Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
02/08/2024, 18:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c425b25588c88bcb70b5e76164a2a7b0N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
c425b25588c88bcb70b5e76164a2a7b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c425b25588c88bcb70b5e76164a2a7b0N.exe
-
Size
176KB
-
MD5
c425b25588c88bcb70b5e76164a2a7b0
-
SHA1
db3df6a2d44117a04a282ab65dbc5c6c1d774482
-
SHA256
4e3b96a896b62833013b026385ce7a2e3cc122b4d8783ffb0af179a2bb1ccf49
-
SHA512
aba8785e8b2abfa2528ada89fd414394e81d0c52e5287cc020619a79e480b0cab92e3e0580849d5c38f6944c3d993de8b005f7cdc1e553950f08935c2c4998e7
-
SSDEEP
3072:bJ8zuk81dui/j6+JB8M6m9jqLsFmsdYXmLlcJVIZen+Vcv2JBwwRBkBnReP2+x7b:bNkuZ/j6MB8MhjwszeXmr8Sj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlofejig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oglgji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niilmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olhmnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olclimif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfaachpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimkob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Incgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kplhfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fniikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqmqkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeicenni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmnbjill.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apphpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihcakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjchjcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgglcqdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnfnik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbndqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efeaqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iognjojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doclijgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahijpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncggifep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpegdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnhpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eehbgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kopldl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haafepbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nclfpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pegalaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olobcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kigidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbcjkbdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Likbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiahpkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emogdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpbokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odqiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oadnlc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmfnen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkinfjan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahkgeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnlqemal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmkodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkfbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbpegdik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edbmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chafpfqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ognakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enjcfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mooppe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enomam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haadlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihinkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbgmglin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkchkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afaieb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkcgaoka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcijmhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfnchd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkldli32.exe -
