Analysis
-
max time kernel
111s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
06-08-2024 07:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
765165a1d462e477523d6f39315a88f0N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
765165a1d462e477523d6f39315a88f0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
765165a1d462e477523d6f39315a88f0N.exe
-
Size
182KB
-
MD5
765165a1d462e477523d6f39315a88f0
-
SHA1
19078eb4091fb7124c23b4800d53c7e62a8442d4
-
SHA256
319257eb4b70392658f7b5f83eb2f20622e9554d3408d273e89b0f444a9fefde
-
SHA512
5a2579f40ed14ef410e785780982135910c9c89c7220a99a112891b4a67052ad664b90264f68d1d00c8fb73fe46dad503a21a68685e41d9623fa845879309fb3
-
SSDEEP
3072:oehBQM+oC2LwvwSoYD/WHfX/rP3lLBsLnVUUHyNwtN4/nEBlMdQ94V5AlL/x5RlH:XPQmLwvwSoYyHfTPqUUHyN4lMdQ94vAR
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjikaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajiok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkajkoml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phckglbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhfljm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmehqna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dckdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphmfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naokbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpihnbmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebgoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjfpkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caqfiloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmgpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgelahmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knbjgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gllabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfjjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfgke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldooi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjdbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obakli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pghjqlmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiaaaicm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akjjifji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cegbce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkhcdhmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhdfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghjqlmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhmfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjoaofc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdkhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdjenkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaeiqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaoddodf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhnbklji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccaipaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieqbbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaogbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdcncg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoegoqng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppegdapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amebjgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbejj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjbghkfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjdkllec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nljcflbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgqoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odanqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqkbkicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehonebqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nalnmahf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpkdca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndgdpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aicipgqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpmkgab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qchmll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcdljghj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgfml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaamhb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2888 Ihlpqonl.exe 2948 Iljifm32.exe 2704 Iplnpq32.exe 2872 Jjilde32.exe 2708 Jofdll32.exe 2552 Jjneoeeh.exe 1620 Komjmk32.exe 2792 Kgjlgm32.exe 2024 Kcamln32.exe 1356 Lqgjkbop.exe 2880 Lffohikd.exe 552 Lbplciof.exe 2148 Laeidfdn.exe 2408 Mcfbfaao.exe 1744 Mjbghkfi.exe 1776 Mdmhfpkg.exe 1324 Nilndfgl.exe 2572 Nhakecld.exe 2380 Naionh32.exe 