Analysis
max time kernel: 117s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 14/08/2024, 13:04
Static task: static1
Behavioral task: behavioral1
Sample: 88e1b7fa37644f635e4e29722e3d8c40N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 88e1b7fa37644f635e4e29722e3d8c40N.exe
Resource: win10v2004-20240802-en
General
Target: 88e1b7fa37644f635e4e29722e3d8c40N.exe
Size: 285KB
MD5: 88e1b7fa37644f635e4e29722e3d8c40
SHA1: 10f3d69946e0774188fcd672681a9b802fb1e97b
SHA256: bd95e0d1e6869888d42f2f6ee6dce894bd3d4688ff60ff7b6c9341238acb4388
SHA512: 6c70f01d605951621a859aff826503dd28160e3c03b29899a9c218ac2b052cdf6f5dc55f382c13c22eed48a6e86e4b60b8652f8f9b6c49e79df56a092593eb92
SSDEEP: 3072:ainmupiXHjYMq1neoeSKVcbMloVRr3uMg0kAqSxYiJ2QM4GKch:Hpp1n4SKQIoi7tWa
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so a COM object registered there runs inside explorer.exe at each logon without a Run key or a service. The CLSID below is not a pre-existing one: the sample creates it itself (see "Modifies registry class") and points its InProcServer32 at a DLL it drops into SysWow64, and nearly every dropped copy re-writes the same value.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pgdfbb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bndfclia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lpbnijic.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjhcphkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Alglin32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cipcii32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddjmaebi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogbkakeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Foqgqppk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fbnpfnfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bonepo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cgdippej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mcjmkdpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Acdhen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bdghpggf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eeemol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kdhgkk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgnfgh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjngfjha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eehpoaaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mnmnih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cmnlphjd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pplejj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ondcacad.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Piejbpgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fgbpmh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcnfllcd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgmogcpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gcnleahm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Njadab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ndhpiapi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nifhop32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbcdlm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmbhhl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njfnlahb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njnion32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmbbjjhj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmjidneo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acdhen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kedcmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kimpocda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nimeje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cipcii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Glfqngom.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqomqm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cbhhbojn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dccgpf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abjnei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djbkahcm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kedcmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bimnqk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmhkkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hcnfllcd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbfndggh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Njflci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lcjkbl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfkcdgfi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdqlpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mgkiaihl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pefoci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ggmlffbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eehbgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Obiiacpe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncogge32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2480 | Mkmlbc32.exe
