID:2896
-
C:\Windows\SysWOW64\Nebnigmp.exeC:\Windows\system32\Nebnigmp.exe88⤵PID:2296
-
C:\Windows\SysWOW64\Ninjjf32.exeC:\Windows\system32\Ninjjf32.exe89⤵PID:2136
-
C:\Windows\SysWOW64\Nlmffa32.exeC:\Windows\system32\Nlmffa32.exe90⤵PID:1456
-
C:\Windows\SysWOW64\Nokcbm32.exeC:\Windows\system32\Nokcbm32.exe91⤵PID:1620
-
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe92⤵PID:2024
-
C:\Windows\SysWOW64\Neekogkm.exeC:\Windows\system32\Neekogkm.exe93⤵PID:1932
-
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe94⤵PID:2668
-
C:\Windows\SysWOW64\Nkbcgnie.exeC:\Windows\system32\Nkbcgnie.exe95⤵
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Nbilhkig.exeC:\Windows\system32\Nbilhkig.exe96⤵PID:2156
-
C:\Windows\SysWOW64\Neghdg32.exeC:\Windows\system32\Neghdg32.exe97⤵
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Nlapaapg.exeC:\Windows\system32\Nlapaapg.exe98⤵PID:2712
-
C:\Windows\SysWOW64\Nkdpmn32.exeC:\Windows\system32\Nkdpmn32.exe99⤵PID:2692
-
C:\Windows\SysWOW64\Nmbmii32.exeC:\Windows\system32\Nmbmii32.exe100⤵PID:2448
-
C:\Windows\SysWOW64\Nejdjf32.exeC:\Windows\system32\Nejdjf32.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Nhhqfb32.exeC:\Windows\system32\Nhhqfb32.exe102⤵PID:2452
-
C:\Windows\SysWOW64\Okfmbm32.exeC:\Windows\system32\Okfmbm32.exe103⤵PID:2100
-
C:\Windows\SysWOW64\Omeini32.exeC:\Windows\system32\Omeini32.exe104⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Oaqeogll.exeC:\Windows\system32\Oaqeogll.exe105⤵PID:928
-
C:\Windows\SysWOW64\Ohjmlaci.exeC:\Windows\system32\Ohjmlaci.exe106⤵PID:1928
-
C:\Windows\SysWOW64\Ogmngn32.exeC:\Windows\system32\Ogmngn32.exe107⤵PID:2672
-
C:\Windows\SysWOW64\Oiljcj32.exeC:\Windows\system32\Oiljcj32.exe108⤵PID:2792
-
C:\Windows\SysWOW64\Omgfdhbq.exeC:\Windows\system32\Omgfdhbq.exe109⤵PID:2836
-
C:\Windows\SysWOW64\Opebpdad.exeC:\Windows\system32\Opebpdad.exe110⤵PID:1572
-
C:\Windows\SysWOW64\Ocdnloph.exeC:\Windows\system32\Ocdnloph.exe111⤵PID:2728
-
C:\Windows\SysWOW64\Okkfmmqj.exeC:\Windows\system32\Okkfmmqj.exe112⤵
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe113⤵PID:2748
-
C:\Windows\SysWOW64\Ophoecoa.exeC:\Windows\system32\Ophoecoa.exe114⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Odckfb32.exeC:\Windows\system32\Odckfb32.exe115⤵PID:1616
-
C:\Windows\SysWOW64\Ogbgbn32.exeC:\Windows\system32\Ogbgbn32.exe116⤵PID:2140
-
C:\Windows\SysWOW64\Oipcnieb.exeC:\Windows\system32\Oipcnieb.exe117⤵PID:3060
-
C:\Windows\SysWOW64\Olopjddf.exeC:\Windows\system32\Olopjddf.exe118⤵PID:1812
-
C:\Windows\SysWOW64\Oomlfpdi.exeC:\Windows\system32\Oomlfpdi.exe119⤵PID:2932
-
C:\Windows\SysWOW64\Ogddhmdl.exeC:\Windows\system32\Ogddhmdl.exe120⤵PID:2980
-
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe121⤵PID:872
-
C:\Windows\SysWOW64\Olalpdbc.exeC:\Windows\system32\Olalpdbc.exe122⤵
- Drops file in System32 directory
PID:2384
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-