928 Nmbmii32.exe 780 Ngkaaolf.exe 2656 Ogmngn32.exe 1556 Odanqb32.exe 1932 Ogbgbn32.exe 2308 Oegdcj32.exe 1764 Panehkaj.exe 1600 Pcmabnhm.exe 2420 Phjjkefd.exe 2884 Qckalamk.exe 2132 Amebjgai.exe 2832 Amhopfof.exe 2924 Abgdnm32.exe 1512 Akphfbbl.exe 3060 Aicipgqe.exe 2260 Bnbnnm32.exe 1732 Bjiobnbn.exe 3004 Bpfgke32.exe 1836 Bphdpe32.exe 1212 Bpkqfdmp.exe 1044 Ciebdj32.exe 368 Caqfiloi.exe 2664 Cjikaa32.exe 1368 Ckkhga32.exe 1664 Chohqebq.exe 2608 Dfdeab32.exe 864 Dajiok32.exe 1916 Diencmcj.exe 2636 Dbnblb32.exe 2324 Dihkimag.exe 1768 Dcpoab32.exe 2256 Dpdpkfga.exe 2788 Deahcneh.exe 1888 Eoimlc32.exe 484 Ehaaei32.exe 2768 Edhbjjhn.exe 960 Ekbjgd32.exe 2196 Ehfkphnd.exe 2020 Ekdglcmh.exe 1628 Epdljjjm.exe 3000 Flkmokoa.exe 2188 Fgbnbcmd.exe 112 Fqkbkicd.exe 2180 Fkdckgpc.exe 2236 Fdmgdl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2780 765165a1d462e477523d6f39315a88f0N.exe 2780 765165a1d462e477523d6f39315a88f0N.exe 2888 Ihlpqonl.exe 2888 Ihlpqonl.exe 2948 Iljifm32.exe 2948 Iljifm32.exe 2704 Iplnpq32.exe 2704 Iplnpq32.exe 2872 Jjilde32.exe 2872 Jjilde32.exe 2708 Jofdll32.exe 2708 Jofdll32.exe 2552 Jjneoeeh.exe 2552 Jjneoeeh.exe 1620 Komjmk32.exe 1620 Komjmk32.exe 2792 Kgjlgm32.exe 2792 Kgjlgm32.exe 2024 Kcamln32.exe 2024 Kcamln32.exe 1356 Lqgjkbop.exe 1356 Lqgjkbop.exe 2880 Lffohikd.exe 2880 Lffohikd.exe 552 Lbplciof.exe 552 Lbplciof.exe 2148 Laeidfdn.exe 2148 Laeidfdn.exe 2408 Mcfbfaao.exe 2408 Mcfbfaao.exe 1744 Mjbghkfi.exe 1744 Mjbghkfi.exe 1776 Mdmhfpkg.exe 1776 Mdmhfpkg.exe 1324 Nilndfgl.exe 1324 Nilndfgl.exe 2572 Nhakecld.exe 2572 Nhakecld.exe 2380 Naionh32.exe 2380 Naionh32.exe 928 Nmbmii32.exe 928 Nmbmii32.exe 780 Ngkaaolf.exe 780 Ngkaaolf.exe 2656 Ogmngn32.exe 2656 Ogmngn32.exe 1556 Odanqb32.exe 1556 Odanqb32.exe 1932 Ogbgbn32.exe 1932 Ogbgbn32.exe 2308 Oegdcj32.exe 2308 Oegdcj32.exe 1764 Panehkaj.exe 1764 Panehkaj.exe 1600 Pcmabnhm.exe 1600 Pcmabnhm.exe 2420 Phjjkefd.exe 2420 Phjjkefd.exe 2884 Qckalamk.exe 2884 Qckalamk.exe 2132 Amebjgai.exe 2132 Amebjgai.exe 2832 Amhopfof.exe 2832 Amhopfof.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Akhndf32.exe Amdmkb32.exe File opened for modification C:\Windows\SysWOW64\Lddagi32.exe Klgpmgod.exe File created C:\Windows\SysWOW64\Blhphg32.dll Lamkllea.exe File created C:\Windows\SysWOW64\Epjdbn32.exe Efbpihoo.exe File created C:\Windows\SysWOW64\Nmbmii32.exe Naionh32.exe File created C:\Windows\SysWOW64\Fgbnbcmd.exe Flkmokoa.exe File opened for modification C:\Windows\SysWOW64\Mbhlgg32.exe Mcbofk32.exe File created C:\Windows\SysWOW64\Lageje32.dll Gnoaliln.exe File created C:\Windows\SysWOW64\Opcboqhc.dll Mhbflj32.exe File created C:\Windows\SysWOW64\Mfeiad32.dll Cjfjjd32.exe File created C:\Windows\SysWOW64\Jnenmnck.dll Bnkpjd32.exe File created C:\Windows\SysWOW64\Iqmcmaja.exe Igdndl32.exe File created C:\Windows\SysWOW64\Kfpamb32.dll Immkiodb.exe File created C:\Windows\SysWOW64\Agnbbk32.dll Ddnhidmm.exe File created C:\Windows\SysWOW64\Odecpkqa.dll Iagchmjn.exe File created C:\Windows\SysWOW64\Kcdljghj.exe Kkigfdjo.exe File created C:\Windows\SysWOW64\Gqcaoghl.exe Fqnhcgma.exe File opened for modification C:\Windows\SysWOW64\Djcpqidc.exe Dmopge32.exe File created C:\Windows\SysWOW64\Mkdfdn32.dll Emilqb32.exe File created C:\Windows\SysWOW64\Hdailaib.exe Hdolga32.exe File created C:\Windows\SysWOW64\Jidngh32.exe Jiaaaicm.exe File created C:\Windows\SysWOW64\Fdhigo32.exe Flmecm32.exe File created C:\Windows\SysWOW64\Ikpmge32.dll Bjiobnbn.exe File opened for modification C:\Windows\SysWOW64\Hlnbqijd.exe Hfajhblm.exe File created C:\Windows\SysWOW64\Dahgqohh.dll Kkigfdjo.exe File created C:\Windows\SysWOW64\Eminngdn.dll Qfifmghc.exe File created C:\Windows\SysWOW64\Nlmiojla.exe Nfppfcmj.exe File created C:\Windows\SysWOW64\Ekmmmb32.dll Gjahfkfg.exe File opened for modification C:\Windows\SysWOW64\Hedllgjk.exe Hbccklmj.exe File opened for modification C:\Windows\SysWOW64\Ngkaaolf.exe Nmbmii32.exe File created C:\Windows\SysWOW64\Aicipgqe.exe Akphfbbl.exe File created C:\Windows\SysWOW64\Gfcgfabf.dll Bphdpe32.exe File created C:\Windows\SysWOW64\Jmfgkqba.dll Pllhib32.exe File created C:\Windows\SysWOW64\Kkajkoml.exe Kbjbibli.exe File opened for modification C:\Windows\SysWOW64\Jaffca32.exe Jhnbklji.exe File created C:\Windows\SysWOW64\Obakli32.exe Oiifcdhn.exe File opened for modification C:\Windows\SysWOW64\Ipameehe.exe Icjmpd32.exe File opened for modification C:\Windows\SysWOW64\Gilhpe32.exe Glhhgahg.exe File created C:\Windows\SysWOW64\Nikofcfm.dll Dkfcqo32.exe File created C:\Windows\SysWOW64\Nbbhpegc.exe Mflgkd32.exe File opened for modification C:\Windows\SysWOW64\Qbkljd32.exe Qeglqpaj.exe File created C:\Windows\SysWOW64\Bhqdgm32.exe