2120 | Mloigc32.exe
2764 | Ncogge32.exe
2692 | Njnion32.exe
1684 | Omqnfiip.exe
2548 | Oodhca32.exe
1496 | Okmena32.exe
2088 | Pgdfbb32.exe
1320 | Penlon32.exe
2860 | Qjnajl32.exe
1288 | Adjoqjfc.exe
1036 | Ahhhgh32.exe
2084 | Amjmpk32.exe
2352 | Bciohe32.exe
3036 | Bbpioa32.exe
1676 | Bimnqk32.exe
1652 | Camlpldf.exe
920 | Cihqdoaa.exe
2036 | Dmhfpmee.exe
2504 | Dfqjible.exe
940 | Dhdcfj32.exe
324 | Eehpoaaf.exe
3016 | Fgbpmh32.exe
1504 | Fdfpfm32.exe
2300 | Gggihhkd.exe
1708 | Gqomqm32.exe
2216 | Gfobndnj.exe
2752 | Gmhkkn32.exe
2648 | Gbhpidak.exe
2796 | Hkpdbj32.exe
2528 | Hcnfllcd.exe
2696 | Hembfo32.exe
2176 | Hnegod32.exe
2232 | Ipipllec.exe
1732 | Ipkmal32.exe
1480 | Iehejc32.exe
768 | Iblfcg32.exe
2948 | Incfhh32.exe
2900 | Jeahpa32.exe
1092 | Jjnqhh32.exe
2124 | Jedeea32.exe
2344 | Jakejb32.exe
836 | Jkcjchco.exe
1860 | Jbnogjqj.exe
2276 | Kglgnhgq.exe
1960 | Kbchbi32.exe
1964 | Kimpocda.exe
696 | Kedaddif.exe
1752 | Kdinea32.exe
1588 | Knabngen.exe
1484 | Kkechk32.exe
2736 | Laahjdib.exe
2620 | Lnhioeof.exe
2560 | Lfcmchla.exe
2580 | Lpiaqqlg.exe
2144 | Lcjkbl32.exe
2712 | Mlbokapi.exe
1072 | Mfkcdgfi.exe
2856 | Mkgllndq.exe
1356 | Mdpqec32.exe
2908 | Minika32.exe
2600 | Mbfndggh.exe
604 | Mnmnih32.exe
3068 | Njconi32.exe
Loads dropped DLL (64 IoCs; two loads are recorded per process)
pid | Process
1656 | 88e1b7fa37644f635e4e29722e3d8c40N.exe
1656 | 88e1b7fa37644f635e4e29722e3d8c40N.exe
2480 | Mkmlbc32.exe
2480 | Mkmlbc32.exe
2120 | Mloigc32.exe
2120 | Mloigc32.exe
2764 | Ncogge32.exe
2764 | Ncogge32.exe
2692 | Njnion32.exe
2692 | Njnion32.exe
1684 | Omqnfiip.exe
1684 | Omqnfiip.exe
2548 | Oodhca32.exe
2548 | Oodhca32.exe
1496 | Okmena32.exe
1496 | Okmena32.exe
2088 | Pgdfbb32.exe
2088 | Pgdfbb32.exe
1320 | Penlon32.exe
1320 | Penlon32.exe
2860 | Qjnajl32.exe
2860 | Qjnajl32.exe
1288 | Adjoqjfc.exe
1288 | Adjoqjfc.exe
1036 | Ahhhgh32.exe
1036 | Ahhhgh32.exe
2084 | Amjmpk32.exe
2084 | Amjmpk32.exe
2352 | Bciohe32.exe
2352 | Bciohe32.exe
3036 | Bbpioa32.exe
3036 | Bbpioa32.exe
1676 | Bimnqk32.exe
1676 | Bimnqk32.exe
1652 | Camlpldf.exe
1652 | Camlpldf.exe
920 | Cihqdoaa.exe
920 | Cihqdoaa.exe
2036 | Dmhfpmee.exe
2036 | Dmhfpmee.exe
2504 | Dfqjible.exe
2504 | Dfqjible.exe
940 | Dhdcfj32.exe
940 | Dhdcfj32.exe
324 | Eehpoaaf.exe
324 | Eehpoaaf.exe
3016 | Fgbpmh32.exe
3016 | Fgbpmh32.exe
1504 | Fdfpfm32.exe
1504 | Fdfpfm32.exe
2300 | Gggihhkd.exe
2300 | Gggihhkd.exe
1708 | Gqomqm32.exe
1708 | Gqomqm32.exe
2216 | Gfobndnj.exe
2216 | Gfobndnj.exe
2752 | Gmhkkn32.exe
2752 | Gmhkkn32.exe
2648 | Gbhpidak.exe
2648 | Gbhpidak.exe
2796 | Hkpdbj32.exe
2796 | Hkpdbj32.exe
2528 | Hcnfllcd.exe
2528 | Hcnfllcd.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Aoeflamd.exe | Afmack32.exe
File created | C:\Windows\SysWOW64\Ogbkakeo.exe | Nnjghe32.exe
File created | C:\Windows\SysWOW64\Ofbhlbja.exe | Nfpkgblc.exe
File opened for modification | C:\Windows\SysWOW64\Bonepo32.exe | Bphhobmd.exe
File created | C:\Windows\SysWOW64\Kbeccb32.dll | Epimjd32.exe
File created | C:\Windows\SysWOW64\Ddjmaebi.exe | Dhcmld32.exe
File created | C:\Windows\SysWOW64\Lpadek32.exe | Kobhkh32.exe
File opened for modification | C:\Windows\SysWOW64\Olijen32.exe | Omcmda32.exe
File created | C:\Windows\SysWOW64\Iidepa32.dll | Dbgmglin.exe
File created | C:\Windows\SysWOW64\Ecjijqbk.dll | Jeahpa32.exe
File created | C:\Windows\SysWOW64\Bdngph32.dll | Nppgfp32.exe
File created | C:\Windows\SysWOW64\Ncdckm32.exe | Ncafemqk.exe
File opened for modification | C:\Windows\SysWOW64\Lcbngf32.exe | Labamcdb.exe
File created | C:\Windows\SysWOW64\Omcmda32.exe | Oelecd32.exe
File created | C:\Windows\SysWOW64\Nifhop32.exe | Ndhpiapi.exe
File opened for modification | C:\Windows\SysWOW64\Njikba32.exe | Ncobeg32.exe
File created | C:\Windows\SysWOW64\Emhilaao.dll | Ncogge32.exe
