Analysis
-
max time kernel
38s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
16/08/2024, 23:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f9c821cc8ad9a5b1fc88f15d856dec00N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f9c821cc8ad9a5b1fc88f15d856dec00N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f9c821cc8ad9a5b1fc88f15d856dec00N.exe
-
Size
128KB
-
MD5
f9c821cc8ad9a5b1fc88f15d856dec00
-
SHA1
dfc96b0d064ab4578d6ef9a24f01b5e7fadf1eb1
-
SHA256
4ebd166d640acb01f808c760fa2848bb7ca45882614eeb3ca913cb9e12af96a9
-
SHA512
b8aefd7d21c053cfa4e576da78d4f293fdb285706e3a0aa13436b6caef733c347a0d73645c4757b7e55b90e4c280b8bc5e73bebc585e8bdeffd88718ded7571d
-
SSDEEP
3072:hAwcalugtUJHltTd075/yfJbwf1nFzwSAJB8g:hVcalugew7xya1n6xJmg
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cppjadhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbnblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Claake32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkbnhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dilddl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbdbml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlocka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olopjddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjiobnbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibmkbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomlfpdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paekijkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcmabnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qckalamk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijgnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbljgpja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iebmpcjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lenioenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Migdig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bemfjgdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjilde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbemi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnncii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlghpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdlpkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" f9c821cc8ad9a5b1fc88f15d856dec00N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loocanbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijfihip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobjmq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjppmlhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Codgbqmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coiqmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmkbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kngaig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgoaap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdcgeejf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mchokq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaqeogll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnllnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqoaefke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgiibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ablmilgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igcjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onlooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcmnaaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmcgik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcblgbfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjihci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogmngn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbpnlcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akphfbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jofdll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbilhkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oobiclmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjeihl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdapjglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hffjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jidbifmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mganfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oobiclmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemfjgdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agfikc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2880 Hdhnal32.exe 2932 Hffjng32.exe 2960 Hlcbfnjk.exe 2912 Ibmkbh32.exe 2808 Iigcobid.exe 2768 Iockhigl.exe 2764 Iiipeb32.exe 2308 Ikjlmjmp.exe 1212 Ibadnhmb.exe 3020 Ioheci32.exe 448 Iebmpcjc.exe 