Analysis
-
max time kernel
25s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 02:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3.exe
-
Size
464KB
-
MD5
1ba415d3e3a41a4b84d0c2a5532b8666
-
SHA1
34a2436fa9591531697d5c9ae79f4d79c4a797dc
-
SHA256
9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3
-
SHA512
7931ced812f0ee058ddd833b7fc5fbc00859e66dbb1bf90acc997757e629ac8e724e6c852c9c424f4f9d595e8131153d53914ec33313914e44f6fe250368641c
-
SSDEEP
6144:hIcv9pNjtEOIIIPCn4EOIuIPJEOOcHTETKEOIIIPCN:6A9BEVI2C4EVu2JEVcBEVI2CN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddaemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mblbnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkicbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmhahkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoqjqhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oioipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppfafcpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfnnajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlqjkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdcjpncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imlhebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oimmjffj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgflflqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hieiqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imlhebfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaecod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpdcfoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebqngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipejmko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbjbge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lohccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekdchf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdekgjno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfgjml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfgjml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoblnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bacihmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqolji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbjcpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhdegn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Homdhjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmccqbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Difqji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknpadcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbnjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpflkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llmmpcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odkgec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfoaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fimoiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njhfcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jajmjcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbclgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jimdcqom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmjoqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaejojjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhoklnkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kalipcmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibhicbao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imodkadq.exe -
Executes dropped EXE 64 IoCs
pid Process 2196 Jlphbbbg.exe 2540 Khghgchk.exe 2720 Kncaojfb.exe 2724 Lonpma32.exe 2876 Loqmba32.exe 2664 Lohccp32.exe 2104 Mqklqhpg.exe 1752 Mqpflg32.exe 2516 Mbcoio32.exe 1708 Nbjeinje.exe 1196 Neiaeiii.exe 316 Njhfcp32.exe 2856 Nenkqi32.exe 2940 Padhdm32.exe 2596 Phnpagdp.exe 1820 Pafdjmkq.exe 2040 Pgcmbcih.exe 2588 Paiaplin.exe 1384 Pkaehb32.exe 1076 Pdjjag32.exe 2280 Pnbojmmp.exe 1192 Qgjccb32.exe 2116 Qpbglhjq.exe 2244 Qeppdo32.exe 372 Aohdmdoh.exe 2832 Ahpifj32.exe 2828 Acfmcc32.exe 2956 Akabgebj.exe 2900 Adifpk32.exe 2644 Anbkipok.exe 3044 Akfkbd32.exe 3036 Bhjlli32.exe 2120 Bnfddp32.exe 2404 Bniajoic.exe 1740 Bfdenafn.exe 1376 Boljgg32.exe 1368 Bieopm32.exe 2712 Bfioia32.exe 684 Bkegah32.exe 1776 Ciihklpj.exe 948 Cnfqccna.exe 2964 Cgoelh32.exe 1724 Cbdiia32.exe 1596 Cjonncab.exe 2072 Cgcnghpl.exe 668 Cegoqlof.exe 2328 Dmbcen32.exe 2648 Dfkhndca.exe 1636 Dpcmgi32.exe 1732 Dilapopb.exe 1828 Ddaemh32.exe 860 Dlljaj32.exe 1720 Deenjpcd.exe 908 Domccejd.exe 1656 Eibgpnjk.exe 780 Ekdchf32.exe 2388 Ebklic32.exe 1564 Ehhdaj32.exe 3032 Eoblnd32.exe 2560 Edoefl32.exe 2888 Emgioakg.exe 2776 Ehlmljkm.exe 2176 Einjdb32.exe 2736 Edcnakpa.exe -
Loads dropped DLL 64 IoCs
