Analysis
max time kernel: 149s
max time network: 21s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23-07-2024 23:21

Static task: static1

Behavioral task: behavioral1
Sample: 7b3988dce5b25226820ebc984310fc56b46810a5e0b3a7f8c9fb80ecc324f721.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 7b3988dce5b25226820ebc984310fc56b46810a5e0b3a7f8c9fb80ecc324f721.exe
Resource: win10v2004-20240709-en

General
Target: 7b3988dce5b25226820ebc984310fc56b46810a5e0b3a7f8c9fb80ecc324f721.exe
Size: 360KB
MD5: ae37c9b22549bba299cc36fd694042f9
SHA1: f9c6bed9e4ad09fbe7af8dd95cfb000114055ece
SHA256: 7b3988dce5b25226820ebc984310fc56b46810a5e0b3a7f8c9fb80ecc324f721
SHA512: 75ce90a1a96e4a66afb2995f36ae8c33f4722599e6f9c4ffd596f9518b84ad5f0dcd7ceceffbad55155639896e07b4539e481977c2a2cbc9b27ecbd69ab5aedc
SSDEEP: 6144:+LpEtCpX2/mnbzvdLaD6OkPgl6bmIjlQFxU:ZCpXImbzQD6OkPgl6bmIjKxU
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 3740, pid_target: 3660, Process: WerFault.exe, procid_target: 568
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pemedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lopjlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghlhpiia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpgehhj.dll" Lbdiabcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hecnblah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Debcjiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmfimhnl.dll" Mfdklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndnncf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmmmdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmkla32.dll" Eakkkdnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kipfhbmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pphlokep.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olanhheq.dll" Ifhacfhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpehje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glpbiaqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljadqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmilachg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbmoke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Genkhidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moelgh32.dll" Fqhegf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kncmknkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmponfo.dll" Icgkkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cagpldqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgjpfago.dll" Olhhmele.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhmobn32.dll" Lajgnb32.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljljenoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldbalp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojkcfdgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pemdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhddcifo.dll" Dcgppana.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nejjfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eakkkdnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnmjcep.dll" Mnqhcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlljfhjn.dll" Kpgkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celocqfm.dll" Mlbadj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjaknoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbhlilip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = 
"Apartment" Aqapek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnebgcqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goagaded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anepooja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cappmkaa.dll" Dfoplkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgoqjl32.dll" Ojkcfdgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncgfohq.dll" Mgnjhfbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Medggj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhjjle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbpncn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohphighh.dll" Gickgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkeeqckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mafoal32.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nmlekj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qcdinbdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhffghb.dll" | Fldeakgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Idgmch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ebnokjpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ohifch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacgolle.dll" | Debcjiod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfoplkel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iaknmm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfmlif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfkpa32.dll" | Bqhffj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fliaecjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heaean32.dll" | Ifckaodd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Plnmcl32.exe
-
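What the entries above amount to: the sample registers CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} as an in-process COM server. The InProcServer32 default value names a dropped DLL under C:\Windows\SysWow64 (successive processes rewrite it, which is why Gnhffghb.dll, Nacgolle.dll, Jjfkpa32.dll and Heaean32.dll all appear) and ThreadingModel is set to Apartment. Together with the ShellServiceObjectDelayLoad value that the "Adds autorun key to be loaded by Explorer.exe on startup" signature reports, this means Explorer instantiates the CLSID at logon and loads whatever DLL the value currently points to. The host check below is an added example, not part of the sandbox report or of any vendor tooling: it enumerates ShellServiceObjectDelayLoad in the native, Wow6432Node and per-user views, resolves each CLSID's InProcServer32 default value through the native and Wow6432Node Classes hives, and reports the DLL path and its Authenticode status. It assumes an elevated 64-bit PowerShell session; the "suspicious" heuristic (anything that is not a present, validly signed DLL) is this example's choice.

```powershell
# Added example (not part of the sandbox report): resolve every
# ShellServiceObjectDelayLoad entry to the DLL Explorer would load at logon.
# Assumes an elevated 64-bit PowerShell session so both registry views are visible.

$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

# CLSID hives to search: native view, WOW64 view (where the report's keys live), per-user.
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

# Provider metadata that Get-ItemProperty attaches to every result; not registry values.
$ProviderNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-InProcServer32 {
    # Returns the key and DLL named by InProcServer32's default value, or $null if
    # the CLSID has no in-process server registered in any of the hives above.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
        if ($dll) {
            return [pscustomobject]@{
                ClsidKey = $key
                Dll      = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
        }
    }
    return $null
}

function Get-SsodlFindings {
    foreach ($key in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderNoise -contains $prop.Name) { continue }
            $clsid  = [string]$prop.Value
            $server = $null
            # Only well-formed CLSIDs are resolvable; anything else is reported unresolved.
            if ($clsid -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
                $server = Resolve-InProcServer32 -Clsid $clsid
            }
            $dll      = if ($server) { $server.Dll } else { $null }
            $clsidKey = if ($server) { $server.ClsidKey } else { $null }
            $status   = if ($dll -and (Test-Path -LiteralPath $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            } elseif ($dll) { 'FileMissing' } else { 'ClsidUnresolved' }

            [pscustomobject]@{
                SsodlKey   = $key
                ValueName  = $prop.Name
                Clsid      = $clsid
                ClsidKey   = $clsidKey
                Dll        = $dll
                Status     = $status
                # Heuristic chosen for this example: Explorer will load it, so anything
                # that is not a present, validly signed DLL deserves a look. The dropped
                # DLLs in SysWow64 from the report fail this check on the signature.
                Suspicious = ($status -ne 'Valid')
            }
        }
    }
}

Get-SsodlFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from a 64-bit shell: every key in the report sits under Wow6432Node because the 32-bit sample's registry writes were redirected, and a 32-bit PowerShell would only ever see that redirected view. On Windows 7 many catalog-signed system DLLs may come back as NotSigned from Get-AuthenticodeSignature, so treat the status column as a triage cue and confirm the path and file hash before acting on it.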
Suspicious use of WriteProcessMemory 64 IoCs
Each parent-to-child pair below appears four times in the report (16 pairs, 64 IoCs); the pairs form a single chain in which every dropped executable writes into the next one: 3004 → 2556 → 2196 → 316 → 2820 → 2612 → 2920 → 2716 → 980 → 688 → 1320 → 1200 → 1812 → 2220 → 572 → 2080 → 2068.
description | pid | Process | procid_target | identical events
PID 3004 wrote to memory of 2556 | 3004 | 7b3988dce5b25226820ebc984310fc56b46810a5e0b3a7f8c9fb80ecc324f721.exe | 29 | 4
PID 2556 wrote to memory of 2196 | 2556 | Ilcfjkgj.exe | 30 | 4
PID 2196 wrote to memory of 316 | 2196 | Iaqnbb32.exe | 31 | 4
PID 316 wrote to memory of 2820 | 316 | Iqhhin32.exe | 32 | 4
PID 2820 wrote to memory of 2612 | 2820 | Jbgdcapi.exe | 33 | 4
PID 2612 wrote to memory of 2920 | 2612 | Jdhmel32.exe | 34 | 4
PID 2920 wrote to memory of 2716 | 2920 | Jgiffg32.exe | 35 | 4
PID 2716 wrote to memory of 980 | 2716 | Kbedmedg.exe | 36 | 4
PID 980 wrote to memory of 688 | 980 | Knldaf32.exe | 37 | 4
PID 688 wrote to memory of 1320 | 688 | Kehidp32.exe | 38 | 4
PID 1320 wrote to memory of 1200 | 1320 | Lmjdia32.exe | 39 | 4
PID 1200 wrote to memory of 1812 | 1200 | Lopjlh32.exe | 40 | 4
PID 1812 wrote to memory of 2220 | 1812 | Lobgah32.exe | 41 | 4
PID 2220 wrote to memory of 572 | 2220 | Mddidnqa.exe | 42 | 4
PID 572 wrote to memory of 2080 | 572 | Mkqnghfk.exe | 43 | 4
PID 2080 wrote to memory of 2068 | 2080 | Nelkme32.exe | 44 | 4
Processes
-
depth | image | PID | signatures
Entries 2 to 122 are all images under C:\Windows\SysWOW64\ started with the command line C:\Windows\system32\<name>.exe. For these 32-bit processes the system32 path resolves to SysWOW64 through WOW64 file system redirection, which is why the recorded image path and command line differ.
1 | C:\Users\Admin\AppData\Local\Temp\7b3988dce5b25226820ebc984310fc56b46810a5e0b3a7f8c9fb80ecc324f721.exe (command line "C:\Users\Admin\AppData\Local\Temp\7b3988dce5b25226820ebc984310fc56b46810a5e0b3a7f8c9fb80ecc324f721.exe") | PID 3004 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\Ilcfjkgj.exe | PID 2556 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\Iaqnbb32.exe | PID 2196 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\Iqhhin32.exe | PID 316 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\Jbgdcapi.exe | PID 2820 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\Jdhmel32.exe | PID 2612 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\Jgiffg32.exe | PID 2920 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\Kbedmedg.exe | PID 2716 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\Knldaf32.exe | PID 980 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\Kehidp32.exe | PID 688 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\Lmjdia32.exe | PID 1320 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\Lopjlh32.exe | PID 1200 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\Lobgah32.exe | PID 1812 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14 | C:\Windows\SysWOW64\Mddidnqa.exe | PID 2220 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\Mkqnghfk.exe | PID 572 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | C:\Windows\SysWOW64\Nelkme32.exe | PID 2080 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\Nimaic32.exe | PID 2068 | Executes dropped EXE; Loads dropped DLL
18 | C:\Windows\SysWOW64\Ohdkop32.exe | PID 1988 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
19 | C:\Windows\SysWOW64\Oncpmf32.exe | PID 2976 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
20 | C:\Windows\SysWOW64\Ojjqbg32.exe | PID 1664 | Executes dropped EXE; Loads dropped DLL
21 | C:\Windows\SysWOW64\Onhihepp.exe | PID 2016 | Executes dropped EXE; Loads dropped DLL
22 | C:\Windows\SysWOW64\Pfekbg32.exe | PID 612 | Executes dropped EXE; Loads dropped DLL
23 | C:\Windows\SysWOW64\Pblkgh32.exe | PID 2268 | Executes dropped EXE; Loads dropped DLL
24 | C:\Windows\SysWOW64\Pemdic32.exe | PID 2124 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
25 | C:\Windows\SysWOW64\Aamhdckg.exe | PID 1504 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
26 | C:\Windows\SysWOW64\Aedghf32.exe | PID 3068 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
27 | C:\Windows\SysWOW64\Bamdcf32.exe | PID 2908 | Executes dropped EXE; Loads dropped DLL
28 | C:\Windows\SysWOW64\Bpbadcbj.exe | PID 2444 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
29 | C:\Windows\SysWOW64\Baannfim.exe | PID 2204 | Executes dropped EXE; Loads dropped DLL
30 | C:\Windows\SysWOW64\Bgablmfa.exe | PID 2968 | Executes dropped EXE; Loads dropped DLL
31 | C:\Windows\SysWOW64\Cpigeblb.exe | PID 2808 | Executes dropped EXE; Loads dropped DLL
32 | C:\Windows\SysWOW64\Cehlbihg.exe | PID 2240 | Executes dropped EXE; Loads dropped DLL
33 | C:\Windows\SysWOW64\Cclmlm32.exe | PID 852 | Executes dropped EXE
34 | C:\Windows\SysWOW64\Coejfn32.exe | PID 1092 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
35 | C:\Windows\SysWOW64\Dhnoocab.exe | PID 928 | Executes dropped EXE
36 | C:\Windows\SysWOW64\Dcgppana.exe | PID 2488 | Executes dropped EXE; Modifies registry class
37 | C:\Windows\SysWOW64\Dgehfodh.exe | PID 760 | Executes dropped EXE
38 | C:\Windows\SysWOW64\Dpnmoe32.exe | PID 1300 | Executes dropped EXE
39 | C:\Windows\SysWOW64\Dlgjie32.exe | PID 1760 | Executes dropped EXE
40 | C:\Windows\SysWOW64\Eligoe32.exe | PID 2104 | Executes dropped EXE
41 | C:\Windows\SysWOW64\Ehphdf32.exe | PID 1936 | Executes dropped EXE
42 | C:\Windows\SysWOW64\Ebkibk32.exe | PID 2284 | Executes dropped EXE
43 | C:\Windows\SysWOW64\Emdjbi32.exe | PID 2244 | Executes dropped EXE
44 | C:\Windows\SysWOW64\Fgjnpb32.exe | PID 2504 | Executes dropped EXE; Drops file in System32 directory
45 | C:\Windows\SysWOW64\Fglkeaqk.exe | PID 1376 | Executes dropped EXE
46 | C:\Windows\SysWOW64\Fmicnhob.exe | PID 1704 | Executes dropped EXE
47 | C:\Windows\SysWOW64\Fpjlpclc.exe | PID 472 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
48 | C:\Windows\SysWOW64\Flqmddah.exe | PID 2416 | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
49 | C:\Windows\SysWOW64\Fidmniqa.exe | PID 1728 | Executes dropped EXE
50 | C:\Windows\SysWOW64\Gapbbk32.exe | PID 1696 | Executes dropped EXE; System Location Discovery: System Language Discovery
51 | C:\Windows\SysWOW64\Genkhidc.exe | PID 2348 | Executes dropped EXE; Modifies registry class
52 | C:\Windows\SysWOW64\Gjjcqpbj.exe | PID 2812 | Executes dropped EXE
53 | C:\Windows\SysWOW64\Gdchifik.exe | PID 2752 | Executes dropped EXE
54 | C:\Windows\SysWOW64\Gnhlgoia.exe | PID 2760 | Executes dropped EXE
55 | C:\Windows\SysWOW64\Gjomlp32.exe | PID 2876 | Executes dropped EXE
56 | C:\Windows\SysWOW64\Gffmqq32.exe | PID 1312 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
57 | C:\Windows\SysWOW64\Hdjnje32.exe | PID 2584 | Executes dropped EXE
58 | C:\Windows\SysWOW64\Hlebog32.exe | PID 1264 | Executes dropped EXE
59 | C:\Windows\SysWOW64\Hmdohj32.exe | PID 1636 | Executes dropped EXE
60 | C:\Windows\SysWOW64\Hfmcapna.exe | PID 1124 | Executes dropped EXE; System Location Discovery: System Language Discovery
61 | C:\Windows\SysWOW64\Hpehje32.exe | PID 1416 | Executes dropped EXE; Modifies registry class
62 | C:\Windows\SysWOW64\Hhqmogam.exe | PID 2276 | Executes dropped EXE
63 | C:\Windows\SysWOW64\Idgmch32.exe | PID 2248 | Executes dropped EXE; Modifies registry class
64 | C:\Windows\SysWOW64\Iaknmm32.exe | PID 1628 | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
65 | C:\Windows\SysWOW64\Ighfecdb.exe | PID 2300 | Executes dropped EXE
66 | C:\Windows\SysWOW64\Iankbldh.exe | PID 2560 | no signatures listed
67 | C:\Windows\SysWOW64\Iiiogoac.exe | PID 2964 | no signatures listed
68 | C:\Windows\SysWOW64\Idncdgai.exe | PID 2544 | no signatures listed
69 | C:\Windows\SysWOW64\Infhmmhi.exe | PID 2004 | no signatures listed
70 | C:\Windows\SysWOW64\Iniebmfg.exe | PID 2116 | no signatures listed
71 | C:\Windows\SysWOW64\Jfdigocb.exe | PID 588 | no signatures listed
72 | C:\Windows\SysWOW64\Jpjndh32.exe | PID 2884 | no signatures listed
73 | C:\Windows\SysWOW64\Jookedhp.exe | PID 2704 | Drops file in System32 directory
74 | C:\Windows\SysWOW64\Kkjeedio.exe | PID 976 | Adds autorun key to be loaded by Explorer.exe on startup
75 | C:\Windows\SysWOW64\Kchfpf32.exe | PID 2856 | no signatures listed
76 | C:\Windows\SysWOW64\Kgfoee32.exe | PID 2652 | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
77 | C:\Windows\SysWOW64\Kcmpjfqa.exe | PID 3016 | Drops file in System32 directory
78 | C:\Windows\SysWOW64\Lpcppgff.exe | PID 1808 | Adds autorun key to be loaded by Explorer.exe on startup
79 | C:\Windows\SysWOW64\Lbdiabcg.exe | PID 2384 | Modifies registry class
80 | C:\Windows\SysWOW64\Lphjkfbq.exe | PID 308 | Drops file in System32 directory
81 | C:\Windows\SysWOW64\Lgcooh32.exe | PID 1384 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
82 | C:\Windows\SysWOW64\Ljakkd32.exe | PID 2336 | no signatures listed
83 | C:\Windows\SysWOW64\Lgekdh32.exe | PID 756 | no signatures listed
84 | C:\Windows\SysWOW64\Lcllii32.exe | PID 1592 | no signatures listed
85 | C:\Windows\SysWOW64\Mmepboin.exe | PID 2092 | no signatures listed
86 | C:\Windows\SysWOW64\Mfmekd32.exe | PID 2804 | no signatures listed
87 | C:\Windows\SysWOW64\Mdaedhoh.exe | PID 2800 | System Location Discovery: System Language Discovery
88 | C:\Windows\SysWOW64\Mphfji32.exe | PID 2768 | no signatures listed
89 | C:\Windows\SysWOW64\Mipjbokm.exe | PID 1996 | no signatures listed
90 | C:\Windows\SysWOW64\Mfdklc32.exe | PID 1016 | Drops file in System32 directory; Modifies registry class
91 | C:\Windows\SysWOW64\Neihmpon.exe | PID 2064 | no signatures listed
92 | C:\Windows\SysWOW64\Noalfe32.exe | PID 2944 | no signatures listed
93 | C:\Windows\SysWOW64\Nlfmoidh.exe | PID 2376 | no signatures listed
94 | C:\Windows\SysWOW64\Nhlndj32.exe | PID 2972 | System Location Discovery: System Language Discovery
95 | C:\Windows\SysWOW64\Naebmppm.exe | PID 924 | no signatures listed
96 | C:\Windows\SysWOW64\Ngajeg32.exe | PID 2052 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
97 | C:\Windows\SysWOW64\Nagobp32.exe | PID 940 | no signatures listed
98 | C:\Windows\SysWOW64\Opllclcb.exe | PID 564 | no signatures listed
99 | C:\Windows\SysWOW64\Oeidlc32.exe | PID 2096 | Drops file in System32 directory; System Location Discovery: System Language Discovery
100 | C:\Windows\SysWOW64\Oofbph32.exe | PID 2568 | no signatures listed
101 | C:\Windows\SysWOW64\Okmceiii.exe | PID 2608 | no signatures listed
102 | C:\Windows\SysWOW64\Phacnm32.exe | PID 3040 | Adds autorun key to be loaded by Explorer.exe on startup
103 | C:\Windows\SysWOW64\Pdhdcnng.exe | PID 592 | no signatures listed
104 | C:\Windows\SysWOW64\Pnphlc32.exe | PID 1128 | Drops file in System32 directory
105 | C:\Windows\SysWOW64\Pghmeikh.exe | PID 2332 | no signatures listed
106 | C:\Windows\SysWOW64\Pnebgcqb.exe | PID 2784 | Modifies registry class
107 | C:\Windows\SysWOW64\Pqekin32.exe | PID 1992 | no signatures listed
108 | C:\Windows\SysWOW64\Qcdgei32.exe | PID 1512 | no signatures listed
109 | C:\Windows\SysWOW64\Qbidffao.exe | PID 2312 | Drops file in System32 directory
110 | C:\Windows\SysWOW64\Abkqle32.exe | PID 2176 | no signatures listed
111 | C:\Windows\SysWOW64\Aghidl32.exe | PID 1720 | no signatures listed
112 | C:\Windows\SysWOW64\Akfbjkdj.exe | PID 2852 | no signatures listed
113 | C:\Windows\SysWOW64\Ajkokgia.exe | PID 2776 | no signatures listed
114 | C:\Windows\SysWOW64\Apjdin32.exe | PID 2372 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
115 | C:\Windows\SysWOW64\Bajqcqli.exe | PID 1676 | no signatures listed
116 | C:\Windows\SysWOW64\Bchmolkm.exe | PID 1048 | no signatures listed
117 | C:\Windows\SysWOW64\Bpomdmqa.exe | PID 2476 | no signatures listed
118 | C:\Windows\SysWOW64\Bndjei32.exe | PID 1328 | System Location Discovery: System Language Discovery
119 | C:\Windows\SysWOW64\Blhkon32.exe | PID 2956 | no signatures listed
120 | C:\Windows\SysWOW64\Blkgdmbp.exe | PID 2436 | Drops file in System32 directory
121 | C:\Windows\SysWOW64\Cagpldqg.exe | PID 3056 | Modifies registry class
122 | C:\Windows\SysWOW64\Cokqfhpa.exe | PID 764 | no signatures listed
-