File created | C:\Windows\SysWOW64\Mebapf32.dll | Pefoci32.exe
File created | C:\Windows\SysWOW64\Lcbngf32.exe | Labamcdb.exe
File created | C:\Windows\SysWOW64\Pdpoeo32.exe | Pjgjmipf.exe
File created | C:\Windows\SysWOW64\Bpdhokpm.dll | Cdhjjddc.exe
File created | C:\Windows\SysWOW64\Njnion32.exe | Ncogge32.exe
File opened for modification | C:\Windows\SysWOW64\Jjcllq32.exe | Jnmlgpeo.exe
File created | C:\Windows\SysWOW64\Dekcng32.exe | Dehfig32.exe
File created | C:\Windows\SysWOW64\Hjpcdg32.dll | Jjcllq32.exe
File opened for modification | C:\Windows\SysWOW64\Kikfbm32.exe | Jiiimmok.exe
File opened for modification | C:\Windows\SysWOW64\Jjnqhh32.exe | Jeahpa32.exe
File created | C:\Windows\SysWOW64\Aioapp32.dll | Fpcgji32.exe
File opened for modification | C:\Windows\SysWOW64\Ljelbeke.exe | Lnnkmdfq.exe
File created | C:\Windows\SysWOW64\Ipclej32.exe | Ifkgldag.exe
File opened for modification | C:\Windows\SysWOW64\Aollklac.exe | Qmhcnd32.exe
File created | C:\Windows\SysWOW64\Lcjkbl32.exe | Lpiaqqlg.exe
File created | C:\Windows\SysWOW64\Nlieqa32.exe | Njflci32.exe
File opened for modification | C:\Windows\SysWOW64\Bnfbilgo.exe | Bndfclia.exe
File created | C:\Windows\SysWOW64\Njfnlahb.exe | Nlbncmih.exe
File created | C:\Windows\SysWOW64\Apnlee32.exe | Agfhmo32.exe
File opened for modification | C:\Windows\SysWOW64\Jpkbfi32.exe | Jeenip32.exe
File opened for modification | C:\Windows\SysWOW64\Kebggncm.exe | Kikfbm32.exe
File created | C:\Windows\SysWOW64\Hkepfb32.exe | Hamlmmej.exe
File created | C:\Windows\SysWOW64\Bifnjgkg.dll | Kobhkh32.exe
File opened for modification | C:\Windows\SysWOW64\Dgdfocge.exe | Dbgmglin.exe
File opened for modification | C:\Windows\SysWOW64\Ebgifo32.exe | Epimjd32.exe
File opened for modification | C:\Windows\SysWOW64\Oodhca32.exe | Omqnfiip.exe
File created | C:\Windows\SysWOW64\Fncckn32.dll | Laahjdib.exe
File created | C:\Windows\SysWOW64\Imjqibip.dll | Afmack32.exe
File created | C:\Windows\SysWOW64\Mnjjknmn.dll | Cgicko32.exe
File created | C:\Windows\SysWOW64\Pbhepfbq.exe | Pphlokep.exe
File created | C:\Windows\SysWOW64\Aolpph32.dll | Piejbpgk.exe
File created | C:\Windows\SysWOW64\Kimpocda.exe | Kbchbi32.exe
File opened for modification | C:\Windows\SysWOW64\Njconi32.exe | Mnmnih32.exe
File created | C:\Windows\SysWOW64\Ahefmala.dll | Gegecopf.exe
File created | C:\Windows\SysWOW64\Mnknch32.dll | Oieencik.exe
File created | C:\Windows\SysWOW64\Nmpjoi32.dll | Hdneohbk.exe
File created | C:\Windows\SysWOW64\Igdhhidc.dll | Papogbef.exe
File opened for modification | C:\Windows\SysWOW64\Cnanbijd.exe | Cdhjjddc.exe
File created | C:\Windows\SysWOW64\Piejbpgk.exe | Pplejj32.exe
File created | C:\Windows\SysWOW64\Bfadkh32.dll | Ddjmaebi.exe
File created | C:\Windows\SysWOW64\Boedge32.dll | Eioemj32.exe
File created | C:\Windows\SysWOW64\Lmfikn32.dll | Ondcacad.exe
File created | C:\Windows\SysWOW64\Mgigbjhh.dll | Dgoejm32.exe
File created | C:\Windows\SysWOW64\Bbpioa32.exe | Bciohe32.exe
File created | C:\Windows\SysWOW64\Pkhagodb.exe | Pekhohfk.exe
File opened for modification | C:\Windows\SysWOW64\Dccgpf32.exe | Djkcgpaa.exe
File created | C:\Windows\SysWOW64\Gclopbjo.exe | Fpkfng32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1320 | 1656 | WerFault.exe | 330
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nimeje32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnaempnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daidojeh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Labamcdb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcdflilm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmiicj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgoojgai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkmlbc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Camlpldf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njconi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eehbgj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llnhikkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlbncmih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgabomfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbnhmdmn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Foeqlo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkepfb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abjnei32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njnion32