Bnkpjd32.exe File created C:\Windows\SysWOW64\Kjpmmd32.dll Cdjabn32.exe File created C:\Windows\SysWOW64\Npbcjjnl.dll Jjilde32.exe File opened for modification C:\Windows\SysWOW64\Abgdnm32.exe Amhopfof.exe File opened for modification C:\Windows\SysWOW64\Njcibgcf.exe Npneeocq.exe File created C:\Windows\SysWOW64\Eceiinfd.dll Oojhfj32.exe File created C:\Windows\SysWOW64\Ppicdhan.dll Bbolge32.exe File created C:\Windows\SysWOW64\Glhhgahg.exe Fangfcki.exe File created C:\Windows\SysWOW64\Lnopmegg.exe Lhbhdnio.exe File opened for modification C:\Windows\SysWOW64\Pllhib32.exe Ppegdapd.exe File opened for modification C:\Windows\SysWOW64\Bmgddcnf.exe Bkghjq32.exe File opened for modification C:\Windows\SysWOW64\Plfhdlfb.exe Ppogok32.exe File opened for modification C:\Windows\SysWOW64\Pfaopc32.exe Ppejmj32.exe File opened for modification C:\Windows\SysWOW64\Bfkobj32.exe Aqgqid32.exe File created C:\Windows\SysWOW64\Npdlphmj.dll Goodpb32.exe File created C:\Windows\SysWOW64\Bfmkge32.dll Dcfknooi.exe File created C:\Windows\SysWOW64\Jlgcncli.exe Jocceo32.exe File opened for modification C:\Windows\SysWOW64\Iabcbg32.exe Igioiacg.exe File created C:\Windows\SysWOW64\Nghehm32.dll Phckglbq.exe File opened for modification C:\Windows\SysWOW64\Eodknifb.exe Efifjg32.exe File created C:\Windows\SysWOW64\Ckkhga32.exe Cjikaa32.exe File created C:\Windows\SysWOW64\Ceoagcld.exe Cihqbb32.exe File created C:\Windows\SysWOW64\Dbcnpk32.exe Deonff32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2164 4432 WerFault.exe 417 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhbhdnio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqekkob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcknjidn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicipgqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeglqpaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhbjjhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahioobed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabeal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofdll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjneoeeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oegdcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcqdidim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfbck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbolge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipnng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfhdlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acdfki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjfpkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmhfpkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgjfflkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoegoqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmkmlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljifm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdkhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdglcmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdolga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omoehf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofbikf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 765165a1d462e477523d6f39315a88f0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkomepon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amdmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdailaib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqhadmhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abachg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epqhjdhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjngej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnbqijd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbadifn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamkllea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phckglbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eolljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boolhikf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danohi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pieobaiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhigo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgcncli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emilqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdpjgjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjqfmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgpcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmgho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfcnfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nalnmahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkdca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjchjcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankckagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nebgoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiifcdhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkakbpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfgnldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odanqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goodpb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiiaq32.dll" Omoehf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epqhjdhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmicb32.dll" Lkhcdhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhmm32.dll" Ceoagcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmmmb32.dll" Gjahfkfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aefhpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckamihfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdjabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbapjpfp.dll" Glhhgahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgklh32.dll" Ggdfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kocodbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnleckl.dll" Apgcbmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkcpmmb.dll" Panehkaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkdckgpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijghmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmciiok.dll" Imhanp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicoednb.dll" Kgjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkimli32.dll" Npneeocq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcelpdef.dll" Fpihnbmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngkaaolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcpoab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbhgfqec.dll" Akhndf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iplnpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oegdcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pghjqlmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagbnnje.dll" Mnilfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jocceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olgehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oohlaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblaal32.dll" Pedmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gebiefle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaejddnk.dll" Mjbghkfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gihpcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifcbme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pglclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fompem32.dll" Epbamc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdfmccfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoegoqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dckdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmfnaj32.dll" Deahcneh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcangac.dll" Maabcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahioobed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjoqmd32.dll" Eolljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmkilcj.dll" Mgjpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gllabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opmaii32.dll" Hdolga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqopmbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogeckf32.dll" Dlcfnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejqea32.dll" Dfdeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqibb32.dll" Ehaaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logcad32.dll" Mibdcakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efghmkeb.dll" Gdfmccfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchqamfp.dll" Ipimic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geeekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmdelbi.dll" Knodnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmflaaok.dll" Dmiihjak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnnlmn32.dll" Hjmolp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpjiik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceahlg32.dll" Ndnplk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjchjcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpiogfm.dll" Dcpoab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlklik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fangfcki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glhhgahg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2780 