Executes dropped EXE 64 IoCs
pid Process 2404 Lpjiik32.exe 2832 Lcmopepp.exe 2876 Mnilfc32.exe 2112 Mkmmpg32.exe 2632 Mfijfdca.exe 2060 Mgigpgkd.exe 1628 Nfppfcmj.exe 1640 Nloedjin.exe 2024 Onehadbj.exe 2672 Olobcm32.exe 2560 Phhonn32.exe 1668 Plfhdlfb.exe 1968 Pknakhig.exe 2420 Qajfmbna.exe 1676 Qlcgmpkp.exe 892 Afqeaemk.exe 1488 Ahdkhp32.exe 1040 Bdklnq32.exe 912 Bfqaph32.exe 1588 Boifinfg.exe 1600 Conpdm32.exe 1708 Ckgmon32.exe 904 Cjngej32.exe 704 Dgbgon32.exe 108 Dckdio32.exe 768 Dmcibdad.exe 1520 Dimfmeef.exe 2720 Ebekej32.exe 2204 Ebghkjjc.exe 2952 Emceag32.exe 2936 Fkjbpkag.exe 2676 Fgqcel32.exe 2068 Fialggcl.exe 2480 Fhfihd32.exe 616 Gkgbioee.exe 2916 Gacgli32.exe 2712 Gafcahil.exe 2932 Glpdbfek.exe 2904 Hggeeo32.exe 1744 Hcnfjpib.exe 2252 Hkiknb32.exe 2276 Hmighemp.exe 1964 Hbepplkh.exe 592 Hnlqemal.exe 2244 Hgeenb32.exe 2292 Iamjghnm.exe 1448 Ikbndqnc.exe 564 Iekbmfdc.exe 2236 Incgfl32.exe 1452 Iimhfj32.exe 2692 Ibeloo32.exe 2716 Ipimic32.exe 2820 Jplinckj.exe 2772 Jlbjcd32.exe 2784 Jekoljgo.exe 1644 Jbooen32.exe 2324 Jlgcncli.exe 2456 Jhndcd32.exe 2988 Jmkmlk32.exe 2228 Kmmiaknb.exe 2484 Kbjbibli.exe 1072 Kpnbcfkc.exe 2172 Kifgllbc.exe 2168 Kocodbpk.exe -
Loads dropped DLL 64 IoCs
pid Process 2240 c425b25588c88bcb70b5e76164a2a7b0N.exe 2240 c425b25588c88bcb70b5e76164a2a7b0N.exe 2404 Lpjiik32.exe 2404 Lpjiik32.exe 2832 Lcmopepp.exe 2832 Lcmopepp.exe 2876 Mnilfc32.exe 2876 Mnilfc32.exe 2112 Mkmmpg32.exe 2112 Mkmmpg32.exe 2632 Mfijfdca.exe 2632 Mfijfdca.exe 2060 Mgigpgkd.exe 2060 Mgigpgkd.exe 1628 Nfppfcmj.exe 1628 Nfppfcmj.exe 1640 Nloedjin.exe 1640 Nloedjin.exe 2024 Onehadbj.exe 2024 Onehadbj.exe 2672 Olobcm32.exe 2672 Olobcm32.exe 2560 Phhonn32.exe 2560 Phhonn32.exe 1668 Plfhdlfb.exe 1668 Plfhdlfb.exe 1968 Pknakhig.exe 1968 Pknakhig.exe 2420 Qajfmbna.exe 2420 Qajfmbna.exe 1676 Qlcgmpkp.exe 1676 Qlcgmpkp.exe 892 Afqeaemk.exe 892 Afqeaemk.exe 1488 Ahdkhp32.exe 1488 Ahdkhp32.exe 1040 Bdklnq32.exe 1040 Bdklnq32.exe 912 Bfqaph32.exe 912 Bfqaph32.exe 1588 Boifinfg.exe 1588 Boifinfg.exe 1600 Conpdm32.exe 1600 Conpdm32.exe 1708 Ckgmon32.exe 1708 Ckgmon32.exe 904 Cjngej32.exe 904 Cjngej32.exe 704 Dgbgon32.exe 704 Dgbgon32.exe 108 Dckdio32.exe 108 Dckdio32.exe 768 Dmcibdad.exe 768 Dmcibdad.exe 1520 Dimfmeef.exe 1520 Dimfmeef.exe 2720 Ebekej32.exe 2720 Ebekej32.exe 2204 Ebghkjjc.exe 2204 Ebghkjjc.exe 2952 Emceag32.exe 2952 Emceag32.exe 2936 Fkjbpkag.exe 2936 Fkjbpkag.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gphokhco.exe Gfpkbbmo.exe File created C:\Windows\SysWOW64\Hfkdpp32.dll Ecnbpcje.exe File opened for modification C:\Windows\SysWOW64\Afgoem32.exe Aomghchl.exe File opened for modification C:\Windows\SysWOW64\Eehpoaaf.exe Eeecibci.exe File created C:\Windows\SysWOW64\Libofaja.dll Cfdflfjk.exe File created C:\Windows\SysWOW64\Jgknok32.dll Glpdbfek.exe File opened for modification C:\Windows\SysWOW64\Denglpkc.exe Djibogkn.exe File created C:\Windows\SysWOW64\Ldamfd32.dll Chigmlml.exe File created C:\Windows\SysWOW64\Lcpaag32.exe Klclom32.exe File opened for modification C:\Windows\SysWOW64\Leebcm32.exe Linanl32.exe File opened for modification C:\Windows\SysWOW64\Fipenn32.exe Fokqae32.exe File created C:\Windows\SysWOW64\Mfihbo32.dll Dippfplg.exe File opened for modification C:\Windows\SysWOW64\Bfgikgjq.exe Bmndbb32.exe File opened for modification C:\Windows\SysWOW64\Mmdlqa32.exe Mdmdpd32.exe File created C:\Windows\SysWOW64\Ceiadj32.exe Cbkdhohk.exe File created C:\Windows\SysWOW64\Gpeqpl32.dll Pijjhf32.exe File created C:\Windows\SysWOW64\Kcbmea32.dll Cmdonf32.exe File created C:\Windows\SysWOW64\Cmmfab32.dll Cjbpoeoj.exe File created C:\Windows\SysWOW64\Neoejnjj.dll Mcpmonea.exe File created C:\Windows\SysWOW64\Haafepbn.exe Hcnfllcd.exe File created C:\Windows\SysWOW64\Olfgom32.dll Hmhgjahb.exe File created C:\Windows\SysWOW64\Chmpicbd.exe Bkiopock.exe File created