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfobndnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhcmld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddjmaebi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nifhop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acdhen32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bphhobmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjaled32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onojfd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agfhmo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afmack32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gelonn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhobnqlg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oelecd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfjjbi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kebggncm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpbnijic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbkhikfp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljelbeke.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcjmkdpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhdcfj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgnfgh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lcjkbl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njflci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efkfbp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgmogcpc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggmlffbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eaacch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kakdbngn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lnhioeof.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjfmmnck.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmjidneo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgkiaihl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njialh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njikba32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obiiacpe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmnlphjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncafemqk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmbhhl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bojogp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfhjmpam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Empacnmh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epimjd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blaficqe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdpqec32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hecedmaa.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmnbjpib.dll" | Ahamdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpjel32.dll" | Mfkcdgfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombfel32.dll" | Mnmnih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Foqgqppk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Icjhpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aelkhbii.dll" | Camlpldf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmkhobf.dll" | Abfonl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdheja32.dll" | Dfhjmpam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fgcbeagn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hkepfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blckoifq.dll" | Kmaego32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jakejb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kkechk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peldjhei.dll" | Lfcmchla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmfjm32.dll" | Epckkeek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Chmpicbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hcbapdgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmipdhh.dll" | Mloigc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Finhinmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ghebpjpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bphhobmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcehkj32.dll" | Agfhmo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mhibik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobkifnl.dll" | Alglin32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Gknjecab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knjkngmn.dll" | Afkcqg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | 88e1b7fa37644f635e4e29722e3d8c40N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbfggdo.dll" | 88e1b7fa37644f635e4e29722e3d8c40N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Eghflc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnhgm32.dll" | Igkdfghj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jedeea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapeo32.dll" | Cnaempnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Igkdfghj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kakhaepc.dll" | Bndfclia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bnfbilgo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cgicko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhcbm32.dll" | Pjngfjha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Djkepi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qnkgnj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Anbmoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcfdcbe.dll" | Hbpomb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogijo32.dll" | Lkhbfcii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gfobndnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmipiod.dll" | Qgckgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldeio32.dll" | Iohiafag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijoal32.dll" | Iachom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnnpp32.dll" | Cfipgf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dccgpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnipid32.dll" | Dhcmld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcfhkj32.dll" | Qmhcnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aibonhfb.dll" | Onojfd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nimeje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Eeemol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngeafln.dll" | Pjbqaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaomhmnf.dll" | Jiiimmok.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qjnajl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olglkgad.dll" | Bciohe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ipkmal32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jpkbfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hbpomb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkiock32.dll" | Lljbpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fgcbeagn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjfpp32.dll" | Pjpdlj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ndgiok32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1656 wrote to memory of 2480 1656 88e1b7fa37644f635e4e29722e3d8c40N.exe 29
PID 1656 wrote to memory of 2480 1656 88e1b7fa37644f635e4e29722e3d8c40N.exe 29
PID 1656 wrote to memory of 2480 1656 88e1b7fa37644f635e4e29722e3d8c40N.exe 29
PID 1656 wrote to memory of 2480 1656 88e1b7fa37644f635e4e29722e3d8c40N.exe 29
PID 2480 wrote to memory of 2120 2480 Mkmlbc32.exe 30
PID 2480 wrote to memory of 2120 2480 Mkmlbc32.exe 30
PID 2480 wrote to memory of 2120 2480 Mkmlbc32.exe 30
PID 2480 wrote to memory of 2120 2480 Mkmlbc32.exe 30
PID 2120 wrote to memory of 2764 2120 Mloigc32.exe 31
PID 2120 wrote to memory of 2764 2120 Mloigc32.exe 31
PID 2120 wrote to memory of 2764 2120 Mloigc32.exe 31
PID 2120 wrote to memory of 2764 2120 Mloigc32.exe 31
PID 2764 wrote to memory of 2692 2764 Ncogge32.exe 32
PID 2764 wrote to memory of 2692 2764 Ncogge32.exe 32
PID 2764 wrote to memory of 2692 2764 Ncogge32.exe 32
PID 2764 wrote to memory of 2692 2764 Ncogge32.exe 32
PID 2692 wrote to memory of 1684 2692 Njnion32.exe 33
PID 2692 wrote to memory of 1684 2692 Njnion32.exe 33
PID 2692 wrote to memory of 1684 2692 Njnion32.exe 33
PID 2692 wrote to memory of 1684 2692 Njnion32.exe 33
PID 1684 wrote to memory of 2548 1684 Omqnfiip.exe 34
PID 1684 wrote to memory of 2548 1684 Omqnfiip.exe 34
PID 1684 wrote to memory of 2548 1684 Omqnfiip.exe 34
PID 1684 wrote to memory of 2548 1684 Omqnfiip.exe 34
PID 2548 wrote to memory of 1496 2548 Oodhca32.exe 35
PID 2548 wrote to memory of 1496 2548 Oodhca32.exe 35
PID 2548 wrote to memory of 1496 2548 Oodhca32.exe 35
PID 2548 wrote to memory of 1496 2548 Oodhca32.exe 35
PID 1496 wrote to memory of 2088 1496 Okmena32.exe 36
PID 1496 wrote to memory of 2088 1496 Okmena32.exe 36
PID 1496 wrote to memory of 2088 1496 Okmena32.exe 36
