Analysis
-
max time kernel
52s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
26/07/2024, 17:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3693231bba112637fbe67dc5531fc740N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
3693231bba112637fbe67dc5531fc740N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
3693231bba112637fbe67dc5531fc740N.exe
-
Size
59KB
-
MD5
3693231bba112637fbe67dc5531fc740
-
SHA1
b97374242ef66a8a25ed850074413a843abd52af
-
SHA256
53ddd585f237f388995a4f556c95d292db1a8edeb8fb02b830b9cd2ef1aef10d
-
SHA512
100a5366670ce196f75c9cfc2330f0c326cf2af27d31aa42f0319e4a5e4761e7791a7caacfc9203fb045ab74229e1c408c1b29b08db7edf11a58203dbec71050
-
SSDEEP
768:KJyxB5c6LnB/kz7Zo54FYK3GjZYrN2mMdmpNNRDetsqQ+iKUruM+/1H5eXdnhgPu:TxB5crzR2631eHzouMUWh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hohkmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lanbdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggggoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehcij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnkdnqhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnmel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipmhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loefnpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dljmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdeok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekghdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhlqjone.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcpacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgocmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhdgdmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pghfnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnopp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laqojfli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fckhhgcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjjaikoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehnfpifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdeqfhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adaiee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgpnmom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjkdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jipaip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijkocg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggggoda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 3693231bba112637fbe67dc5531fc740N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boogmgkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmnbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhdkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heliepmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibacbcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdhdkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjleclph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadcipbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afffenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhdegn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jieaofmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljlbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidfdofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mphiqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdkjdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjhgbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfmndn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbglhjq.exe -
Executes dropped EXE 64 IoCs
pid Process 2376 Ifgpnmom.exe 2012 Ihglhp32.exe 2324 Jpbalb32.exe 2188 Jikeeh32.exe 2892 Jliaac32.exe 2436 Jimbkh32.exe 2880 Jojkco32.exe 2624 Jedcpi32.exe 2276 Jlnklcej.exe 2600 Jajcdjca.exe 544 Jlphbbbg.exe 1148 Jkchmo32.exe 1824 Jehlkhig.exe 2968 Kkeecogo.exe 524 Kekiphge.exe 2976 Kglehp32.exe 1932 Knfndjdp.exe 1128 Kpdjaecc.exe 952 Khkbbc32.exe 2208 Kkjnnn32.exe 828 Kadfkhkf.exe 1548 Kdbbgdjj.exe 1040 Kklkcn32.exe 984 Kddomchg.exe 1616 Klpdaf32.exe 2316 Lcjlnpmo.exe 2100 Lfhhjklc.exe 2144 Lclicpkm.exe 2852 Lfkeokjp.exe 2764 Ldpbpgoh.exe 2648 Llgjaeoj.exe 2748 Loefnpnn.exe 2732 Lhnkffeo.exe 2560 Lddlkg32.exe 2340 Lgchgb32.exe 2020 Mjaddn32.exe 1736 Mqklqhpg.exe 1872 Mggabaea.exe 2928 Mjfnomde.exe 2988 Mmdjkhdh.exe 464 Mfmndn32.exe 1492 Mikjpiim.exe 1436 Mcqombic.exe 1456 Mfokinhf.exe 684 Mpgobc32.exe 552 Nedhjj32.exe 1764 Nipdkieg.exe 2400 Nmkplgnq.exe 2512 Nbhhdnlh.exe 2544 Nefdpjkl.exe 2752 Ngealejo.exe 2848 Nlqmmd32.exe 2620 Nplimbka.exe 1796 Nnoiio32.exe 2140 Nameek32.exe 2680 Neiaeiii.exe 2396 Nhgnaehm.exe 2700 Njfjnpgp.exe 1952 Nbmaon32.exe 2792 Neknki32.exe 2984 Ncnngfna.exe 3012 Nhjjgd32.exe 1524 Njhfcp32.exe 1336 Nncbdomg.exe -
Loads dropped DLL 64 IoCs