C:\Windows\SysWOW64\Mfijfdca.exe Mkmmpg32.exe File created C:\Windows\SysWOW64\Hkfgnldd.exe Hkdkhl32.exe File created C:\Windows\SysWOW64\Jgnjof32.exe Iocekd32.exe File opened for modification C:\Windows\SysWOW64\Nnknqpgi.exe Njmejaqb.exe File created C:\Windows\SysWOW64\Egjdphbc.dll Ifecen32.exe File opened for modification C:\Windows\SysWOW64\Inkimc32.exe Hfpehq32.exe File opened for modification C:\Windows\SysWOW64\Adagjagp.exe Ahkgeq32.exe File created C:\Windows\SysWOW64\Pjopen32.dll Nloedjin.exe File opened for modification C:\Windows\SysWOW64\Fkjbpkag.exe Emceag32.exe File created C:\Windows\SysWOW64\Abgeiaaf.exe Aahhoo32.exe File opened for modification C:\Windows\SysWOW64\Bfmlif32.exe Bapcaocc.exe File opened for modification C:\Windows\SysWOW64\Khbmqpii.exe Kojihjbi.exe File opened for modification C:\Windows\SysWOW64\Lhofpm32.exe Llhejldh.exe File created C:\Windows\SysWOW64\Fopilf32.dll c425b25588c88bcb70b5e76164a2a7b0N.exe File opened for modification C:\Windows\SysWOW64\Iopeagip.exe Iegaha32.exe File opened for modification C:\Windows\SysWOW64\Pmcjceam.exe Palincli.exe File opened for modification C:\Windows\SysWOW64\Jgmnhojl.exe Japfphle.exe File opened for modification C:\Windows\SysWOW64\Edenlp32.exe Ehnmgo32.exe File created C:\Windows\SysWOW64\Lglkjjlo.dll Aeokdn32.exe File created C:\Windows\SysWOW64\Dfqjible.exe Dmhfpmee.exe File opened for modification C:\Windows\SysWOW64\Lbmknipc.exe Ljafifbh.exe File created C:\Windows\SysWOW64\Dcmfioph.dll Bbdakh32.exe File opened for modification C:\Windows\SysWOW64\Dldndf32.exe Dclikp32.exe File created C:\Windows\SysWOW64\Aclfigao.exe Aqkmgl32.exe File opened for modification C:\Windows\SysWOW64\Jmafocbb.exe Jakejb32.exe File opened for modification C:\Windows\SysWOW64\Nclfpg32.exe Ncjijhch.exe File created C:\Windows\SysWOW64\Angohn32.dll Jdhmel32.exe File opened for modification C:\Windows\SysWOW64\Nlfdjphd.exe Ndkoemji.exe File created C:\Windows\SysWOW64\Lgpeeidl.dll Mnkdlagc.exe File opened for modification C:\Windows\SysWOW64\Majdkifd.exe Mpjgag32.exe File created C:\Windows\SysWOW64\Mpmfjm32.dll Eilodk32.exe File created C:\Windows\SysWOW64\Kldaqhdq.dll Kodhbe32.exe File opened for modification C:\Windows\SysWOW64\Dnqkammo.exe Dlboeanl.exe File created C:\Windows\SysWOW64\Fhfbmn32.exe Fdhigo32.exe File created C:\Windows\SysWOW64\Bdnnogfm.dll Majdkifd.exe File created C:\Windows\SysWOW64\Holqbipe.exe Gbhpidak.exe File created C:\Windows\SysWOW64\Ilpaqmkg.exe Ibglhhdf.exe File opened for modification C:\Windows\SysWOW64\Cfdflfjk.exe Chqfbbka.exe File created C:\Windows\SysWOW64\Bklifdmh.dll Aahhoo32.exe File created C:\Windows\SysWOW64\Lhofpm32.exe Llhejldh.exe File created C:\Windows\SysWOW64\Dfoplkel.exe Cflcglho.exe File created C:\Windows\SysWOW64\Kihcakpa.exe Kocodbpk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2964 3656 Process not Found 1058 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olclimif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Benbbcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbpbklpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbpii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kifgllbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Licpki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehlbihg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmmemih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbdbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palincli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlkmnmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhgkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjeid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giljinne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcnfllcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clcghk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kopldl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiifjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpdiifd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoobkej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfadeaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqiakm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cghpgbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgablmfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ellfmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khgnff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhmhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpmonea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlebog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjicd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajbie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmkmlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blejgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpgae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fldeakgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkodd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enomam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haadlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdgaflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfaopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gogggi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokqae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anebhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqodho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnhpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babpgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcmoafph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emceag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhndcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcfpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgeedno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dccgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ognakk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmoone32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjgpqjqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Likbap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikhqbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjnbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kefpbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kplhfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giiibqdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnfof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjmnmk32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofgfio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckalkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehcikg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icgkkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfppfcmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddifg32.dll" Hbepplkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpjgag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eained32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbgknc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anmcdjmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgebcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fefhnhpc.dll" Fkjbpkag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnkchahn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkbbqjgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okabeg32.dll" Memonbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcijmhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oknqkmgf.dll" Mgcflnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oinbglkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oodejhfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lccdamop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccehgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njhhiiok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdqfnhpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nolffjap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apgnpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibghnjnm.dll" Dhqnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiaiih32.dll" Gcnleahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicfhb32.dll" Jbnogjqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omddohbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnenmfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbinipg.dll" Ccehgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfhdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkdkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Licpki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Megkgpaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plnkkccp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llagegfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gflfidpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpboi32.dll" Adagjagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhckjdc.dll" Hlbooaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fniikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklljn32.dll" Bqhffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbfndggh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piiekp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnpieceq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfaachpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emgpiigp.dll" Hcmoafph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eamqahed.dll" Jkeialfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfqmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgpmbmbl.dll" Qofjmnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djmpmppn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amdmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Annpaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giiibqdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbbpj32.dll" Pabidiko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efolib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fknido32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onehadbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cloaof32.dll" Mmolll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iimhfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jankcafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmkigb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2404 2240 c425b25588c88bcb70b5e76164a2a7b0N.exe 29 PID 2240 wrote to memory of 2404 2240 c425b25588c88bcb70b5e76164a2a7b0N.exe 29 PID 2240 wrote to memory of 2404 2240 c425b25588c88bcb70b5e76164a2a7b0N.exe 29 PID 2240 wrote to memory of 2404 2240 c425b25588c88bcb70b5e76164a2a7b0N.exe 29 PID 2404 wrote to memory of 2832 2404 Lpjiik32.exe 30 PID 2404 wrote to memory of 2832 2404 Lpjiik32.exe 30 PID 2404 wrote to memory of 2832 2404 Lpjiik32.exe 30 PID 2404 wrote to memory of 2832 2404 Lpjiik32.exe 30 PID 2832 wrote to memory of 2876 2832 Lcmopepp.exe 31 PID 2832 wrote to memory of 2876 2832 Lcmopepp.exe 31 PID 2832 wrote to memory of 2876 2832 Lcmopepp.exe 31 PID 2832 wrote to memory of 2876 2832 Lcmopepp.exe 31 PID 2876 wrote to memory of 2112 2876 Mnilfc32.exe 32 PID 2876 wrote to memory of 2112 2876 Mnilfc32.exe 32 PID 2876 wrote to memory of 2112 2876 Mnilfc32.exe 32 PID 2876 wrote to memory of 2112 2876 Mnilfc32.exe 32 PID 2112 wrote to memory of 2632 2112 Mkmmpg32.exe 33 PID 2112 wrote to memory of 2632 2112 Mkmmpg32.exe 33 PID 2112 wrote to memory of 2632 2112 Mkmmpg32.exe 33 PID 2112 wrote to memory of 2632 2112 Mkmmpg32.exe 33 PID 2632 wrote to memory of 2060 2632 Mfijfdca.exe 34 PID 2632 wrote to memory of 2060 2632 Mfijfdca.exe 34 PID 2632 wrote to memory of 2060 2632 Mfijfdca.exe 34 PID 2632 wrote to memory of 2060 2632 Mfijfdca.exe 34 PID 2060 wrote to memory of 1628 2060 Mgigpgkd.exe 35 PID 2060 wrote to memory of 1628 2060 Mgigpgkd.exe 35 PID 2060 wrote to memory of 1628 2060 Mgigpgkd.exe 35 PID 2060 wrote to memory of 1628 2060 Mgigpgkd.exe 35 PID 1628 wrote to memory of 1640 1628 Nfppfcmj.exe 36 PID 1628 wrote to memory of 1640 1628 Nfppfcmj.exe 36 PID 1628 wrote to memory of 1640 1628 Nfppfcmj.exe 36 PID 1628 wrote to memory of 1640 1628 Nfppfcmj.exe 36 PID 1640 wrote to memory of 2024 1640 Nloedjin.exe 37 PID 1640 wrote to memory of 