wrote to memory of 2888 2780 765165a1d462e477523d6f39315a88f0N.exe 30 PID 2780 wrote to memory of 2888 2780 765165a1d462e477523d6f39315a88f0N.exe 30 PID 2780 wrote to memory of 2888 2780 765165a1d462e477523d6f39315a88f0N.exe 30 PID 2780 wrote to memory of 2888 2780 765165a1d462e477523d6f39315a88f0N.exe 30 PID 2888 wrote to memory of 2948 2888 Ihlpqonl.exe 31 PID 2888 wrote to memory of 2948 2888 Ihlpqonl.exe 31 PID 2888 wrote to memory of 2948 2888 Ihlpqonl.exe 31 PID 2888 wrote to memory of 2948 2888 Ihlpqonl.exe 31 PID 2948 wrote to memory of 2704 2948 Iljifm32.exe 32 PID 2948 wrote to memory of 2704 2948 Iljifm32.exe 32 PID 2948 wrote to memory of 2704 2948 Iljifm32.exe 32 PID 2948 wrote to memory of 2704 2948 Iljifm32.exe 32 PID 2704 wrote to memory of 2872 2704 Iplnpq32.exe 33 PID 2704 wrote to memory of 2872 2704 Iplnpq32.exe 33 PID 2704 wrote to memory of 2872 2704 Iplnpq32.exe 33 PID 2704 wrote to memory of 2872 2704 Iplnpq32.exe 33 PID 2872 wrote to memory of 2708 2872 Jjilde32.exe 34 PID 2872 wrote to memory of 2708 2872 Jjilde32.exe 34 PID 2872 wrote to memory of 2708 2872 Jjilde32.exe 34 PID 2872 wrote to memory of 2708 2872 Jjilde32.exe 34 PID 2708 wrote to memory of 2552 2708 Jofdll32.exe 35 PID 2708 wrote to memory of 2552 2708 Jofdll32.exe 35 PID 2708 wrote to memory of 2552 2708 Jofdll32.exe 35 PID 2708 wrote to memory of 2552 2708 Jofdll32.exe 35 PID 2552 wrote to memory of 1620 2552 Jjneoeeh.exe 36 PID 2552 wrote to memory of 1620 2552 Jjneoeeh.exe 36 PID 2552 wrote to memory of 1620 2552 Jjneoeeh.exe 36 PID 2552 wrote to memory of 1620 2552 Jjneoeeh.exe 36 PID 1620 wrote to memory of 2792 1620 Komjmk32.exe 37 PID 1620 wrote to memory of 2792 1620 Komjmk32.exe 37 PID 1620 wrote to memory of 2792 1620 Komjmk32.exe 37 PID 1620 wrote to memory of 2792 1620 Komjmk32.exe 37 PID 2792 wrote to memory of 2024 2792 Kgjlgm32.exe 38 PID 2792 wrote to memory of 2024 2792 Kgjlgm32.exe 38 PID 2792 wrote to memory of 2024 2792 Kgjlgm32.exe 38 PID 2792 wrote to memory of 2024 2792 Kgjlgm32.exe 38 PID 2024 wrote to memory of 1356 2024 Kcamln32.exe 39 PID 2024 wrote to memory of 1356 2024 Kcamln32.exe 39 PID 2024 wrote to memory of 1356 2024 Kcamln32.exe 39 PID 2024 wrote to memory of 1356 2024 Kcamln32.exe 39 PID 1356 wrote to memory of 2880 1356 Lqgjkbop.exe 40 PID 1356 wrote to memory of 2880 1356 Lqgjkbop.exe 40 PID 1356 wrote to memory of 2880 1356 Lqgjkbop.exe 40 PID 1356 wrote to memory of 2880 1356 Lqgjkbop.exe 40 PID 2880 wrote to memory of 552 2880 Lffohikd.exe 41 PID 2880 wrote to memory of 552 2880 Lffohikd.exe 41 PID 2880 wrote to memory of 552 2880 Lffohikd.exe 41 PID 2880 wrote to memory of 552 2880 Lffohikd.exe 41 PID 552 wrote to memory of 2148 552 Lbplciof.exe 42 PID 552 wrote to memory of 2148 552 Lbplciof.exe 42 PID 552 wrote to memory of 2148 552 Lbplciof.exe 42 PID 552 wrote to memory of 2148 552 Lbplciof.exe 42 PID 2148 wrote to memory of 2408 2148 Laeidfdn.exe 43 PID 2148 wrote to memory of 2408 2148 Laeidfdn.exe 43 PID 2148 wrote to memory of 2408 2148 Laeidfdn.exe 43 PID 2148 wrote to memory of 2408 2148 Laeidfdn.exe 43 PID 2408 wrote to memory of 1744 2408 Mcfbfaao.exe 44 PID 2408 wrote to memory of 1744 2408 Mcfbfaao.exe 44 PID 2408 wrote to memory of 1744 2408 Mcfbfaao.exe 44 PID 2408 wrote to memory of 1744 2408 Mcfbfaao.exe 44 PID 1744 wrote to memory of 1776 1744 Mjbghkfi.exe 45 PID 1744 wrote to memory of 1776 1744 Mjbghkfi.exe 45 PID 1744 wrote to memory of 1776 1744 Mjbghkfi.exe 45 PID 1744 wrote to memory of 1776 1744 Mjbghkfi.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\765165a1d462e477523d6f39315a88f0N.exe"C:\Users\Admin\AppData\Local\Temp\765165a1d462e477523d6f39315a88f0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ihlpqonl.exeC:\Windows\system32\Ihlpqonl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Iljifm32.exeC:\Windows\system32\Iljifm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Jofdll32.exeC:\Windows\system32\Jofdll32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Jjneoeeh.exeC:\Windows\system32\Jjneoeeh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Komjmk32.exeC:\Windows\system32\Komjmk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Kgjlgm32.exeC:\Windows\system32\Kgjlgm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Kcamln32.exeC:\Windows\system32\Kcamln32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Lqgjkbop.exeC:\Windows\system32\Lqgjkbop.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Lffohikd.exeC:\Windows\system32\Lffohikd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Lbplciof.exeC:\Windows\system32\Lbplciof.