1224 Igcjgk32.exe 2372 Innbde32.exe 1980 Igffmkno.exe 2556 Jidbifmb.exe 2096 Jakjjcnd.exe 1612 Jkdoci32.exe 716 Jnbkodci.exe 2884 Jpqgkpcl.exe 1808 Jjilde32.exe 2020 Jlghpa32.exe 2504 Jofdll32.exe 1724 Jgmlmj32.exe 2168 Jfpmifoa.exe 2592 Jljeeqfn.exe 2824 Johaalea.exe 2876 Jafmngde.exe 2856 Jhqeka32.exe 2736 Jcfjhj32.exe 872 Kkaolm32.exe 2424 Knpkhhhg.exe 2060 Kheofahm.exe 1340 Kkckblgq.exe 3012 Kqqdjceh.exe 2684 Kdlpkb32.exe 1564 Kjihci32.exe 2340 Kqcqpc32.exe 1620 Kkhdml32.exe 696 Kngaig32.exe 1500 Kqemeb32.exe 2408 Kfbemi32.exe 2244 Kjnanhhc.exe 1880 Lqgjkbop.exe 1536 Lcffgnnc.exe 1644 Liboodmk.exe 1592 Lqjfpbmm.exe 264 Lffohikd.exe 1688 Lmqgec32.exe 2132 Loocanbe.exe 2732 Lighjd32.exe 2832 Lpapgnpb.exe 2988 Lenioenj.exe 2492 Lijepc32.exe 564 Lkhalo32.exe 1868 Lnfmhj32.exe 2908 Laeidfdn.exe 1100 Milaecdp.exe 1956 Mgoaap32.exe 2248 Mjmnmk32.exe 2588 Mnijnjbh.exe 1812 Magfjebk.exe 1864 Mganfp32.exe 1068 Mnkfcjqe.exe 1712 Majcoepi.exe -
Loads dropped DLL 64 IoCs
pid Process 2776 f9c821cc8ad9a5b1fc88f15d856dec00N.exe 2776 f9c821cc8ad9a5b1fc88f15d856dec00N.exe 2880 Hdhnal32.exe 2880 Hdhnal32.exe 2932 Hffjng32.exe 2932 Hffjng32.exe 2960 Hlcbfnjk.exe 2960 Hlcbfnjk.exe 2912 Ibmkbh32.exe 2912 Ibmkbh32.exe 2808 Iigcobid.exe 2808 Iigcobid.exe 2768 Iockhigl.exe 2768 Iockhigl.exe 2764 Iiipeb32.exe 2764 Iiipeb32.exe 2308 Ikjlmjmp.exe 2308 Ikjlmjmp.exe 1212 Ibadnhmb.exe 1212 Ibadnhmb.exe 3020 Ioheci32.exe 3020 Ioheci32.exe 448 Iebmpcjc.exe 448 Iebmpcjc.exe 1224 Igcjgk32.exe 1224 Igcjgk32.exe 2372 Innbde32.exe 2372 Innbde32.exe 1980 Igffmkno.exe 1980 Igffmkno.exe 2556 Jidbifmb.exe 2556 Jidbifmb.exe 2096 Jakjjcnd.exe 2096 Jakjjcnd.exe 1612 Jkdoci32.exe 1612 Jkdoci32.exe 716 Jnbkodci.exe 716 Jnbkodci.exe 2884 Jpqgkpcl.exe 2884 Jpqgkpcl.exe 1808 Jjilde32.exe 1808 Jjilde32.exe 2020 Jlghpa32.exe 2020 Jlghpa32.exe 2504 Jofdll32.exe 2504 Jofdll32.exe 1724 Jgmlmj32.exe 1724 Jgmlmj32.exe 2168 Jfpmifoa.exe 2168 Jfpmifoa.exe 2592 Jljeeqfn.exe 2592 Jljeeqfn.exe 2824 Johaalea.exe 2824 Johaalea.exe 2876 Jafmngde.exe 2876 Jafmngde.exe 2856 Jhqeka32.exe 2856 Jhqeka32.exe 2736 Jcfjhj32.exe 2736 Jcfjhj32.exe 872 Kkaolm32.exe 872 Kkaolm32.exe 2424 Knpkhhhg.exe 2424 Knpkhhhg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nlocka32.exe Niqgof32.exe File created C:\Windows\SysWOW64\Oobiclmh.exe Ngkaaolf.exe File created C:\Windows\SysWOW64\Eodpobjn.dll Cldnqe32.exe File opened for modification C:\Windows\SysWOW64\Eceimadb.exe Dilddl32.exe File created C:\Windows\SysWOW64\Mdmlljbm.dll Jpqgkpcl.exe File created C:\Windows\SysWOW64\Mnncii32.exe Mffkgl32.exe File opened for modification C:\Windows\SysWOW64\Nlmffa32.exe Ninjjf32.exe File created C:\Windows\SysWOW64\Acbglq32.exe Amhopfof.exe File created C:\Windows\SysWOW64\Mchokq32.exe Meeopdhb.exe File created C:\Windows\SysWOW64\Qlckjo32.dll Nlocka32.exe File created C:\Windows\SysWOW64\Bjaoaabb.dll Pofomolo.exe File created C:\Windows\SysWOW64\Biolckgf.exe Bjlkhn32.exe File opened for modification C:\Windows\SysWOW64\Bbgplq32.exe Baecehhh.exe File created C:\Windows\SysWOW64\Ogbidjgd.dll Chhbpfhi.exe File created C:\Windows\SysWOW64\Kkckblgq.exe Kheofahm.exe File created C:\Windows\SysWOW64\Kkhdml32.exe Kqcqpc32.exe File opened for modification C:\Windows\SysWOW64\Mnijnjbh.exe Mjmnmk32.exe File created C:\Windows\SysWOW64\Ofdqhh32.dll Pjppmlhm.exe File created C:\Windows\SysWOW64\Ddgoncih.dll Qqldpfmh.exe File opened for modification C:\Windows\SysWOW64\Mjmnmk32.exe Mgoaap32.exe File created C:\Windows\SysWOW64\Mffkgl32.exe Mchokq32.exe File created C:\Windows\SysWOW64\Injchoib.dll Kheofahm.exe File opened for modification C:\Windows\SysWOW64\Nlapaapg.exe Neghdg32.exe File opened for modification C:\Windows\SysWOW64\Ocfkaone.exe Ophoecoa.exe File opened for modification C:\Windows\SysWOW64\Lqgjkbop.exe Kjnanhhc.exe File created C:\Windows\SysWOW64\Qckalamk.exe Qqldpfmh.exe File created C:\Windows\SysWOW64\Biahijec.exe Bjnhnn32.exe File created C:\Windows\SysWOW64\Nmbmii32.exe Noplmlok.exe File created C:\Windows\SysWOW64\Pcmabnhm.exe Pkfiaqgk.exe File created C:\Windows\SysWOW64\Acpjga32.exe Aijfihip.exe File created C:\Windows\SysWOW64\Kbqgpc32.dll Dfdeab32.exe File created C:\Windows\SysWOW64\Hdhnal32.exe f9c821cc8ad9a5b1fc88f15d856dec00N.exe File opened for modification C:\Windows\SysWOW64\Jafmngde.exe Johaalea.exe File created C:\Windows\SysWOW64\Gfmogk32.dll Johaalea.exe File created C:\Windows\SysWOW64\Pmhikf32.dll Lkhalo32.exe File created C:\Windows\SysWOW64\Nlapaapg.exe Neghdg32.exe File opened for modification C:\Windows\SysWOW64\Opebpdad.exe Oiljcj32.exe File created C:\Windows\SysWOW64\Dcblgbfe.exe Dpdpkfga.exe File created