2024 1640 Nloedjin.exe 37 PID 1640 wrote to memory of 2024 1640 Nloedjin.exe 37 PID 1640 wrote to memory of 2024 1640 Nloedjin.exe 37 PID 2024 wrote to memory of 2672 2024 Onehadbj.exe 38 PID 2024 wrote to memory of 2672 2024 Onehadbj.exe 38 PID 2024 wrote to memory of 2672 2024 Onehadbj.exe 38 PID 2024 wrote to memory of 2672 2024 Onehadbj.exe 38 PID 2672 wrote to memory of 2560 2672 Olobcm32.exe 39 PID 2672 wrote to memory of 2560 2672 Olobcm32.exe 39 PID 2672 wrote to memory of 2560 2672 Olobcm32.exe 39 PID 2672 wrote to memory of 2560 2672 Olobcm32.exe 39 PID 2560 wrote to memory of 1668 2560 Phhonn32.exe 40 PID 2560 wrote to memory of 1668 2560 Phhonn32.exe 40 PID 2560 wrote to memory of 1668 2560 Phhonn32.exe 40 PID 2560 wrote to memory of 1668 2560 Phhonn32.exe 40 PID 1668 wrote to memory of 1968 1668 Plfhdlfb.exe 41 PID 1668 wrote to memory of 1968 1668 Plfhdlfb.exe 41 PID 1668 wrote to memory of 1968 1668 Plfhdlfb.exe 41 PID 1668 wrote to memory of 1968 1668 Plfhdlfb.exe 41 PID 1968 wrote to memory of 2420 1968 Pknakhig.exe 42 PID 1968 wrote to memory of 2420 1968 Pknakhig.exe 42 PID 1968 wrote to memory of 2420 1968 Pknakhig.exe 42 PID 1968 wrote to memory of 2420 1968 Pknakhig.exe 42 PID 2420 wrote to memory of 1676 2420 Qajfmbna.exe 43 PID 2420 wrote to memory of 1676 2420 Qajfmbna.exe 43 PID 2420 wrote to memory of 1676 2420 Qajfmbna.exe 43 PID 2420 wrote to memory of 1676 2420 Qajfmbna.exe 43 PID 1676 wrote to memory of 892 1676 Qlcgmpkp.exe 44 PID 1676 wrote to memory of 892 1676 Qlcgmpkp.exe 44 PID 1676 wrote to memory of 892 1676 Qlcgmpkp.exe 44 PID 1676 wrote to memory of 892 1676 Qlcgmpkp.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\c425b25588c88bcb70b5e76164a2a7b0N.exe"C:\Users\Admin\AppData\Local\Temp\c425b25588c88bcb70b5e76164a2a7b0N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Lpjiik32.exeC:\Windows\system32\Lpjiik32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Lcmopepp.exeC:\Windows\system32\Lcmopepp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Mnilfc32.exeC:\Windows\system32\Mnilfc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Mkmmpg32.exeC:\Windows\system32\Mkmmpg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Mgigpgkd.exeC:\Windows\system32\Mgigpgkd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Nfppfcmj.exeC:\Windows\system32\Nfppfcmj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Nloedjin.exeC:\Windows\system32\Nloedjin.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Olobcm32.exeC:\Windows\system32\Olobcm32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Phhonn32.exeC:\Windows\system32\Phhonn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Plfhdlfb.exeC:\Windows\system32\Plfhdlfb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Pknakhig.exeC:\Windows\system32\Pknakhig.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Qajfmbna.exeC:\Windows\system32\Qajfmbna.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Qlcgmpkp.exeC:\Windows\system32\Qlcgmpkp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Ahdkhp32.exeC:\Windows\system32\Ahdkhp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Bdklnq32.exeC:\Windows\system32\Bdklnq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Bfqaph32.exeC:\Windows\system32\Bfqaph32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Boifinfg.exeC:\Windows\system32\Boifinfg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Conpdm32.exeC:\Windows\system32\Conpdm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ckgmon32.exeC:\Windows\system32\Ckgmon32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Cjngej32.exeC:\Windows\system32\Cjngej32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Dgbgon32.exeC:\Windows\system32\Dgbgon32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:704 -