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Mcfbfaao.exeC:\Windows\system32\Mcfbfaao.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Mjbghkfi.exeC:\Windows\system32\Mjbghkfi.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Mdmhfpkg.exeC:\Windows\system32\Mdmhfpkg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Nilndfgl.exeC:\Windows\system32\Nilndfgl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Nhakecld.exeC:\Windows\system32\Nhakecld.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Nmbmii32.exeC:\Windows\system32\Nmbmii32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Ngkaaolf.exeC:\Windows\system32\Ngkaaolf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Ogmngn32.exeC:\Windows\system32\Ogmngn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Odanqb32.exeC:\Windows\system32\Odanqb32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Ogbgbn32.exeC:\Windows\system32\Ogbgbn32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Panehkaj.exeC:\Windows\system32\Panehkaj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Pcmabnhm.exeC:\Windows\system32\Pcmabnhm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Phjjkefd.exeC:\Windows\system32\Phjjkefd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Qckalamk.exeC:\Windows\system32\Qckalamk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Amebjgai.exeC:\Windows\system32\Amebjgai.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Amhopfof.exeC:\Windows\system32\Amhopfof.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Abgdnm32.exeC:\Windows\system32\Abgdnm32.exe33⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Akphfbbl.exeC:\Windows\system32\Akphfbbl.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Aicipgqe.exeC:\Windows\system32\Aicipgqe.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Bnbnnm32.exeC:\Windows\system32\Bnbnnm32.exe36⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Bjiobnbn.exeC:\Windows\system32\Bjiobnbn.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Bpfgke32.exeC:\Windows\system32\Bpfgke32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Bphdpe32.exeC:\Windows\system32\Bphdpe32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Bpkqfdmp.exeC:\Windows\system32\Bpkqfdmp.exe40⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe41⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Caqfiloi.exeC:\Windows\system32\Caqfiloi.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Cjikaa32.exeC:\Windows\system32\Cjikaa32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Ckkhga32.exeC:\Windows\system32\Ckkhga32.exe44⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Chohqebq.exeC:\Windows\system32\Chohqebq.exe45⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Dfdeab32.exeC:\Windows\system32\Dfdeab32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Dajiok32.exeC:\Windows\system32\Dajiok32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Diencmcj.exeC:\Windows\system32\Diencmcj.exe48⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Dbnblb32.exeC:\Windows\system32\Dbnblb32.exe49⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Dihkimag.exeC:\Windows\system32\Dihkimag.exe50⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Dcpoab32.exeC:\Windows\system32\Dcpoab32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Dpdpkfga.exeC:\Windows\system32\Dpdpkfga.exe52⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Deahcneh.exeC:\Windows\system32\Deahcneh.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Eoimlc32.exeC:\Windows\system32\Eoimlc32.exe54⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Ehaaei32.exeC:\Windows\system32\Ehaaei32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Edhbjjhn.exeC:\Windows\system32\Edhbjjhn.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Ekbjgd32.exeC:\Windows\system32\Ekbjgd32.exe57⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Ehfkphnd.exeC:\Windows\system32\Ehfkphnd.exe58⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Ekdglcmh.exeC:\Windows\system32\Ekdglcmh.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe60⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Flkmokoa.exeC:\Windows\system32\Flkmokoa.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Fgbnbcmd.exeC:\Windows\system32\Fgbnbcmd.exe62⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Fqkbkicd.exeC:\Windows\system32\Fqkbkicd.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Fkdckgpc.exeC:\Windows\system32\Fkdckgpc.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Fdmgdl32.exeC:\Windows\system32\Fdmgdl32.exe65⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Fbqhnqen.exeC:\Windows\system32\Fbqhnqen.exe66⤵PID:1756