PID 1496 wrote to memory of 2088 1496 Okmena32.exe 36
PID 2088 wrote to memory of 1320 2088 Pgdfbb32.exe 37
PID 2088 wrote to memory of 1320 2088 Pgdfbb32.exe 37
PID 2088 wrote to memory of 1320 2088 Pgdfbb32.exe 37
PID 2088 wrote to memory of 1320 2088 Pgdfbb32.exe 37
PID 1320 wrote to memory of 2860 1320 Penlon32.exe 38
PID 1320 wrote to memory of 2860 1320 Penlon32.exe 38
PID 1320 wrote to memory of 2860 1320 Penlon32.exe 38
PID 1320 wrote to memory of 2860 1320 Penlon32.exe 38
PID 2860 wrote to memory of 1288 2860 Qjnajl32.exe 39
PID 2860 wrote to memory of 1288 2860 Qjnajl32.exe 39
PID 2860 wrote to memory of 1288 2860 Qjnajl32.exe 39
PID 2860 wrote to memory of 1288 2860 Qjnajl32.exe 39
PID 1288 wrote to memory of 1036 1288 Adjoqjfc.exe 40
PID 1288 wrote to memory of 1036 1288 Adjoqjfc.exe 40
PID 1288 wrote to memory of 1036 1288 Adjoqjfc.exe 40
PID 1288 wrote to memory of 1036 1288 Adjoqjfc.exe 40
PID 1036 wrote to memory of 2084 1036 Ahhhgh32.exe 41
PID 1036 wrote to memory of 2084 1036 Ahhhgh32.exe 41
PID 1036 wrote to memory of 2084 1036 Ahhhgh32.exe 41
PID 1036 wrote to memory of 2084 1036 Ahhhgh32.exe 41
PID 2084 wrote to memory of 2352 2084 Amjmpk32.exe 42
PID 2084 wrote to memory of 2352 2084 Amjmpk32.exe 42
PID 2084 wrote to memory of 2352 2084 Amjmpk32.exe 42
PID 2084 wrote to memory of 2352 2084 Amjmpk32.exe 42
PID 2352 wrote to memory of 3036 2352 Bciohe32.exe 43
PID 2352 wrote to memory of 3036 2352 Bciohe32.exe 43
PID 2352 wrote to memory of 3036 2352 Bciohe32.exe 43
PID 2352 wrote to memory of 3036 2352 Bciohe32.exe 43
PID 3036 wrote to memory of 1676 3036 Bbpioa32.exe 44
PID 3036 wrote to memory of 1676 3036 Bbpioa32.exe 44
PID 3036 wrote to memory of 1676 3036 Bbpioa32.exe 44
PID 3036 wrote to memory of 1676 3036 Bbpioa32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\88e1b7fa37644f635e4e29722e3d8c40N.exe"C:\Users\Admin\AppData\Local\Temp\88e1b7fa37644f635e4e29722e3d8c40N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Mkmlbc32.exeC:\Windows\system32\Mkmlbc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Mloigc32.exeC:\Windows\system32\Mloigc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Ncogge32.exeC:\Windows\system32\Ncogge32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Njnion32.exeC:\Windows\system32\Njnion32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Omqnfiip.exeC:\Windows\system32\Omqnfiip.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Oodhca32.exeC:\Windows\system32\Oodhca32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Okmena32.exeC:\Windows\system32\Okmena32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Pgdfbb32.exeC:\Windows\system32\Pgdfbb32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Penlon32.exeC:\Windows\system32\Penlon32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Qjnajl32.exeC:\Windows\system32\Qjnajl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Adjoqjfc.exeC:\Windows\system32\Adjoqjfc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Ahhhgh32.exeC:\Windows\system32\Ahhhgh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Amjmpk32.exeC:\Windows\system32\Amjmpk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Bciohe32.exeC:\Windows\system32\Bciohe32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Bbpioa32.exeC:\Windows\system32\Bbpioa32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Bimnqk32.exeC:\Windows\system32\Bimnqk32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Camlpldf.exeC:\Windows\system32\Camlpldf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Cihqdoaa.exeC:\Windows\system32\Cihqdoaa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Dmhfpmee.exeC:\Windows\system32\Dmhfpmee.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Dfqjible.exeC:\Windows\system32\Dfqjible.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Dhdcfj32.exeC:\Windows\system32\Dhdcfj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:940 -
C:\Windows\SysWOW64\Eehpoaaf.exeC:\Windows\system32\Eehpoaaf.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Fgbpmh32.exeC:\Windows\system32\Fgbpmh32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Fdfpfm32.exeC:\Windows\system32\Fdfpfm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Gggihhkd.exeC:\Windows\system32\Gggihhkd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Gqomqm32.exeC:\Windows\system32\Gqomqm32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Gfobndnj.exeC:\Windows\system32\Gfobndnj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Gmhkkn32.exeC:\Windows\system32\Gmhkkn32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Gbhpidak.exeC:\Windows\system32\Gbhpidak.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Hkpdbj32.exeC:\Windows\system32\Hkpdbj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Hcnfllcd.exeC:\Windows\system32\Hcnfllcd.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Hembfo32.exeC:\Windows\system32\Hembfo32.exe33⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Hnegod32.exeC:\Windows\system32\Hnegod32.exe34⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Ipipllec.exeC:\Windows\system32\Ipipllec.exe35⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ipkmal32.exeC:\Windows\system32\Ipkmal32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Iehejc32.exeC:\Windows\system32\Iehejc32.exe37⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Iblfcg32.exeC:\Windows\system32\Iblfcg32.exe38⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Incfhh32.exeC:\Windows\system32\Incfhh32.exe39⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Jeahpa32.exeC:\Windows\system32\Jeahpa32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Jjnqhh32.exeC:\Windows\system32\Jjnqhh32.exe41⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Jedeea32.exeC:\Windows\system32\Jedeea32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Jakejb32.exeC:\Windows\system32\Jakejb32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Jkcjchco.exeC:\Windows\system32\Jkcjchco.exe44⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Jbnogjqj.exeC:\Windows\system32\Jbnogjqj.exe45⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Kglgnhgq.exeC:\Windows\system32\Kglgnhgq.exe46⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Kbchbi32.exeC:\Windows\system32\Kbchbi32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Kimpocda.exeC:\Windows\system32\Kimpocda.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Kedaddif.exeC:\Windows\system32\Kedaddif.exe49⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Kdinea32.exeC:\Windows\system32\Kdinea32.exe50⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Knabngen.exeC:\Windows\system32\Knabngen.exe51⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Kkechk32.exeC:\Windows\system32\Kkechk32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Laahjdib.exeC:\Windows\system32\Laahjdib.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Lnhioeof.exeC:\Windows\system32\Lnhioeof.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Lfcmchla.exeC:\Windows\system32\Lfcmchla.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Lpiaqqlg.exeC:\Windows\system32\Lpiaqqlg.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Lcjkbl32.exeC:\Windows\system32\Lcjkbl32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Mlbokapi.exeC:\Windows\system32\Mlbokapi.exe58⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Mfkcdgfi.exeC:\Windows\system32\Mfkcdgfi.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Mkgllndq.exeC:\Windows\system32\Mkgllndq.exe60⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Mdpqec32.exeC:\Windows\system32\Mdpqec32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Minika32.exeC:\Windows\system32\Minika32.exe62⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Mbfndggh.exeC:\Windows\system32\Mbfndggh.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Mnmnih32.exeC:\Windows\system32\Mnmnih32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Njconi32.exeC:\Windows\system32\Njconi32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Nppgfp32.exeC:\Windows\system32\Nppgfp32.exe66⤵
- Drops file in System32 directory
PID:668 -
C:\Windows\SysWOW64\Njflci32.exeC:\Windows\system32\Njflci32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Nlieqa32.exeC:\Windows\system32\Nlieqa32.exe68⤵PID:2284
-
C:\Windows\SysWOW64\Nimeje32.exeC:\Windows\system32\Nimeje32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Nedfofig.exeC:\Windows\system32\Nedfofig.exe70⤵PID:2660
-
C:\Windows\SysWOW64\Oeklpeco.exeC:\Windows\system32\Oeklpeco.exe71⤵PID:2904
-
C:\Windows\SysWOW64\Ofoemm32.exeC:\Windows\system32\Ofoemm32.exe72⤵PID:3056
-
C:\Windows\SysWOW64\Pjmnck32.exeC:\Windows\system32\Pjmnck32.exe73⤵PID:2584
-