C:\Windows\SysWOW64\Kgfbfl32.dll Ndmeecmb.exe File created C:\Windows\SysWOW64\Ocdnloph.exe Opebpdad.exe File created C:\Windows\SysWOW64\Nggbjggc.dll Ocdnloph.exe File opened for modification C:\Windows\SysWOW64\Chkoef32.exe Celbik32.exe File created C:\Windows\SysWOW64\Lffohikd.exe Lqjfpbmm.exe File created C:\Windows\SysWOW64\Lighjd32.exe Loocanbe.exe File opened for modification C:\Windows\SysWOW64\Aioodg32.exe Afpchl32.exe File opened for modification C:\Windows\SysWOW64\Hlcbfnjk.exe Hffjng32.exe File opened for modification C:\Windows\SysWOW64\Mnkfcjqe.exe Mganfp32.exe File opened for modification C:\Windows\SysWOW64\Mmemoe32.exe Mjgqcj32.exe File created C:\Windows\SysWOW64\Ogbgbn32.exe Ocfkaone.exe File created C:\Windows\SysWOW64\Knpkhhhg.exe Kkaolm32.exe File created C:\Windows\SysWOW64\Agpmcpfm.dll Nbilhkig.exe File opened for modification C:\Windows\SysWOW64\Omjbihpn.exe Okkfmmqj.exe File created C:\Windows\SysWOW64\Dmomnlne.exe Dkpabqoa.exe File created C:\Windows\SysWOW64\Jnbkodci.exe Jkdoci32.exe File opened for modification C:\Windows\SysWOW64\Mjgqcj32.exe Mbpibm32.exe File created C:\Windows\SysWOW64\Neghdg32.exe Nbilhkig.exe File opened for modification C:\Windows\SysWOW64\Akphfbbl.exe Aialjgbh.exe File created C:\Windows\SysWOW64\Lnofaf32.dll Ablmilgf.exe File opened for modification C:\Windows\SysWOW64\Bjlkhn32.exe Bcackdio.exe File created C:\Windows\SysWOW64\Qjeihl32.exe Qfimhmlo.exe File created C:\Windows\SysWOW64\Cbljgpja.exe Claake32.exe File created C:\Windows\SysWOW64\Nkifkh32.dll Igcjgk32.exe File created C:\Windows\SysWOW64\Jjilde32.exe Jpqgkpcl.exe File created C:\Windows\SysWOW64\Lijepc32.exe Lenioenj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3756 3716 WerFault.exe 253 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbegl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Penjdien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhopfof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aioodg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ablmilgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmajdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjilde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiljcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkfmmqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbpnlcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bghfacem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjbihpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmnaaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjihci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjmnmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjgqcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dalfdjdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnfmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkoef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nebnigmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhmeehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppjadhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpkmehol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnijnjbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqeogll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panehkaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakjjcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnllnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioheci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnhnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpkqfdmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mganfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opebpdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjeihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngkaaolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiomabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chhbpfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfljmmjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abgdnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiipeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqjfpbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laeidfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naionh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pngbcldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgoaap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchokq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmffa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmabnhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemfjgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oipcnieb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olalpdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfjhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngaig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnncii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkffc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljeeqfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noifmmec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbilhkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eceimadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafmngde.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbodi32.dll" Naionh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oophlpag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmhkojab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lffohikd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmfgnde.dll" Nlmffa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chhbpfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmjdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpiogfm.dll" Dijgnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibmkbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapchl32.dll" Jljeeqfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defadnfb.dll" Lmqgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfdeplh.dll" Onlooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcemgk32.dll" Afbpnlcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biahijec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dglkba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jidbifmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcfjhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdqhh32.dll" Pjppmlhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeahj32.dll" Qckalamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhggc32.dll" Nmbmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nejdjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qfljmmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioheci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opcejd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbgplq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chkoef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jljeeqfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qckalamk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olopjddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oomlfpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgqlf32.dll" Aialjgbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chohqebq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbkffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpdpkfga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhjon32.dll" Mnijnjbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nebnigmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Penjdien.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjppmlhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olalpdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pelnniga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcimj32.dll" Penjdien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkmobp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hffjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmqgec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nilndfgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmomnlne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmefoa32.dll" Ophoecoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoimalh.dll" Abbjbnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkpabqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hffjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjilde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peiaij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biahijec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igcjgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiljcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmqgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkifkh32.dll" Igcjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkckblgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocdnloph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afpchl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpmge32.dll" Bmhkojab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmjoacao.dll" Nphbfplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neghdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cligkdlm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2776 wrote to memory of 2880 