-
C:\Windows\SysWOW64\Gkimff32.exeC:\Windows\system32\Gkimff32.exe67⤵PID:920
-
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1016 -
C:\Windows\SysWOW64\Gqhadmhc.exeC:\Windows\system32\Gqhadmhc.exe69⤵
- System Location Discovery: System Language Discovery
PID:748 -
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Ggdfff32.exeC:\Windows\system32\Ggdfff32.exe71⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Gckgkg32.exeC:\Windows\system32\Gckgkg32.exe72⤵PID:2920
-
C:\Windows\SysWOW64\Gihpcn32.exeC:\Windows\system32\Gihpcn32.exe73⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe74⤵PID:2760
-
C:\Windows\SysWOW64\Hfnmbbnp.exeC:\Windows\system32\Hfnmbbnp.exe75⤵PID:2736
-
C:\Windows\SysWOW64\Hlkekilg.exeC:\Windows\system32\Hlkekilg.exe76⤵PID:2060
-
C:\Windows\SysWOW64\Hfajhblm.exeC:\Windows\system32\Hfajhblm.exe77⤵
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Hlnbqijd.exeC:\Windows\system32\Hlnbqijd.exe78⤵
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Hajkip32.exeC:\Windows\system32\Hajkip32.exe79⤵PID:1268
-
C:\Windows\SysWOW64\Hjcoaeol.exeC:\Windows\system32\Hjcoaeol.exe80⤵PID:2156
-
C:\Windows\SysWOW64\Iaoddodf.exeC:\Windows\system32\Iaoddodf.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2416 -
C:\Windows\SysWOW64\Ijghmd32.exeC:\Windows\system32\Ijghmd32.exe82⤵
- Modifies registry class
PID:608 -
C:\Windows\SysWOW64\Imhanp32.exeC:\Windows\system32\Imhanp32.exe83⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Ifcbme32.exeC:\Windows\system32\Ifcbme32.exe84⤵
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Immkiodb.exeC:\Windows\system32\Immkiodb.exe85⤵
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Jhfljm32.exeC:\Windows\system32\Jhfljm32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Jblpge32.exeC:\Windows\system32\Jblpge32.exe87⤵PID:2456
-
C:\Windows\SysWOW64\Jkgelh32.exeC:\Windows\system32\Jkgelh32.exe88⤵PID:1948
-
C:\Windows\SysWOW64\Jaamhb32.exeC:\Windows\system32\Jaamhb32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Jnhnmckc.exeC:\Windows\system32\Jnhnmckc.exe90⤵PID:2904
-
C:\Windows\SysWOW64\Jhnbklji.exeC:\Windows\system32\Jhnbklji.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Jaffca32.exeC:\Windows\system32\Jaffca32.exe92⤵PID:1176
-
C:\Windows\SysWOW64\Jhpopk32.exeC:\Windows\system32\Jhpopk32.exe93⤵PID:2992
-
C:\Windows\SysWOW64\Kgelahmn.exeC:\Windows\system32\Kgelahmn.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Knodnb32.exeC:\Windows\system32\Knodnb32.exe95⤵
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Kpmpjm32.exeC:\Windows\system32\Kpmpjm32.exe96⤵PID:1996
-
C:\Windows\SysWOW64\Kcllfi32.exeC:\Windows\system32\Kcllfi32.exe97⤵PID:2392
-
C:\Windows\SysWOW64\Kgjelg32.exeC:\Windows\system32\Kgjelg32.exe98⤵
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe99⤵PID:2288
-
C:\Windows\SysWOW64\Lddoopbi.exeC:\Windows\system32\Lddoopbi.exe100⤵PID:1588
-
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe102⤵PID:1604
-
C:\Windows\SysWOW64\Ldihjo32.exeC:\Windows\system32\Ldihjo32.exe103⤵PID:2928
-
C:\Windows\SysWOW64\Lkemli32.exeC:\Windows\system32\Lkemli32.exe104⤵PID:2816
-
C:\Windows\SysWOW64\Ldnbeokn.exeC:\Windows\system32\Ldnbeokn.exe105⤵PID:840
-
C:\Windows\SysWOW64\Mnffnd32.exeC:\Windows\system32\Mnffnd32.exe106⤵PID:1076
-
C:\Windows\SysWOW64\Mcbofk32.exeC:\Windows\system32\Mcbofk32.exe107⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Mbhlgg32.exeC:\Windows\system32\Mbhlgg32.exe108⤵PID:1928
-
C:\Windows\SysWOW64\Mibdcakk.exeC:\Windows\system32\Mibdcakk.exe109⤵
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Mmpmjpba.exeC:\Windows\system32\Mmpmjpba.exe110⤵PID:1696
-
C:\Windows\SysWOW64\Mfhabe32.exeC:\Windows\system32\Mfhabe32.exe111⤵PID:1832
-
C:\Windows\SysWOW64\Mpqekkob.exeC:\Windows\system32\Mpqekkob.exe112⤵
- System Location Discovery: System Language Discovery
PID:812 -
C:\Windows\SysWOW64\Maabcc32.exeC:\Windows\system32\Maabcc32.exe113⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Nljcflbd.exeC:\Windows\system32\Nljcflbd.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Nebgoa32.exeC:\Windows\system32\Nebgoa32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Njammhei.exeC:\Windows\system32\Njammhei.exe117⤵PID:1680
-
C:\Windows\SysWOW64\Npneeocq.exeC:\Windows\system32\Npneeocq.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Njcibgcf.exeC:\Windows\system32\Njcibgcf.exe119⤵PID:2216
-
C:\Windows\SysWOW64\Oppbjn32.exeC:\Windows\system32\Oppbjn32.exe120⤵PID:1640
-
C:\Windows\SysWOW64\Oiifcdhn.exeC:\Windows\system32\Oiifcdhn.exe121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1544
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-