Analysis
-
max time kernel
60s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07-08-2024 01:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea.exe
-
Size
96KB
-
MD5
ac547c1cc5fe5ef15d2087096cf80899
-
SHA1
b2ece917ce925084615123f81844051d5cd1bc3b
-
SHA256
a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea
-
SHA512
15069351f165e0e358d2d5f4a8f977683c3ccee746e696bde1f70b4376ab252e025c75ca46c75a5e053fd1f4893fbef74fd92f581ebcbd595ff9982d57f854f7
-
SSDEEP
1536:wp4moSyBapiryZQf9SimDaQHrK8hRCRF47bDLr2C63ofYxduV9jojTIvjr:wpwBapYf9SVDay/hRCRF43Axd69jc0v
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obfdgiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcjhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcdihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgaqohql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnakjaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blejgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephhmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bedene32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egfglocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adncoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjfgalcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjqif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdjddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eehqme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofmgmhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcjjakip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pogaeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqffna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfbdje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phbinc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmofbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkchpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bblpae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdolga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biikne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eekdmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkdalb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdooij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oiglfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjikadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmnlog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echoepmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqlbnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oldooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijhkembk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnojjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oefmid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccaipaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcfak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjfdpckc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbmicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfeqli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pddinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggeiooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nglmifca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmijgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiefqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjdnmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkhbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dabkla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkelcenm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmgeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfonlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fleihi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieqbbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnjjcbiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkqdajhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phgfko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adeiobgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdjpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgdafeln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbgakd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gocnjn32.exe -
Executes dropped EXE 64 IoCs