C:\Windows\SysWOW64\Dckdio32.exeC:\Windows\system32\Dckdio32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Dmcibdad.exeC:\Windows\system32\Dmcibdad.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Dimfmeef.exeC:\Windows\system32\Dimfmeef.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Ebekej32.exeC:\Windows\system32\Ebekej32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Ebghkjjc.exeC:\Windows\system32\Ebghkjjc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Emceag32.exeC:\Windows\system32\Emceag32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Fkjbpkag.exeC:\Windows\system32\Fkjbpkag.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Fgqcel32.exeC:\Windows\system32\Fgqcel32.exe33⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Fialggcl.exeC:\Windows\system32\Fialggcl.exe34⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Fhfihd32.exeC:\Windows\system32\Fhfihd32.exe35⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Gkgbioee.exeC:\Windows\system32\Gkgbioee.exe36⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Gacgli32.exeC:\Windows\system32\Gacgli32.exe37⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Gafcahil.exeC:\Windows\system32\Gafcahil.exe38⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Glpdbfek.exeC:\Windows\system32\Glpdbfek.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Hggeeo32.exeC:\Windows\system32\Hggeeo32.exe40⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Hcnfjpib.exeC:\Windows\system32\Hcnfjpib.exe41⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Hkiknb32.exeC:\Windows\system32\Hkiknb32.exe42⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Hmighemp.exeC:\Windows\system32\Hmighemp.exe43⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Hbepplkh.exeC:\Windows\system32\Hbepplkh.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Hnlqemal.exeC:\Windows\system32\Hnlqemal.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Hgeenb32.exeC:\Windows\system32\Hgeenb32.exe46⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Iamjghnm.exeC:\Windows\system32\Iamjghnm.exe47⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Ikbndqnc.exeC:\Windows\system32\Ikbndqnc.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Iekbmfdc.exeC:\Windows\system32\Iekbmfdc.exe49⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Incgfl32.exeC:\Windows\system32\Incgfl32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Iimhfj32.exeC:\Windows\system32\Iimhfj32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Ibeloo32.exeC:\Windows\system32\Ibeloo32.exe52⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ipimic32.exeC:\Windows\system32\Ipimic32.exe53⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Jplinckj.exeC:\Windows\system32\Jplinckj.exe54⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Jlbjcd32.exeC:\Windows\system32\Jlbjcd32.exe55⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Jekoljgo.exeC:\Windows\system32\Jekoljgo.exe56⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Jbooen32.exeC:\Windows\system32\Jbooen32.exe57⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Jlgcncli.exeC:\Windows\system32\Jlgcncli.exe58⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Jhndcd32.exeC:\Windows\system32\Jhndcd32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Jmkmlk32.exeC:\Windows\system32\Jmkmlk32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Kmmiaknb.exeC:\Windows\system32\Kmmiaknb.exe61⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Kbjbibli.exeC:\Windows\system32\Kbjbibli.exe62⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Kpnbcfkc.exeC:\Windows\system32\Kpnbcfkc.exe63⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Kifgllbc.exeC:\Windows\system32\Kifgllbc.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Kocodbpk.exeC:\Windows\system32\Kocodbpk.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Kihcakpa.exeC:\Windows\system32\Kihcakpa.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1872 -
C:\Windows\SysWOW64\Kcahjqfa.exeC:\Windows\system32\Kcahjqfa.exe67⤵PID:1140
-
C:\Windows\SysWOW64\Lohiob32.exeC:\Windows\system32\Lohiob32.exe68⤵PID:264
-
C:\Windows\SysWOW64\Mogene32.exeC:\Windows\system32\Mogene32.exe69⤵PID:2080
-
C:\Windows\SysWOW64\Mcendc32.exeC:\Windows\system32\Mcendc32.exe70⤵PID:1636
-
C:\Windows\SysWOW64\Mnakjaoc.exeC:\Windows\system32\Mnakjaoc.exe71⤵PID:2532
-
C:\Windows\SysWOW64\Moahdd32.exeC:\Windows\system32\Moahdd32.exe72⤵PID:2540