pid Process 2356 9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3.exe 2356 9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3.exe 2196 Jlphbbbg.exe 2196 Jlphbbbg.exe 2540 Khghgchk.exe 2540 Khghgchk.exe 2720 Kncaojfb.exe 2720 Kncaojfb.exe 2724 Lonpma32.exe 2724 Lonpma32.exe 2876 Loqmba32.exe 2876 Loqmba32.exe 2664 Lohccp32.exe 2664 Lohccp32.exe 2104 Mqklqhpg.exe 2104 Mqklqhpg.exe 1752 Mqpflg32.exe 1752 Mqpflg32.exe 2516 Mbcoio32.exe 2516 Mbcoio32.exe 1708 Nbjeinje.exe 1708 Nbjeinje.exe 1196 Neiaeiii.exe 1196 Neiaeiii.exe 316 Njhfcp32.exe 316 Njhfcp32.exe 2856 Nenkqi32.exe 2856 Nenkqi32.exe 2940 Padhdm32.exe 2940 Padhdm32.exe 2596 Phnpagdp.exe 2596 Phnpagdp.exe 1820 Pafdjmkq.exe 1820 Pafdjmkq.exe 2040 Pgcmbcih.exe 2040 Pgcmbcih.exe 2588 Paiaplin.exe 2588 Paiaplin.exe 1384 Pkaehb32.exe 1384 Pkaehb32.exe 1076 Pdjjag32.exe 1076 Pdjjag32.exe 2280 Pnbojmmp.exe 2280 Pnbojmmp.exe 1192 Qgjccb32.exe 1192 Qgjccb32.exe 2116 Qpbglhjq.exe 2116 Qpbglhjq.exe 2244 Qeppdo32.exe 2244 Qeppdo32.exe 372 Aohdmdoh.exe 372 Aohdmdoh.exe 2832 Ahpifj32.exe 2832 Ahpifj32.exe 2828 Acfmcc32.exe 2828 Acfmcc32.exe 2956 Akabgebj.exe 2956 Akabgebj.exe 2900 Adifpk32.exe 2900 Adifpk32.exe 2644 Anbkipok.exe 2644 Anbkipok.exe 3044 Akfkbd32.exe 3044 Akfkbd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pccohd32.dll Jfmkbebl.exe File created C:\Windows\SysWOW64\Glffke32.dll Ekdchf32.exe File opened for modification C:\Windows\SysWOW64\Nfgjml32.exe Ncinap32.exe File opened for modification C:\Windows\SysWOW64\Cmppehkh.exe Ccgklc32.exe File created C:\Windows\SysWOW64\Ebnabb32.exe Ejcmmp32.exe File created C:\Windows\SysWOW64\Hjfnnajl.exe Hoqjqhjf.exe File opened for modification C:\Windows\SysWOW64\Oaogognm.exe Odkgec32.exe File opened for modification C:\Windows\SysWOW64\Kdphjm32.exe Kocpbfei.exe File created C:\Windows\SysWOW64\Nenkqi32.exe Njhfcp32.exe File created C:\Windows\SysWOW64\Pnbojmmp.exe Pdjjag32.exe File opened for modification C:\Windows\SysWOW64\Bieopm32.exe Boljgg32.exe File created C:\Windows\SysWOW64\Fikbiheg.dll Cegoqlof.exe File created C:\Windows\SysWOW64\Onipnblf.dll Modlbmmn.exe File opened for modification C:\Windows\SysWOW64\Bfioia32.exe Bieopm32.exe File opened for modification C:\Windows\SysWOW64\Ngpqfp32.exe Mdadjd32.exe File created C:\Windows\SysWOW64\Fdpojm32.dll Nmflee32.exe File opened for modification C:\Windows\SysWOW64\Adifpk32.exe Akabgebj.exe File created C:\Windows\SysWOW64\Hjmicg32.dll Lkicbk32.exe File created C:\Windows\SysWOW64\Djlfma32.exe Dgnjqe32.exe File opened for modification C:\Windows\SysWOW64\Boljgg32.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Bieopm32.exe Boljgg32.exe File created C:\Windows\SysWOW64\Ndlaqocp.dll Hcajhi32.exe File created C:\Windows\SysWOW64\Phfoee32.exe Pehcij32.exe File created C:\Windows\SysWOW64\Qpbglhjq.exe Qgjccb32.exe File created C:\Windows\SysWOW64\Acicla32.exe Apkgpf32.exe File opened for modification C:\Windows\SysWOW64\Fdkmeiei.exe Famaimfe.exe File created C:\Windows\SysWOW64\Clffbc32.dll Hgnokgcc.exe File created C:\Windows\SysWOW64\Aaejojjq.exe Ahmefdcp.exe File opened for modification C:\Windows\SysWOW64\Cfckcoen.exe Cmkfji32.exe File created C:\Windows\SysWOW64\Elibpg32.exe Ebqngb32.exe File opened for modification C:\Windows\SysWOW64\Qeppdo32.exe Qpbglhjq.exe File created C:\Windows\SysWOW64\Ljamki32.dll Qpbglhjq.exe File opened for modification C:\Windows\SysWOW64\Deenjpcd.exe Dlljaj32.exe File created C:\Windows\SysWOW64\Edoefl32.exe Eoblnd32.exe File opened for modification C:\Windows\SysWOW64\Nmflee32.exe Ncmglp32.exe File created C:\Windows\SysWOW64\Einjdb32.exe Ehlmljkm.exe File created C:\Windows\SysWOW64\Jajmjcoe.exe Jokqnhpa.exe File created C:\Windows\SysWOW64\Lhkbmo32.dll Djlfma32.exe File created C:\Windows\SysWOW64\Aacjid32.dll Gcmamj32.exe File opened for modification C:\Windows\SysWOW64\Hnnhngjf.exe Hiqoeplo.exe File created C:\Windows\SysWOW64\Ckeqga32.exe Bqolji32.exe File opened for modification C:\Windows\SysWOW64\Cjljnn32.exe Cqdfehii.exe File created C:\Windows\SysWOW64\Icdcllpc.exe Imjkpb32.exe File created C:\Windows\SysWOW64\Jigbebhb.exe Jbnjhh32.exe File created C:\Windows\SysWOW64\Henmilod.dll Oflpgnld.exe File created C:\Windows\SysWOW64\Leghmkmk.dll Dfhdnn32.exe File created C:\Windows\SysWOW64\Nbhebh32.dll Honnki32.exe File created C:\Windows\SysWOW64\Fcmdnfad.exe Fiepea32.exe File created C:\Windows\SysWOW64\Hfbcidmk.exe Hcdgmimg.exe File created C:\Windows\SysWOW64\Ofkggbgh.dll Jhahanie.exe File created C:\Windows\SysWOW64\Fmikim32.dll Kigndekn.exe File opened for modification C:\Windows\SysWOW64\Fkqlgc32.exe Fbegbacp.exe File created C:\Windows\SysWOW64\Agbbgqhh.exe Aaejojjq.exe File opened for modification C:\Windows\SysWOW64\Kocpbfei.exe Khjgel32.exe File created C:\Windows\SysWOW64\Pehcij32.exe Pbigmn32.exe File created C:\Windows\SysWOW64\Mqklqhpg.exe Lohccp32.exe File opened for modification C:\Windows\SysWOW64\Ehhdaj32.exe Ebklic32.exe File opened for modification C:\Windows\SysWOW64\Hbkqdepm.exe Homdhjai.exe File created C:\Windows\SysWOW64\Fmdpgmhn.dll Mhjcec32.exe File created C:\Windows\SysWOW64\Oniebmda.exe Oimmjffj.exe File created