pid Process 1832 Jcnmme32.exe 2188 Jemiiqmh.exe 2760 Jdpidm32.exe 2640 Jlgaek32.exe 2856 Joenaf32.exe 2668 Jacjna32.exe 2224 Jdbfjm32.exe 1708 Jhnbklji.exe 2520 Jogjgf32.exe 2584 Jnjjcbiq.exe 2924 Jpigonhd.exe 1516 Jddbpmpm.exe 340 Jgbolhoa.exe 2040 Kjakhcne.exe 2780 Kahciaog.exe 2120 Kpkcdn32.exe 948 Kcipqi32.exe 1096 Kkqhbf32.exe 1496 Kjchmclb.exe 2420 Knodnb32.exe 1532 Kpmpjm32.exe 3036 Kdilkllh.exe 1788 Kcllfi32.exe 3008 Kfjibdbf.exe 2996 Knaqcabh.exe 2824 Kldaon32.exe 2800 Kobmkj32.exe 2200 Kcnilhap.exe 2292 Kfmehdpc.exe 2068 Khkadoog.exe 2836 Klfndn32.exe 2716 Kpbiempj.exe 988 Koejqi32.exe 1976 Kbcfme32.exe 1068 Kjjnnbfj.exe 2208 Khmnio32.exe 568 Kkljfj32.exe 1508 Kogffida.exe 1344 Kccbgh32.exe 1796 Lfaocc32.exe 2148 Lddoopbi.exe 640 Llkgpmck.exe 2740 Lkngkj32.exe 2872 Lojclibo.exe 1640 Lnmcge32.exe 2948 Ldfldpqf.exe 2392 Lhbhdnio.exe 1868 Lkqdajhc.exe 708 Lolpah32.exe 1684 Lnopmegg.exe 2088 Lbjlnd32.exe 2708 Ldihjo32.exe 2808 Lhddjngm.exe 1780 Lggdfk32.exe 1584 Lkcqfifp.exe 1548 Ljeabf32.exe 1916 Lnambeed.exe 2648 Lbmicc32.exe 2916 Ldkeoo32.exe 1020 Lcneklck.exe 2084 Lgiakjld.exe 932 Lkemli32.exe 3020 Ljhngfkh.exe 2272 Lncjhd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2540 a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea.exe 2540 a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea.exe 1832 Jcnmme32.exe 1832 Jcnmme32.exe 2188 Jemiiqmh.exe 2188 Jemiiqmh.exe 2760 Jdpidm32.exe 2760 Jdpidm32.exe 2640 Jlgaek32.exe 2640 Jlgaek32.exe 2856 Joenaf32.exe 2856 Joenaf32.exe 2668 Jacjna32.exe 2668 Jacjna32.exe 2224 Jdbfjm32.exe 2224 Jdbfjm32.exe 1708 Jhnbklji.exe 1708 Jhnbklji.exe 2520 Jogjgf32.exe 2520 Jogjgf32.exe 2584 Jnjjcbiq.exe 2584 Jnjjcbiq.exe 2924 Jpigonhd.exe 2924 Jpigonhd.exe 1516 Jddbpmpm.exe 1516 Jddbpmpm.exe 340 Jgbolhoa.exe 340 Jgbolhoa.exe 2040 Kjakhcne.exe 2040 Kjakhcne.exe 2780 Kahciaog.exe 2780 Kahciaog.exe 2120 Kpkcdn32.exe 2120 Kpkcdn32.exe 948 Kcipqi32.exe 948 Kcipqi32.exe 1096 Kkqhbf32.exe 1096 Kkqhbf32.exe 1496 Kjchmclb.exe 1496 Kjchmclb.exe 2420 Knodnb32.exe 2420 Knodnb32.exe 1532 Kpmpjm32.exe 1532 Kpmpjm32.exe 3036 Kdilkllh.exe 3036 Kdilkllh.exe 1788 Kcllfi32.exe 1788 Kcllfi32.exe 3008 Kfjibdbf.exe 3008 Kfjibdbf.exe 2996 Knaqcabh.exe 2996 Knaqcabh.exe 2824 Kldaon32.exe 2824 Kldaon32.exe 2800 Kobmkj32.exe 2800 Kobmkj32.exe 2200 Kcnilhap.exe 2200 Kcnilhap.exe 2292 Kfmehdpc.exe 2292 Kfmehdpc.exe 2068 Khkadoog.exe 2068 Khkadoog.exe 2836 Klfndn32.exe 2836 Klfndn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bgcdcjpf.exe Bdehgnqc.exe File created C:\Windows\SysWOW64\Cpgieb32.exe Cllmdcej.exe File opened for modification C:\Windows\SysWOW64\Gielchpp.exe Gdjpcj32.exe File created C:\Windows\SysWOW64\Opennf32.exe Oepianef.exe File opened for modification C:\Windows\SysWOW64\Aniffaim.exe Akjjifji.exe File opened for modification C:\Windows\SysWOW64\Adekhkng.exe Apjpglfn.exe File created C:\Windows\SysWOW64\Aklefm32.exe Agaifnhi.exe File created C:\Windows\SysWOW64\Aqkohg32.dll Jffakm32.exe File created C:\Windows\SysWOW64\Pahjgb32.exe Pknakhig.exe File created C:\Windows\SysWOW64\Hcjbpaea.dll Hmdnme32.exe File created C:\Windows\SysWOW64\Ahlnmjkf.exe Apeflmjc.exe File created C:\Windows\SysWOW64\Dffbcq32.dll Edfqclni.exe File created C:\Windows\SysWOW64\Hcckbeha.dll Fokaoh32.exe File created C:\Windows\SysWOW64\Jajaqnkq.dll Lncjhd32.exe File created C:\Windows\SysWOW64\Einmnkgf.dll Bfphmi32.exe File opened for modification C:\Windows\SysWOW64\Pihbbgjj.exe Pgjfflkf.exe File created C:\Windows\SysWOW64\Hmighemp.exe Hdapggln.exe File opened for modification C:\Windows\SysWOW64\Adnegldo.exe Aapikqel.exe File created C:\Windows\SysWOW64\Nmbenc32.exe Nifjnd32.exe File created C:\Windows\SysWOW64\Cedbmi32.exe Cfaaalep.exe File created C:\Windows\SysWOW64\Hjcnol32.dll Edmnnakm.exe File created C:\Windows\SysWOW64\Fialggcl.exe Fcgdjmlo.exe File created C:\Windows\SysWOW64\Lnmfpnqn.exe Lkoidcaj.exe File created C:\Windows\SysWOW64\Domffn32.exe Dlnjjc32.exe File created C:\Windows\SysWOW64\Dbmlal32.exe Doapanne.exe File opened for modification C:\Windows\SysWOW64\Pnfkheap.exe Pikohg32.exe File created C:\Windows\SysWOW64\Iaieif32.dll Agolpnjl.exe File created C:\Windows\SysWOW64\Bkghjq32.exe Bmegodpi.exe File created C:\Windows\SysWOW64\Dnhgifal.dll Dlqgob32.exe File created C:\Windows\SysWOW64\Efaglp32.dll Odaqikaa.exe File created C:\Windows\SysWOW64\Adekhkng.exe Apjpglfn.exe File created C:\Windows\SysWOW64\Lolpah32.exe Lkqdajhc.exe File created C:\Windows\SysWOW64\Aihboppa.dll Lkcqfifp.exe File opened for modification C:\Windows\SysWOW64\Hdcebagp.exe Hmlmacfn.exe File opened for modification C:\Windows\SysWOW64\Oaeacppk.exe Ofpmegpe.exe File created C:\Windows\SysWOW64\Lmiggh32.dll Bdoeipjh.exe File created C:\Windows\SysWOW64\Akfaof32.exe Ahgdbk32.exe File created C:\Windows\SysWOW64\Ndiaem32.exe Nakeib32.exe File created C:\Windows\SysWOW64\Ooilcc32.dll Lcmopepp.exe File created C:\Windows\SysWOW64\Chekdhkl.dll Njcibgcf.exe File opened for modification C:\Windows\SysWOW64\Cnogmk32.exe Cjdkllec.exe File created C:\Windows\SysWOW64\Iqgaenpf.dll Hhhkbqea.exe File created C:\Windows\SysWOW64\Kfmegi32.dll Mmifiahi.exe File created C:\Windows\SysWOW64\Niijdq32.exe