pid Process 1320 3693231bba112637fbe67dc5531fc740N.exe 1320 3693231bba112637fbe67dc5531fc740N.exe 2376 Ifgpnmom.exe 2376 Ifgpnmom.exe 2012 Ihglhp32.exe 2012 Ihglhp32.exe 2324 Jpbalb32.exe 2324 Jpbalb32.exe 2188 Jikeeh32.exe 2188 Jikeeh32.exe 2892 Jliaac32.exe 2892 Jliaac32.exe 2436 Jimbkh32.exe 2436 Jimbkh32.exe 2880 Jojkco32.exe 2880 Jojkco32.exe 2624 Jedcpi32.exe 2624 Jedcpi32.exe 2276 Jlnklcej.exe 2276 Jlnklcej.exe 2600 Jajcdjca.exe 2600 Jajcdjca.exe 544 Jlphbbbg.exe 544 Jlphbbbg.exe 1148 Jkchmo32.exe 1148 Jkchmo32.exe 1824 Jehlkhig.exe 1824 Jehlkhig.exe 2968 Kkeecogo.exe 2968 Kkeecogo.exe 524 Kekiphge.exe 524 Kekiphge.exe 2976 Kglehp32.exe 2976 Kglehp32.exe 1932 Knfndjdp.exe 1932 Knfndjdp.exe 1128 Kpdjaecc.exe 1128 Kpdjaecc.exe 952 Khkbbc32.exe 952 Khkbbc32.exe 2208 Kkjnnn32.exe 2208 Kkjnnn32.exe 828 Kadfkhkf.exe 828 Kadfkhkf.exe 1548 Kdbbgdjj.exe 1548 Kdbbgdjj.exe 1040 Kklkcn32.exe 1040 Kklkcn32.exe 984 Kddomchg.exe 984 Kddomchg.exe 1616 Klpdaf32.exe 1616 Klpdaf32.exe 2316 Lcjlnpmo.exe 2316 Lcjlnpmo.exe 2100 Lfhhjklc.exe 2100 Lfhhjklc.exe 2144 Lclicpkm.exe 2144 Lclicpkm.exe 2852 Lfkeokjp.exe 2852 Lfkeokjp.exe 2764 Ldpbpgoh.exe 2764 Ldpbpgoh.exe 2648 Llgjaeoj.exe 2648 Llgjaeoj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pehcij32.exe Pbigmn32.exe File created C:\Windows\SysWOW64\Bcbonpco.dll Jgjkfi32.exe File created C:\Windows\SysWOW64\Djbfplfp.dll Loefnpnn.exe File created C:\Windows\SysWOW64\Mlbakl32.dll Pljlbf32.exe File created C:\Windows\SysWOW64\Kecdbl32.dll Foolgh32.exe File created C:\Windows\SysWOW64\Boogmgkl.exe Bmpkqklh.exe File opened for modification C:\Windows\SysWOW64\Epeoaffo.exe Ehnfpifm.exe File created C:\Windows\SysWOW64\Kbjbge32.exe Jnofgg32.exe File opened for modification C:\Windows\SysWOW64\Neiaeiii.exe Nameek32.exe File created C:\Windows\SysWOW64\Hnoefj32.dll Ncnngfna.exe File created C:\Windows\SysWOW64\Afffenbp.exe Achjibcl.exe File opened for modification C:\Windows\SysWOW64\Pbigmn32.exe Ppkjac32.exe File created C:\Windows\SysWOW64\Fhgkakgl.dll Ebklic32.exe File created C:\Windows\SysWOW64\Jhdegn32.exe Jpmmfp32.exe File opened for modification C:\Windows\SysWOW64\Hhkopj32.exe Gqdgom32.exe File created C:\Windows\SysWOW64\Npepbkgb.dll Cfoaho32.exe File created C:\Windows\SysWOW64\Fbbngc32.dll Iamfdo32.exe File opened for modification C:\Windows\SysWOW64\Kklkcn32.exe Kdbbgdjj.exe File created C:\Windows\SysWOW64\Hgkfal32.exe Heliepmn.exe File created C:\Windows\SysWOW64\Qemldifo.exe Qobdgo32.exe File opened for modification C:\Windows\SysWOW64\Qdompf32.exe Qemldifo.exe File opened for modification C:\Windows\SysWOW64\Klpdaf32.exe Kddomchg.exe File created C:\Windows\SysWOW64\Nedamakn.dll Cjogcm32.exe File created C:\Windows\SysWOW64\Qbkalpla.dll Eeagimdf.exe File opened for modification C:\Windows\SysWOW64\Cfehhn32.exe Cbjlhpkb.exe File created C:\Windows\SysWOW64\Dicdjqhf.dll Qeppdo32.exe File created C:\Windows\SysWOW64\Aehlpleg.dll Kbbobkol.exe File created C:\Windows\SysWOW64\Nmflee32.exe Nflchkii.exe File created C:\Windows\SysWOW64\Qldhkc32.exe Qiflohqk.exe File created C:\Windows\SysWOW64\Eioigi32.dll Gqdgom32.exe File created C:\Windows\SysWOW64\Paodbg32.dll Nhjjgd32.exe File opened for modification C:\Windows\SysWOW64\Qndkpmkm.exe Qkfocaki.exe File created C:\Windows\SysWOW64\Djiqdb32.exe Dbaice32.exe File opened for modification C:\Windows\SysWOW64\Mimpkcdn.exe Mqehjecl.exe File created C:\Windows\SysWOW64\Kdbbgdjj.exe Kadfkhkf.exe File opened for modification C:\Windows\SysWOW64\Pmmeon32.exe Pgcmbcih.exe File opened for modification C:\Windows\SysWOW64\Dfkhndca.exe Dcllbhdn.exe File opened for modification C:\Windows\SysWOW64\Qldhkc32.exe Qiflohqk.exe File created C:\Windows\SysWOW64\Dlifadkk.exe Dcbnpgkh.exe File created C:\Windows\SysWOW64\Gddgejcp.dll Mikjpiim.exe File created C:\Windows\SysWOW64\Glffke32.dll Ekdchf32.exe File created C:\Windows\SysWOW64\Jamgla32.dll Lcdhgn32.exe File created C:\Windows\SysWOW64\Ckpckece.exe Ciagojda.exe File opened for modification C:\Windows\SysWOW64\Jkchmo32.exe Jlphbbbg.exe File created C:\Windows\SysWOW64\Kmhflfhh.dll Kkjnnn32.exe File created C:\Windows\SysWOW64\Kfkigdmm.dll Pmjaohol.exe File created C:\Windows\SysWOW64\Hjfnnajl.exe Hclfag32.exe File opened for modification C:\Windows\SysWOW64\Kmqmod32.exe Jieaofmp.exe File created C:\Windows\SysWOW64\Pqdhpbib.dll Mkipao32.exe File created C:\Windows\SysWOW64\Bdfooh32.exe Bbhccm32.exe File created C:\Windows\SysWOW64\Ebfkilbo.dll Fmfocnjg.exe File opened for modification C:\Windows\SysWOW64\Aohdmdoh.exe Alihaioe.exe File created C:\Windows\SysWOW64\Bqgmfkhg.exe Bniajoic.exe File created C:\Windows\SysWOW64\Liempneg.dll Ckmnbg32.exe File created C:\Windows\SysWOW64\Gimfed32.dll Epeekmjk.exe File created C:\Windows\SysWOW64\Dllmckbg.dll Hifbdnbi.exe File created C:\Windows\SysWOW64\Opnbbe32.exe Ompefj32.exe File created C:\Windows\SysWOW64\Kmqmod32.exe Jieaofmp.exe File created C:\Windows\SysWOW64\Qoeamo32.exe Qlfdac32.exe File created C:\Windows\SysWOW64\Qopmpa32.dll Aobpfb32.exe File created C:\Windows\SysWOW64\Jehlkhig.exe Jkchmo32.exe File opened for modification C:\Windows\SysWOW64\Jdcpkp32.exe Jaecod32.exe File opened for modification C:\Windows\SysWOW64\Ieibdnnp.exe Iamfdo32.exe File opened for modification C:\Windows\SysWOW64\Lepaccmo.exe Lcadghnk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6888 6896 WerFault.exe 640 