C:\Windows\SysWOW64\Ibbclaqa.dll Hiqoeplo.exe File opened for modification C:\Windows\SysWOW64\Japciodd.exe Jggoqimd.exe File created C:\Windows\SysWOW64\Ijjnkj32.dll Kbmome32.exe File created C:\Windows\SysWOW64\Ehlmljkm.exe Emgioakg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4176 4152 WerFault.exe 339 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmlhbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjjag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbcidmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfepod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkkbjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdlng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldhkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imjkpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imodkadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpajbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbaci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimoiopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giolnomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdphjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhljkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpfplo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnochnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflpgnld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neiaeiii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkjdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbclgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domccejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadojlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjedmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfnnajl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eipgjaoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdcllpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbphh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjefamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djlfma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiqpigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjeinje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlljaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjbpne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdldd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koflgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiaplin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfbfhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnabb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkipdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdekgjno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmqgmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keqkofno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeccjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akabgebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdffoij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekfnoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknpadcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjlli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kechdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alageg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgnjqe32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obbdml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gkebafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopmpa32.dll" Anadojlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aondioej.dll" Gjdldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjnhhjjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpfplo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pblcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahmefdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhknco32.dll" Jijokbfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Famaimfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fijjok32.dll" Homdhjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmfenoo.dll" Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kncaojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpcmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklfipaq.dll" Jjkkbjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfmmcec.dll" Fdekgjno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kechdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemgfj32.dll" Qmhahkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnbojmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijkocg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncmglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qldhkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnokgjk.dll" Ehlmljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjkhi32.dll" Fcmdnfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jajmjcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bqolji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfdenafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agbbgqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjigmkld.dll" Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnnpb32.dll" Eipgjaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghanagbo.dll" Llmmpcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkehop32.dll" Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddaemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maadfi32.dll" Ipomlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbnjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echjfecq.dll" Dlljaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehlmljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkmghhf.dll" Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iebldo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehhdaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Godaakic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fimoiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Imodkadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhjcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnkoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfeflj32.dll" Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngpqfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbhccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbggodl.dll" Dilapopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehhdaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgflflqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbigmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoebflm.dll" Ibhicbao.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2196 2356 9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3.exe 31 PID 2356 wrote to memory of 2196 2356 9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3.exe 31 PID 2356 wrote to memory of 2196 2356 9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3.exe 31 PID 2356 wrote to memory of 2196 2356 9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3.exe 31 PID 2196 wrote to memory of 2540 2196 Jlphbbbg.exe 32 PID 2196 wrote to memory of 2540 2196 Jlphbbbg.exe 32 PID 2196 wrote to memory of 2540 2196 Jlphbbbg.exe 32 PID 2196 wrote to memory of 2540 2196 Jlphbbbg.exe 32 PID 2540 wrote to memory of 2720 2540 Khghgchk.exe 33 PID 2540 wrote to memory of 2720 2540 Khghgchk.exe 33 PID 2540 wrote to memory of 2720 2540 Khghgchk.exe 33 PID 2540 wrote to memory of 2720 2540 Khghgchk.exe 33 PID 2720 wrote to memory of 2724 2720 Kncaojfb.exe 34 PID 2720 wrote to memory of 2724 2720 Kncaojfb.exe 34 PID 2720 wrote to memory of 2724 2720 Kncaojfb.exe 34 PID 2720 wrote to memory of 2724 2720 Kncaojfb.exe 34 PID 2724 wrote to memory of 2876 2724 Lonpma32.exe 35 PID 2724 wrote to memory of 2876 2724 Lonpma32.exe 35 PID 2724 wrote to memory of 2876 2724 Lonpma32.exe 35 PID 2724 wrote to memory of 2876 2724 Lonpma32.exe 35 PID 2876 wrote to memory of 2664 2876 Loqmba32.exe 36 PID 2876 wrote to memory of 2664 2876 Loqmba32.exe 36 PID 2876 wrote to memory of 2664 2876 Loqmba32.exe 36 PID 2876 wrote to memory of 2664 2876 Loqmba32.exe 36 PID 2664 wrote to memory of 2104 2664 Lohccp32.exe 37 PID 2664 wrote to memory of 2104 2664 Lohccp32.exe 37 PID 2664 wrote to memory of 2104 2664 Lohccp32.exe 37 PID 2664 wrote to memory of 2104 2664 Lohccp32.exe 37 PID 2104 wrote to memory of 1752 2104 Mqklqhpg.exe 38 PID 2104 wrote to memory of 1752 2104 Mqklqhpg.exe 38 PID 2104 wrote to memory of 1752 2104 Mqklqhpg.exe 38 PID 2104 wrote to memory of 1752 2104 Mqklqhpg.exe 38 PID 1752 wrote to memory of 2516 1752 Mqpflg32.exe 39 PID 1752 wrote to memory of 2516 1752 Mqpflg32.exe 39 PID 1752 wrote to memory of 2516 1752 Mqpflg32.exe 39 PID 1752 wrote to memory of 2516 1752 Mqpflg32.exe 39 PID 2516 wrote to memory of 1708 2516 Mbcoio32.exe 40 PID 2516 wrote to memory of 1708 2516 Mbcoio32.exe 40 PID 2516 wrote to memory of 1708 2516 Mbcoio32.exe 40 PID 2516 wrote to memory of 1708 2516 Mbcoio32.exe 40 PID 1708 wrote to memory of 1196 1708 Nbjeinje.exe 41 PID 1708 wrote to memory of 1196 1708 Nbjeinje.exe 41 PID 1708 wrote to memory of 1196 1708 Nbjeinje.exe 41 PID 1708 wrote to memory of 1196 1708 Nbjeinje.exe 41 PID 1196 wrote to memory of 316 1196 Neiaeiii.exe 42 PID 1196 wrote to memory of 316 1196 Neiaeiii.exe 42 PID 1196 wrote to memory of 316 1196 Neiaeiii.exe 42 PID 1196 wrote to memory of 316 1196 Neiaeiii.exe 42 PID 316 wrote to memory of 2856 316 Njhfcp32.exe 43 PID 316 wrote to memory of 2856 316 Njhfcp32.exe 43 PID 316 wrote to memory of 2856 316 Njhfcp32.exe 43 PID 316 wrote to memory of 2856 316 Njhfcp32.exe 43 PID 2856 wrote to memory of 2940 2856 Nenkqi32.exe 44 PID 2856 wrote to memory of 2940 2856 Nenkqi32.exe 44 PID 2856 wrote to memory of 2940 2856 Nenkqi32.exe 44 PID 2856 wrote to memory of 2940 2856 Nenkqi32.exe 44 PID 2940 wrote to memory of 2596 2940 Padhdm32.exe 45 PID 2940 wrote to memory of 2596 2940 Padhdm32.exe 45 PID 2940 wrote to memory of 2596 2940 Padhdm32.exe 45 PID 2940 wrote to memory of 2596 2940 Padhdm32.exe 45 PID 2596 wrote to memory of 1820 2596 Phnpagdp.exe 46 PID 2596 wrote to memory of 1820 2596 Phnpagdp.exe 46 PID 2596 wrote to memory of 1820 2596 Phnpagdp.exe 46 PID 2596 wrote to memory of 1820 2596 Phnpagdp.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3.exe"C:\Users\Admin\AppData\Local\Temp\9577a832893a68633c6a9f36fba48acac3ef1c6679013be2dab1d5ee75465ca3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1384 -