Mcghajkq.exe File opened for modification C:\Windows\SysWOW64\Cpemob32.exe Cabldeik.exe File opened for modification C:\Windows\SysWOW64\Ibpjaagi.exe Imcaijia.exe File opened for modification C:\Windows\SysWOW64\Pogaeg32.exe Phmiimlf.exe File created C:\Windows\SysWOW64\Igdndl32.exe Homfboco.exe File created C:\Windows\SysWOW64\Nhngem32.exe Ncbkenba.exe File opened for modification C:\Windows\SysWOW64\Pppnia32.exe Pamnnemo.exe File created C:\Windows\SysWOW64\Lnemfipf.dll Gnenfjdh.exe File created C:\Windows\SysWOW64\Dlicoiod.dll Qoopie32.exe File created C:\Windows\SysWOW64\Pojdem32.exe Ppgdjqna.exe File created C:\Windows\SysWOW64\Idchbb32.dll Ppiapp32.exe File created C:\Windows\SysWOW64\Fdlqjf32.exe Fqqdigko.exe File created C:\Windows\SysWOW64\Oeanjk32.dll Kapbmo32.exe File created C:\Windows\SysWOW64\Kbjbibli.exe Kmmiaknb.exe File opened for modification C:\Windows\SysWOW64\Bgagnjbi.exe Bdbkaoce.exe File created C:\Windows\SysWOW64\Mkpppmko.exe Mmmpdp32.exe File created C:\Windows\SysWOW64\Pihbbgjj.exe Pgjfflkf.exe File opened for modification C:\Windows\SysWOW64\Cifdmbib.exe Cfghagio.exe File opened for modification C:\Windows\SysWOW64\Lnmfpnqn.exe Lkoidcaj.exe File opened for modification C:\Windows\SysWOW64\Nhngem32.exe Ncbkenba.exe File created C:\Windows\SysWOW64\Bbolge32.exe Bncpffdn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10204 10168 WerFault.exe 1011 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddbpmpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlefjpid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidchjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbgdkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjfbllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djkodg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhbljko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geplpfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naihdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbkid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikhce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peolmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nakeib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cllmdcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofpmegpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Incgfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocodbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kloqiijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbbjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmjbchnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eajhgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbcikn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbdjhnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfppfcmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gknhjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oedqcdim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adncoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baiingae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjgmka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckamihfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebiifka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emfbgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcnmme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhobgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fadagl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkoodd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiehbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcibdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eahkag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjgepqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnakjaoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgokcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelfedpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagnmkjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnibl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnambeed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnbqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcdmikma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldooi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emlhfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbaomf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilkbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olobcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkbkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlmacfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbocak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njaoeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkancm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckijdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdqfnhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohiob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmgmhgh.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghcbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbmkg32.dll" Niijdq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abdpngjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbocak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehfdldj.dll" Jfkbqcam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgkeol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cicggcke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adcobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kahciaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfohfk32.dll" Febjmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgfckbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fleihi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noiqmcii.dll" Ggncop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhofj32.dll" Jlegic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhqpmc32.dll" Nmkpnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akjham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkaccp32.dll" Hjplao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddjono32.dll" Ipcjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kopikdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iamjghnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnojjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoioja.dll" Jdpidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eghdanac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Licpdaeg.dll" Mjbiac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phpjbcci.dll" Cjbpoeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cqcomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgelcoo.dll" Acemeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmljnfll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicgd32.dll" Fkapkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anggfg32.dll" Goodpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pknakhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqgkjc32.dll" Ahancp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nidoamch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdbfjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofjjghik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qakppa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pihbbgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhabgpel.dll" Bjlnaghp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oahdce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccolja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbnbfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqlbnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmmgdk32.dll" Ododdlcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbojchdc.dll" Gjpakdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omincc32.dll" Homfboco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cakfcfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fadagl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcoaebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipcjje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dogbolep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Foqadnpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfieec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfjibdbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahlnl32.dll" Ncbkenba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnjlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abdpngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfbojek.dll" Gofajcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikakd32.dll" Eabgjeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pahjgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afhbljko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cghkepdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnbhmlkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gofajcog.