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnknoogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mciabmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmgfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidfdofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjedmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojlbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iocgfhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khjgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcnghpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joggci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnefhpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpaom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lplbjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkjheja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkolakkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdcfoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejlnmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boemlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfoin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fchkbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcmedli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfbfhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhbmpkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nameek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekiphge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfkhndca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgpnmom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnbejb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqcnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imjkpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoagccfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmmfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injqmdki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjlli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdmfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmimcbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcjog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmccqbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmckcmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peefcjlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joidhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjkdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dljmlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnkifgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laqojfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paocnkph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfpmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompefj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhdpnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfpfdeon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanbdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhhkapeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpepkk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkigdmm.dll" Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdfooh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imjkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnhgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igqhpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceebklai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiepea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbbobkol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphgph32.dll" Jliaac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpjbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conobqhi.dll" Hiclkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhlqjone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginaep32.dll" Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flkeabdg.dll" Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcpehgf.dll" Fgocmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kokmmkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfdih32.dll" Cdmepgce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdpmo32.dll" Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmfocnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecbnqcj.dll" Eojlbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmdkjmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imggplgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogfepif.dll" Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgklp32.dll" Epnhpglg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nflchkii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kipmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapefloq.dll" Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijpfppe.dll" Hcepqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkmbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjkcehe.dll" Obeacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qemldifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll" Bkjdndjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pghfnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceebklai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagflkia.dll" Nbhhdnlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebfkilbo.dll" Fmfocnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjeoijn.dll" Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fapeic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoagccfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjfnnajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hohkmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdogedmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakcpl32.dll" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebklic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heliepmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfoaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccblb32.dll" Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll" Qpbglhjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfdenafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dljmlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifgpnmom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjhcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcljmdmj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1320 wrote to memory of 2376 1320 3693231bba112637fbe67dc5531fc740N.exe 30 PID 1320 wrote to memory of 2376 1320 3693231bba112637fbe67dc5531fc740N.exe 30 PID 1320 wrote to memory of 2376 1320 3693231bba112637fbe67dc5531fc740N.exe 30 PID 1320 wrote to memory of 2376 1320 3693231bba112637fbe67dc5531fc740N.exe 30 PID 2376 wrote to memory of 2012 2376 Ifgpnmom.exe 31 PID 2376 wrote to memory of 2012 2376 Ifgpnmom.exe 31 PID 2376 wrote to memory of 2012 2376 Ifgpnmom.exe 31 PID 2376 wrote to memory of 2012 2376 Ifgpnmom.exe 31 PID 2012 wrote to memory of 2324 2012 Ihglhp32.exe 32 PID 2012 wrote to memory of 2324 2012 Ihglhp32.exe 32 PID 2012 wrote to memory of 2324 2012 Ihglhp32.exe 32 PID 2012 wrote to memory of 2324 2012 Ihglhp32.exe 32 PID 2324 wrote to memory of 2188 2324 Jpbalb32.exe 33 PID 2324 wrote to memory of 2188 2324 Jpbalb32.exe 33 PID 2324 wrote to memory of 2188 2324 Jpbalb32.exe 33 PID 2324 wrote to memory of 2188 2324 Jpbalb32.exe 33 PID 2188 wrote to memory of 2892 2188 Jikeeh32.exe 34 PID 2188 wrote to memory of 2892 2188 Jikeeh32.exe 34 PID 2188 wrote to memory of 2892 2188 Jikeeh32.exe 34 PID 2188 wrote to memory of 2892 2188 Jikeeh32.exe 34 PID 2892 wrote to memory of 2436 2892 Jliaac32.exe 35 PID 2892 wrote to memory of 2436 2892 Jliaac32.exe 35 PID 2892 wrote to memory of 2436 2892 Jliaac32.exe 35 PID 2892 wrote to memory of 2436 2892 Jliaac32.exe 35 PID 2436 wrote to memory of 2880 2436 Jimbkh32.exe 36 PID 2436 wrote to memory of 2880 2436 Jimbkh32.exe 36 PID 2436 wrote to memory of 2880 2436 Jimbkh32.exe 36 PID 2436 wrote to memory of 2880 2436 Jimbkh32.exe 36 PID 2880 wrote to memory of 2624 2880 Jojkco32.exe 37 PID 2880 wrote to memory of 2624 2880 Jojkco32.exe 37 PID 2880 wrote to memory of 2624 2880 Jojkco32.exe 37 PID 2880 wrote to memory of 2624 2880 Jojkco32.exe 37 PID 2624 wrote to memory of 2276 2624 Jedcpi32.exe 38 PID 2624 wrote to memory of 2276 2624 Jedcpi32.exe 38 PID 2624 wrote to memory of 2276 2624 Jedcpi32.exe 38 PID 2624 wrote to memory of 2276 2624 Jedcpi32.exe 38 PID 2276 wrote to memory of 2600 2276 Jlnklcej.exe 39 PID 2276 wrote to memory of 2600 2276 Jlnklcej.exe 39 PID 2276 wrote to memory of 2600 2276 Jlnklcej.exe 39 PID 2276 wrote to memory of 2600 2276 Jlnklcej.exe 39 PID 2600 wrote to memory of 544 2600 Jajcdjca.exe 40 PID 2600 wrote to memory of 544 2600 Jajcdjca.exe 40 PID 2600 wrote to memory of 544 2600 Jajcdjca.exe 40 PID 2600 wrote to memory of 544 2600 Jajcdjca.exe 40 PID 544 wrote to memory of 1148 544 Jlphbbbg.exe 41 PID 544 wrote to memory of 1148 544 Jlphbbbg.exe 41 PID 544 wrote to memory of 1148 544 Jlphbbbg.exe 41 PID 544 wrote to memory of 1148 544 Jlphbbbg.exe 41 PID 1148 wrote to memory of 1824 1148 Jkchmo32.exe 42 PID 1148 wrote to memory of 1824 1148 Jkchmo32.exe 42 PID 1148 wrote to memory of 1824 1148 Jkchmo32.exe 42 PID 1148 wrote to memory of 1824 1148 Jkchmo32.exe 42 PID 1824 wrote to memory of 2968 1824 Jehlkhig.exe 43 PID 1824 wrote to memory of 2968 1824 Jehlkhig.exe 43 PID 1824 wrote to memory of 2968 1824 Jehlkhig.exe 43 PID 1824 wrote to memory of 2968 1824 Jehlkhig.exe 43 PID 2968 wrote to memory of 524 2968 Kkeecogo.exe 44 PID 2968 wrote to memory of 524 2968 Kkeecogo.exe 44 PID 2968 wrote to memory of 524 2968 Kkeecogo.exe 44 PID 2968 wrote to memory of 524 2968 Kkeecogo.exe 44 PID 524 wrote to memory of 2976 524 Kekiphge.exe 45 PID 524 wrote to memory of 2976 524 Kekiphge.exe 45 PID 524 wrote to memory of 2976 524 Kekiphge.exe 45 PID 524 wrote to memory of 2976 524 Kekiphge.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3693231bba112637fbe67dc5531fc740N.exe"C:\Users\Admin\AppData\Local\Temp\3693231bba112637fbe67dc5531fc740N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1128 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Loefnpnn.exeC:\Windows\system32\Loefnpnn.