C:\Windows\SysWOW64\Pefoci32.exeC:\Windows\system32\Pefoci32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Poocmo32.exeC:\Windows\system32\Poocmo32.exe75⤵PID:2628
-
C:\Windows\SysWOW64\Phghedga.exeC:\Windows\system32\Phghedga.exe76⤵PID:908
-
C:\Windows\SysWOW64\Pekhohfk.exeC:\Windows\system32\Pekhohfk.exe77⤵
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Pkhagodb.exeC:\Windows\system32\Pkhagodb.exe78⤵PID:520
-
C:\Windows\SysWOW64\Plgmabke.exeC:\Windows\system32\Plgmabke.exe79⤵PID:2708
-
C:\Windows\SysWOW64\Qadfiiil.exeC:\Windows\system32\Qadfiiil.exe80⤵PID:2108
-
C:\Windows\SysWOW64\Qnkgnj32.exeC:\Windows\system32\Qnkgnj32.exe81⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Qgckgp32.exeC:\Windows\system32\Qgckgp32.exe82⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Agfhmo32.exeC:\Windows\system32\Agfhmo32.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Apnlee32.exeC:\Windows\system32\Apnlee32.exe84⤵PID:1928
-
C:\Windows\SysWOW64\Anbmoi32.exeC:\Windows\system32\Anbmoi32.exe85⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Afmack32.exeC:\Windows\system32\Afmack32.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Aoeflamd.exeC:\Windows\system32\Aoeflamd.exe87⤵PID:2208
-
C:\Windows\SysWOW64\Ajkjij32.exeC:\Windows\system32\Ajkjij32.exe88⤵PID:2684
-
C:\Windows\SysWOW64\Abfonl32.exeC:\Windows\system32\Abfonl32.exe89⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Bojogp32.exeC:\Windows\system32\Bojogp32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Bdghpggf.exeC:\Windows\system32\Bdghpggf.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Bbkhikfp.exeC:\Windows\system32\Bbkhikfp.exe92⤵
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Bjfmmnck.exeC:\Windows\system32\Bjfmmnck.exe93⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Bbmeokdm.exeC:\Windows\system32\Bbmeokdm.exe94⤵PID:2912
-
C:\Windows\SysWOW64\Bndfclia.exeC:\Windows\system32\Bndfclia.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Bnfbilgo.exeC:\Windows\system32\Bnfbilgo.exe96⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Cipcii32.exeC:\Windows\system32\Cipcii32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Cbhhbojn.exeC:\Windows\system32\Cbhhbojn.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2288 -
C:\Windows\SysWOW64\Cmnlphjd.exeC:\Windows\system32\Cmnlphjd.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Cbkdhohk.exeC:\Windows\system32\Cbkdhohk.exe100⤵PID:1712
-
C:\Windows\SysWOW64\Cnaempnp.exeC:\Windows\system32\Cnaempnp.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Cbpncn32.exeC:\Windows\system32\Cbpncn32.exe102⤵PID:2564
-
C:\Windows\SysWOW64\Djkcgpaa.exeC:\Windows\system32\Djkcgpaa.exe103⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Dccgpf32.exeC:\Windows\system32\Dccgpf32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Dnikno32.exeC:\Windows\system32\Dnikno32.exe105⤵PID:1720
-
C:\Windows\SysWOW64\Dcedfe32.exeC:\Windows\system32\Dcedfe32.exe106⤵PID:2292
-
C:\Windows\SysWOW64\Daidojeh.exeC:\Windows\system32\Daidojeh.exe107⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Dhcmld32.exeC:\Windows\system32\Dhcmld32.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Ddjmaebi.exeC:\Windows\system32\Ddjmaebi.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Dfhjmpam.exeC:\Windows\system32\Dfhjmpam.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Dmbbjjhj.exeC:\Windows\system32\Dmbbjjhj.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Efkfbp32.exeC:\Windows\system32\Efkfbp32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Epckkeek.exeC:\Windows\system32\Epckkeek.exe113⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Ebddmq32.exeC:\Windows\system32\Ebddmq32.exe114⤵PID:2784
-
C:\Windows\SysWOW64\Ehaleg32.exeC:\Windows\system32\Ehaleg32.exe115⤵PID:2576
-
C:\Windows\SysWOW64\Eeemol32.exeC:\Windows\system32\Eeemol32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Eloekf32.exeC:\Windows\system32\Eloekf32.exe117⤵PID:2872
-
C:\Windows\SysWOW64\Empacnmh.exeC:\Windows\system32\Empacnmh.exe118⤵
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Eghflc32.exeC:\Windows\system32\Eghflc32.exe119⤵
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Fdlfeh32.exeC:\Windows\system32\Fdlfeh32.exe120⤵PID:1600
-
C:\Windows\SysWOW64\Fpcgji32.exeC:\Windows\system32\Fpcgji32.exe121⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Fgmogcpc.exeC:\Windows\system32\Fgmogcpc.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2272