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2540 wrote to memory of 1832 2540 a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea.exe 29 PID 2540 wrote to memory of 1832 2540 a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea.exe 29 PID 2540 wrote to memory of 1832 2540 a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea.exe 29 PID 2540 wrote to memory of 1832 2540 a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea.exe 29 PID 1832 wrote to memory of 2188 1832 Jcnmme32.exe 30 PID 1832 wrote to memory of 2188 1832 Jcnmme32.exe 30 PID 1832 wrote to memory of 2188 1832 Jcnmme32.exe 30 PID 1832 wrote to memory of 2188 1832 Jcnmme32.exe 30 PID 2188 wrote to memory of 2760 2188 Jemiiqmh.exe 31 PID 2188 wrote to memory of 2760 2188 Jemiiqmh.exe 31 PID 2188 wrote to memory of 2760 2188 Jemiiqmh.exe 31 PID 2188 wrote to memory of 2760 2188 Jemiiqmh.exe 31 PID 2760 wrote to memory of 2640 2760 Jdpidm32.exe 32 PID 2760 wrote to memory of 2640 2760 Jdpidm32.exe 32 PID 2760 wrote to memory of 2640 2760 Jdpidm32.exe 32 PID 2760 wrote to memory of 2640 2760 Jdpidm32.exe 32 PID 2640 wrote to memory of 2856 2640 Jlgaek32.exe 33 PID 2640 wrote to memory of 2856 2640 Jlgaek32.exe 33 PID 2640 wrote to memory of 2856 2640 Jlgaek32.exe 33 PID 2640 wrote to memory of 2856 2640 Jlgaek32.exe 33 PID 2856 wrote to memory of 2668 2856 Joenaf32.exe 34 PID 2856 wrote to memory of 2668 2856 Joenaf32.exe 34 PID 2856 wrote to memory of 2668 2856 Joenaf32.exe 34 PID 2856 wrote to memory of 2668 2856 Joenaf32.exe 34 PID 2668 wrote to memory of 2224 2668 Jacjna32.exe 35 PID 2668 wrote to memory of 2224 2668 Jacjna32.exe 35 PID 2668 wrote to memory of 2224 2668 Jacjna32.exe 35 PID 2668 wrote to memory of 2224 2668 Jacjna32.exe 35 PID 2224 wrote to memory of 1708 2224 Jdbfjm32.exe 36 PID 2224 wrote to memory of 1708 2224 Jdbfjm32.exe 36 PID 2224 wrote to memory of 1708 2224 Jdbfjm32.exe 36 PID 2224 wrote to memory of 1708 2224 Jdbfjm32.exe 36 PID 1708 wrote to memory of 2520 1708 Jhnbklji.exe 37 PID 1708 wrote to memory of 2520 1708 Jhnbklji.exe 37 PID 1708 wrote to memory of 2520 1708 Jhnbklji.exe 37 PID 1708 wrote to memory of 2520 1708 Jhnbklji.exe 37 PID 2520 wrote to memory of 2584 2520 Jogjgf32.exe 38 PID 2520 wrote to memory of 2584 2520 Jogjgf32.exe 38 PID 2520 wrote to memory of 2584 2520 Jogjgf32.exe 38 PID 2520 wrote to memory of 2584 2520 Jogjgf32.exe 38 PID 2584 wrote to memory of 2924 2584 Jnjjcbiq.exe 39 PID 2584 wrote to memory of 2924 2584 Jnjjcbiq.exe 39 PID 2584 wrote to memory of 2924 2584 Jnjjcbiq.exe 39 PID 2584 wrote to memory of 2924 2584 Jnjjcbiq.exe 39 PID 2924 wrote to memory of 1516 2924 Jpigonhd.exe 40 PID 2924 wrote to memory of 1516 2924 Jpigonhd.exe 40 PID 2924 wrote to memory of 1516 2924 Jpigonhd.exe 40 PID 2924 wrote to memory of 1516 2924 Jpigonhd.exe 40 PID 1516 wrote to memory of 340 1516 Jddbpmpm.exe 41 PID 1516 wrote to memory of 340 1516 Jddbpmpm.exe 41 PID 1516 wrote to memory of 340 1516 Jddbpmpm.exe 41 PID 1516 wrote to memory of 340 1516 Jddbpmpm.exe 41 PID 340 wrote to memory of 2040 340 Jgbolhoa.exe 42 PID 340 wrote to memory of 2040 340 Jgbolhoa.exe 42 PID 340 wrote to memory of 2040 340 Jgbolhoa.exe 42 PID 340 wrote to memory of 2040 340 Jgbolhoa.exe 42 PID 2040 wrote to memory of 2780 2040 Kjakhcne.exe 43 PID 2040 wrote to memory of 2780 2040 Kjakhcne.exe 43 PID 2040 wrote to memory of 2780 2040 Kjakhcne.exe 43 PID 2040 wrote to memory of 2780 2040 Kjakhcne.exe 43 PID 2780 wrote to memory of 2120 2780 Kahciaog.exe 44 PID 2780 wrote to memory of 2120 2780 Kahciaog.exe 44 PID 2780 wrote to memory of 2120 2780 Kahciaog.exe 44 PID 2780 wrote to memory of 2120 2780 Kahciaog.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea.exe"C:\Users\Admin\AppData\Local\Temp\a6cbadb3ad60ee331feff8c0138da2f6cf016d07547d6c2b366dfef02cef14ea.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Jemiiqmh.exeC:\Windows\system32\Jemiiqmh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Jdpidm32.exeC:\Windows\system32\Jdpidm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Jlgaek32.exeC:\Windows\system32\Jlgaek32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Joenaf32.exeC:\Windows\system32\Joenaf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Jacjna32.exeC:\Windows\system32\Jacjna32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Jdbfjm32.exeC:\Windows\system32\Jdbfjm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Jhnbklji.exeC:\Windows\system32\Jhnbklji.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Jogjgf32.exeC:\Windows\system32\Jogjgf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Jpigonhd.exeC:\Windows\system32\Jpigonhd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Jddbpmpm.exeC:\Windows\system32\Jddbpmpm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Jgbolhoa.exeC:\Windows\system32\Jgbolhoa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:340 -