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe34⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe35⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe36⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe37⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe38⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe39⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe40⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe41⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe44⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe45⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe46⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe47⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Nipdkieg.exeC:\Windows\system32\Nipdkieg.exe48⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe49⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Nbhhdnlh.exeC:\Windows\system32\Nbhhdnlh.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe51⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe52⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe53⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe55⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe57⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe58⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe59⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe60⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe61⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe64⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe65⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe66⤵PID:1380
-
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe67⤵PID:2328
-
C:\Windows\SysWOW64\Nfoghakb.exeC:\Windows\system32\Nfoghakb.exe68⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe69⤵
- System Location Discovery: System Language Discovery
PID:480 -
C:\Windows\SysWOW64\Omioekbo.exeC:\Windows\system32\Omioekbo.exe70⤵PID:1812
-
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe71⤵PID:2060
-
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe72⤵PID:2500
-
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe73⤵PID:2760
-
C:\Windows\SysWOW64\Oippjl32.exeC:\Windows\system32\Oippjl32.exe74⤵PID:2616
-
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe75⤵PID:2612
-
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe76⤵PID:2032
-
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe77⤵PID:1052
-
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe78⤵PID:2948
-
C:\Windows\SysWOW64\Omnipjni.exeC:\Windows\system32\Omnipjni.exe79⤵PID:2972
-
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe80⤵PID:2584
-
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe81⤵PID:836
-
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe82⤵PID:924
-
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:532 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe86⤵PID:2808
-
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe87⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe88⤵PID:2008
-
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe89⤵PID:336
-
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe90⤵PID:2232
-
C:\Windows\SysWOW64\Pbagipfi.exeC:\Windows\system32\Pbagipfi.exe91⤵PID:2264
-
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe92⤵PID:2964
-
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe94⤵PID:2176
-
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe95⤵PID:2448
-
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe98⤵PID:2608
-
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe100⤵PID:2352
-
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe101⤵PID:392
-
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe103⤵PID:2944
-
C:\Windows\SysWOW64\Ppnnai32.exeC:\Windows\system32\Ppnnai32.exe104⤵PID:1156
-
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe105⤵
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe107⤵PID:1820
-
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe108⤵PID:3060
-
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe109⤵PID:2744
-
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe110⤵
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe111⤵PID:1976
-
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe113⤵PID:2244
-
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe114⤵
- Drops file in System32 directory
PID:620 -
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe115⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe116⤵PID:2284
-
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe117⤵PID:2116
-
C:\Windows\SysWOW64\Allefimb.exeC:\Windows\system32\Allefimb.exe118⤵PID:2312
-
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe119⤵PID:2096
-
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe120⤵PID:824
-
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe121⤵
- Drops file in System32 directory
PID:2172
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-