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:372 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Akabgebj.exeC:\Windows\system32\Akabgebj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Adifpk32.exeC:\Windows\system32\Adifpk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe34⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe35⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Bfdenafn.exeC:\Windows\system32\Bfdenafn.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe39⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe40⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe41⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe43⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe44⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:668 -
C:\Windows\SysWOW64\Dmbcen32.exeC:\Windows\system32\Dmbcen32.exe48⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe49⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe54⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Domccejd.exeC:\Windows\system32\Domccejd.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:908 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe56⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe61⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe64⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe65⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe68⤵PID:1640
-
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe69⤵PID:3048
-
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe70⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe71⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe72⤵PID:2924
-
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe73⤵PID:1864
-
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe74⤵
- System Location Discovery: System Language Discovery
PID:108 -
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe75⤵PID:648
-
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe77⤵PID:2892
-
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe78⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe79⤵PID:1592
-
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe80⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe81⤵PID:2460
-
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe82⤵PID:2844
-
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe84⤵PID:1792
-
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe86⤵PID:2636
-
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe87⤵PID:2028
-
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe88⤵
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe89⤵PID:1936
-
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe90⤵PID:1780
-
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe91⤵
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe92⤵PID:1512
-
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe94⤵
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe95⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe96⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe97⤵PID:604
-
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe101⤵PID:1420
-
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe103⤵PID:816
-
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe104⤵PID:3052
-
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe105⤵PID:768
-
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe106⤵PID:2668
-
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe107⤵PID:1336
-
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe108⤵PID:1488
-
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe109⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe111⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2884 -
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe114⤵
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Ipmqgmcd.exeC:\Windows\system32\Ipmqgmcd.exe117⤵
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe118⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe119⤵PID:2748
-
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe120⤵
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:552
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-