C:\Windows\SysWOW64\Kjakhcne.exeC:\Windows\system32\Kjakhcne.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Kahciaog.exeC:\Windows\system32\Kahciaog.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Kpkcdn32.exeC:\Windows\system32\Kpkcdn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Kcipqi32.exeC:\Windows\system32\Kcipqi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Kkqhbf32.exeC:\Windows\system32\Kkqhbf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Kjchmclb.exeC:\Windows\system32\Kjchmclb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Knodnb32.exeC:\Windows\system32\Knodnb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Kpmpjm32.exeC:\Windows\system32\Kpmpjm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Kdilkllh.exeC:\Windows\system32\Kdilkllh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Kcllfi32.exeC:\Windows\system32\Kcllfi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Kfjibdbf.exeC:\Windows\system32\Kfjibdbf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Knaqcabh.exeC:\Windows\system32\Knaqcabh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Kldaon32.exeC:\Windows\system32\Kldaon32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Kobmkj32.exeC:\Windows\system32\Kobmkj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Kcnilhap.exeC:\Windows\system32\Kcnilhap.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Kfmehdpc.exeC:\Windows\system32\Kfmehdpc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Khkadoog.exeC:\Windows\system32\Khkadoog.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Klfndn32.exeC:\Windows\system32\Klfndn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Kpbiempj.exeC:\Windows\system32\Kpbiempj.exe33⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Koejqi32.exeC:\Windows\system32\Koejqi32.exe34⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Kbcfme32.exeC:\Windows\system32\Kbcfme32.exe35⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe36⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Khmnio32.exeC:\Windows\system32\Khmnio32.exe37⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Kkljfj32.exeC:\Windows\system32\Kkljfj32.exe38⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Kogffida.exeC:\Windows\system32\Kogffida.exe39⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Kccbgh32.exeC:\Windows\system32\Kccbgh32.exe40⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Lfaocc32.exeC:\Windows\system32\Lfaocc32.exe41⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Lddoopbi.exeC:\Windows\system32\Lddoopbi.exe42⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Llkgpmck.exeC:\Windows\system32\Llkgpmck.exe43⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Lkngkj32.exeC:\Windows\system32\Lkngkj32.exe44⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Lojclibo.exeC:\Windows\system32\Lojclibo.exe45⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Lnmcge32.exeC:\Windows\system32\Lnmcge32.exe46⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Ldfldpqf.exeC:\Windows\system32\Ldfldpqf.exe47⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe48⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Lkqdajhc.exeC:\Windows\system32\Lkqdajhc.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Lolpah32.exeC:\Windows\system32\Lolpah32.exe50⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe51⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Lbjlnd32.exeC:\Windows\system32\Lbjlnd32.exe52⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Ldihjo32.exeC:\Windows\system32\Ldihjo32.exe53⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Lhddjngm.exeC:\Windows\system32\Lhddjngm.exe54⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Lggdfk32.exeC:\Windows\system32\Lggdfk32.exe55⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Lkcqfifp.exeC:\Windows\system32\Lkcqfifp.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Ljeabf32.exeC:\Windows\system32\Ljeabf32.exe57⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Lnambeed.exeC:\Windows\system32\Lnambeed.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Lbmicc32.exeC:\Windows\system32\Lbmicc32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Ldkeoo32.exeC:\Windows\system32\Ldkeoo32.exe60⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Lcneklck.exeC:\Windows\system32\Lcneklck.exe61⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Lgiakjld.exeC:\Windows\system32\Lgiakjld.exe62⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Lkemli32.exeC:\Windows\system32\Lkemli32.exe63⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Ljhngfkh.exeC:\Windows\system32\Ljhngfkh.exe64⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Lncjhd32.exeC:\Windows\system32\Lncjhd32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Lmfjcajl.exeC:\Windows\system32\Lmfjcajl.exe66⤵PID:1940
-
C:\Windows\SysWOW64\Ldnbeokn.exeC:\Windows\system32\Ldnbeokn.exe67⤵PID:2844
-