-
C:\Windows\SysWOW64\Niilmi32.exeC:\Windows\system32\Niilmi32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Njjieace.exeC:\Windows\system32\Njjieace.exe74⤵PID:2728
-
C:\Windows\SysWOW64\Nccmng32.exeC:\Windows\system32\Nccmng32.exe75⤵PID:2660
-
C:\Windows\SysWOW64\Njmejaqb.exeC:\Windows\system32\Njmejaqb.exe76⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Nnknqpgi.exeC:\Windows\system32\Nnknqpgi.exe77⤵PID:2680
-
C:\Windows\SysWOW64\Ncggifep.exeC:\Windows\system32\Ncggifep.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Ncjcnfcn.exeC:\Windows\system32\Ncjcnfcn.exe79⤵PID:1860
-
C:\Windows\SysWOW64\Ombhgljn.exeC:\Windows\system32\Ombhgljn.exe80⤵PID:2960
-
C:\Windows\SysWOW64\Obopobhe.exeC:\Windows\system32\Obopobhe.exe81⤵PID:960
-
C:\Windows\SysWOW64\Omddmkhl.exeC:\Windows\system32\Omddmkhl.exe82⤵PID:1076
-
C:\Windows\SysWOW64\Obamebfc.exeC:\Windows\system32\Obamebfc.exe83⤵PID:2232
-
C:\Windows\SysWOW64\Oljanhmc.exeC:\Windows\system32\Oljanhmc.exe84⤵PID:2432
-
C:\Windows\SysWOW64\Oinbglkm.exeC:\Windows\system32\Oinbglkm.exe85⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Onkjocjd.exeC:\Windows\system32\Onkjocjd.exe86⤵PID:940
-
C:\Windows\SysWOW64\Ohcohh32.exeC:\Windows\system32\Ohcohh32.exe87⤵PID:528
-
C:\Windows\SysWOW64\Onmgeb32.exeC:\Windows\system32\Onmgeb32.exe88⤵PID:2120
-
C:\Windows\SysWOW64\Pjchjcmf.exeC:\Windows\system32\Pjchjcmf.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Ppqqbjkm.exeC:\Windows\system32\Ppqqbjkm.exe90⤵PID:2056
-
C:\Windows\SysWOW64\Piiekp32.exeC:\Windows\system32\Piiekp32.exe91⤵
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Pdnihiad.exeC:\Windows\system32\Pdnihiad.exe92⤵PID:2620
-
C:\Windows\SysWOW64\Pljnmkoo.exeC:\Windows\system32\Pljnmkoo.exe93⤵PID:2992
-
C:\Windows\SysWOW64\Pdqfnhpa.exeC:\Windows\system32\Pdqfnhpa.exe94⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Pinnfonh.exeC:\Windows\system32\Pinnfonh.exe95⤵PID:2568
-
C:\Windows\SysWOW64\Pfaopc32.exeC:\Windows\system32\Pfaopc32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe97⤵PID:2224
-
C:\Windows\SysWOW64\Qkcdigpa.exeC:\Windows\system32\Qkcdigpa.exe98⤵PID:1264
-
C:\Windows\SysWOW64\Ahgdbk32.exeC:\Windows\system32\Ahgdbk32.exe99⤵PID:2440
-
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe100⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Aodjdede.exeC:\Windows\system32\Aodjdede.exe101⤵PID:2588
-
C:\Windows\SysWOW64\Ahlnmjkf.exeC:\Windows\system32\Ahlnmjkf.exe102⤵PID:932
-
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe103⤵PID:1592
-
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe104⤵PID:920
-
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe105⤵PID:1552
-
C:\Windows\SysWOW64\Annpaq32.exeC:\Windows\system32\Annpaq32.exe106⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Bfieec32.exeC:\Windows\system32\Bfieec32.exe107⤵PID:2688
-
C:\Windows\SysWOW64\Blcmbmip.exeC:\Windows\system32\Blcmbmip.exe108⤵PID:2948
-
C:\Windows\SysWOW64\Bfkakbpp.exeC:\Windows\system32\Bfkakbpp.exe109⤵PID:1080
-
C:\Windows\SysWOW64\Blejgm32.exeC:\Windows\system32\Blejgm32.exe110⤵
- System Location Discovery: System Language Discovery
PID:1272 -
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe111⤵PID:2316
-
C:\Windows\SysWOW64\Blgfml32.exeC:\Windows\system32\Blgfml32.exe112⤵PID:1344
-
C:\Windows\SysWOW64\Bdbkaoce.exeC:\Windows\system32\Bdbkaoce.exe113⤵PID:2072
-
C:\Windows\SysWOW64\Bqilfp32.exeC:\Windows\system32\Bqilfp32.exe114⤵PID:2444
-
C:\Windows\SysWOW64\Cjbpoeoj.exeC:\Windows\system32\Cjbpoeoj.exe115⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Cdgdlnop.exeC:\Windows\system32\Cdgdlnop.exe116⤵PID:2132
-
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe117⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Ccmanjch.exeC:\Windows\system32\Ccmanjch.exe118⤵PID:936
-
C:\Windows\SysWOW64\Cocbbk32.exeC:\Windows\system32\Cocbbk32.exe119⤵PID:1660
-
C:\Windows\SysWOW64\Cjifpdib.exeC:\Windows\system32\Cjifpdib.exe120⤵PID:1300
-
C:\Windows\SysWOW64\Ccakij32.exeC:\Windows\system32\Ccakij32.exe121⤵PID:2624
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-