C:\Windows\SysWOW64\Lcpbpk32.exeC:\Windows\system32\Lcpbpk32.exe68⤵PID:2080
-
C:\Windows\SysWOW64\Lfonlg32.exeC:\Windows\system32\Lfonlg32.exe69⤵PID:2788
-
C:\Windows\SysWOW64\Lfonlg32.exeC:\Windows\system32\Lfonlg32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Mnffnd32.exeC:\Windows\system32\Mnffnd32.exe71⤵PID:2096
-
C:\Windows\SysWOW64\Mmifiahi.exeC:\Windows\system32\Mmifiahi.exe72⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Mogcelgm.exeC:\Windows\system32\Mogcelgm.exe73⤵PID:540
-
C:\Windows\SysWOW64\Mgnkfjho.exeC:\Windows\system32\Mgnkfjho.exe74⤵PID:1740
-
C:\Windows\SysWOW64\Mjmgbe32.exeC:\Windows\system32\Mjmgbe32.exe75⤵PID:1992
-
C:\Windows\SysWOW64\Mipgnbnn.exeC:\Windows\system32\Mipgnbnn.exe76⤵PID:3116
-
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe77⤵PID:3172
-
C:\Windows\SysWOW64\Mqfooonp.exeC:\Windows\system32\Mqfooonp.exe78⤵PID:3240
-
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe79⤵PID:3308
-
C:\Windows\SysWOW64\Mfchgflg.exeC:\Windows\system32\Mfchgflg.exe80⤵PID:3360
-
C:\Windows\SysWOW64\Mjodhe32.exeC:\Windows\system32\Mjodhe32.exe81⤵PID:3424
-
C:\Windows\SysWOW64\Mmmpdp32.exeC:\Windows\system32\Mmmpdp32.exe82⤵
- Drops file in System32 directory
PID:3480 -
C:\Windows\SysWOW64\Mkpppmko.exeC:\Windows\system32\Mkpppmko.exe83⤵PID:3528
-
C:\Windows\SysWOW64\Mcghajkq.exeC:\Windows\system32\Mcghajkq.exe84⤵
- Drops file in System32 directory
PID:3600 -
C:\Windows\SysWOW64\Niijdq32.exeC:\Windows\system32\Niijdq32.exe85⤵
- Modifies registry class
PID:3652 -
C:\Windows\SysWOW64\Nhljpmlm.exeC:\Windows\system32\Nhljpmlm.exe86⤵PID:3708
-
C:\Windows\SysWOW64\Nbaomf32.exeC:\Windows\system32\Nbaomf32.exe87⤵
- System Location Discovery: System Language Discovery
PID:3752 -
C:\Windows\SysWOW64\Nadoiccn.exeC:\Windows\system32\Nadoiccn.exe88⤵PID:3816
-
C:\Windows\SysWOW64\Ncbkenba.exeC:\Windows\system32\Ncbkenba.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:3856 -
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe90⤵PID:3920
-
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe91⤵
- System Location Discovery: System Language Discovery
PID:3960 -
C:\Windows\SysWOW64\Nmkpnd32.exeC:\Windows\system32\Nmkpnd32.exe92⤵
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Nafknbqk.exeC:\Windows\system32\Nafknbqk.exe93⤵PID:4068
-
C:\Windows\SysWOW64\Nebgoa32.exeC:\Windows\system32\Nebgoa32.exe94⤵PID:1488
-
C:\Windows\SysWOW64\Nhpdkm32.exeC:\Windows\system32\Nhpdkm32.exe95⤵PID:3148
-
C:\Windows\SysWOW64\Njopgh32.exeC:\Windows\system32\Njopgh32.exe96⤵PID:3224
-
C:\Windows\SysWOW64\Nnjlhg32.exeC:\Windows\system32\Nnjlhg32.exe97⤵
- Modifies registry class
PID:3272 -
C:\Windows\SysWOW64\Naihdb32.exeC:\Windows\system32\Naihdb32.exe98⤵
- System Location Discovery: System Language Discovery
PID:3344 -
C:\Windows\SysWOW64\Nplhooec.exeC:\Windows\system32\Nplhooec.exe99⤵PID:3396
-
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe100⤵PID:3456
-
C:\Windows\SysWOW64\Nfeqli32.exeC:\Windows\system32\Nfeqli32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3508 -
C:\Windows\SysWOW64\Nfeqli32.exeC:\Windows\system32\Nfeqli32.exe102⤵PID:1004
-
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe103⤵PID:3588
-
C:\Windows\SysWOW64\Nmpiicdm.exeC:\Windows\system32\Nmpiicdm.exe104⤵PID:2504
-
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe106⤵PID:2576
-
C:\Windows\SysWOW64\Nblaajbd.exeC:\Windows\system32\Nblaajbd.exe107⤵PID:1332
-
C:\Windows\SysWOW64\Njcibgcf.exeC:\Windows\system32\Njcibgcf.exe108⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Nifjnd32.exeC:\Windows\system32\Nifjnd32.exe109⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Nmbenc32.exeC:\Windows\system32\Nmbenc32.exe110⤵PID:2588
-
C:\Windows\SysWOW64\Nlefjpid.exeC:\Windows\system32\Nlefjpid.exe111⤵
- System Location Discovery: System Language Discovery
PID:3636 -
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe112⤵PID:272
-
C:\Windows\SysWOW64\Ofjjghik.exeC:\Windows\system32\Ofjjghik.exe113⤵
- Modifies registry class
PID:3732 -
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe114⤵PID:2432
-
C:\Windows\SysWOW64\Omdbdb32.exeC:\Windows\system32\Omdbdb32.exe115⤵PID:3784
-
C:\Windows\SysWOW64\Olgboogb.exeC:\Windows\system32\Olgboogb.exe116⤵PID:3832
-
C:\Windows\SysWOW64\Opbopn32.exeC:\Windows\system32\Opbopn32.exe117⤵PID:2592
-
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe118⤵PID:3912
-
C:\Windows\SysWOW64\Ofmgmhgh.exeC:\Windows\system32\Ofmgmhgh.exe119⤵
- System Location Discovery: System Language Discovery
PID:3612 -
C:\Windows\SysWOW64\Ofmgmhgh.exeC:\Windows\system32\Ofmgmhgh.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:236 -
C:\Windows\SysWOW64\Oikcicfl.exeC:\Windows\system32\Oikcicfl.exe121⤵PID:3984
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-