2776 f9c821cc8ad9a5b1fc88f15d856dec00N.exe 30 PID 2776 wrote to memory of 2880 2776 f9c821cc8ad9a5b1fc88f15d856dec00N.exe 30 PID 2776 wrote to memory of 2880 2776 f9c821cc8ad9a5b1fc88f15d856dec00N.exe 30 PID 2776 wrote to memory of 2880 2776 f9c821cc8ad9a5b1fc88f15d856dec00N.exe 30 PID 2880 wrote to memory of 2932 2880 Hdhnal32.exe 31 PID 2880 wrote to memory of 2932 2880 Hdhnal32.exe 31 PID 2880 wrote to memory of 2932 2880 Hdhnal32.exe 31 PID 2880 wrote to memory of 2932 2880 Hdhnal32.exe 31 PID 2932 wrote to memory of 2960 2932 Hffjng32.exe 32 PID 2932 wrote to memory of 2960 2932 Hffjng32.exe 32 PID 2932 wrote to memory of 2960 2932 Hffjng32.exe 32 PID 2932 wrote to memory of 2960 2932 Hffjng32.exe 32 PID 2960 wrote to memory of 2912 2960 Hlcbfnjk.exe 33 PID 2960 wrote to memory of 2912 2960 Hlcbfnjk.exe 33 PID 2960 wrote to memory of 2912 2960 Hlcbfnjk.exe 33 PID 2960 wrote to memory of 2912 2960 Hlcbfnjk.exe 33 PID 2912 wrote to memory of 2808 2912 Ibmkbh32.exe 34 PID 2912 wrote to memory of 2808 2912 Ibmkbh32.exe 34 PID 2912 wrote to memory of 2808 2912 Ibmkbh32.exe 34 PID 2912 wrote to memory of 2808 2912 Ibmkbh32.exe 34 PID 2808 wrote to memory of 2768 2808 Iigcobid.exe 35 PID 2808 wrote to memory of 2768 2808 Iigcobid.exe 35 PID 2808 wrote to memory of 2768 2808 Iigcobid.exe 35 PID 2808 wrote to memory of 2768 2808 Iigcobid.exe 35 PID 2768 wrote to memory of 2764 2768 Iockhigl.exe 36 PID 2768 wrote to memory of 2764 2768 Iockhigl.exe 36 PID 2768 wrote to memory of 2764 2768 Iockhigl.exe 36 PID 2768 wrote to memory of 2764 2768 Iockhigl.exe 36 PID 2764 wrote to memory of 2308 2764 Iiipeb32.exe 37 PID 2764 wrote to memory of 2308 2764 Iiipeb32.exe 37 PID 2764 wrote to memory of 2308 2764 Iiipeb32.exe 37 PID 2764 wrote to memory of 2308 2764 Iiipeb32.exe 37 PID 2308 wrote to memory of 1212 2308 Ikjlmjmp.exe 38 PID 2308 wrote to memory of 1212 2308 Ikjlmjmp.exe 38 PID 2308 wrote to memory of 1212 2308 Ikjlmjmp.exe 38 PID 2308 wrote to memory of 1212 2308 Ikjlmjmp.exe 38 PID 1212 wrote to memory of 3020 1212 Ibadnhmb.exe 39 PID 1212 wrote to memory of 3020 1212 Ibadnhmb.exe 39 PID 1212 wrote to memory of 3020 1212 Ibadnhmb.exe 39 PID 1212 wrote to memory of 3020 1212 Ibadnhmb.exe 39 PID 3020 wrote to memory of 448 3020 Ioheci32.exe 40 PID 3020 wrote to memory of 448 3020 Ioheci32.exe 40 PID 3020 wrote to memory of 448 3020 Ioheci32.exe 40 PID 3020 wrote to memory of 448 3020 Ioheci32.exe 40 PID 448 wrote to memory of 1224 448 Iebmpcjc.exe 41 PID 448 wrote to memory of 1224 448 Iebmpcjc.exe 41 PID 448 wrote to memory of 1224 448 Iebmpcjc.exe 41 PID 448 wrote to memory of 1224 448 Iebmpcjc.exe 41 PID 1224 wrote to memory of 2372 1224 Igcjgk32.exe 42 PID 1224 wrote to memory of 2372 1224 Igcjgk32.exe 42 PID 1224 wrote to memory of 2372 1224 Igcjgk32.exe 42 PID 1224 wrote to memory of 2372 1224 Igcjgk32.exe 42 PID 2372 wrote to memory of 1980 2372 Innbde32.exe 43 PID 2372 wrote to memory of 1980 2372 Innbde32.exe 43 PID 2372 wrote to memory of 1980 2372 Innbde32.exe 43 PID 2372 wrote to memory of 1980 2372 Innbde32.exe 43 PID 1980 wrote to memory of 2556 1980 Igffmkno.exe 44 PID 1980 wrote to memory of 2556 1980 Igffmkno.exe 44 PID 1980 wrote to memory of 2556 1980 Igffmkno.exe 44 PID 1980 wrote to memory of 2556 1980 Igffmkno.exe 44 PID 2556 wrote to memory of 2096 2556 Jidbifmb.exe 45 PID 2556 wrote to memory of 2096 2556 Jidbifmb.exe 45 PID 2556 wrote to memory of 2096 2556 Jidbifmb.exe 45 PID 2556 wrote to memory of 2096 2556 Jidbifmb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9c821cc8ad9a5b1fc88f15d856dec00N.exe"C:\Users\Admin\AppData\Local\Temp\f9c821cc8ad9a5b1fc88f15d856dec00N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Hdhnal32.exeC:\Windows\system32\Hdhnal32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Hlcbfnjk.exeC:\Windows\system32\Hlcbfnjk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Ibmkbh32.exeC:\Windows\system32\Ibmkbh32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Iigcobid.exeC:\Windows\system32\Iigcobid.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Iockhigl.exeC:\Windows\system32\Iockhigl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Iiipeb32.exeC:\Windows\system32\Iiipeb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Ikjlmjmp.exeC:\Windows\system32\Ikjlmjmp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Ioheci32.exeC:\Windows\system32\Ioheci32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Iebmpcjc.exeC:\Windows\system32\Iebmpcjc.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Igcjgk32.exeC:\Windows\system32\Igcjgk32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Innbde32.exeC:\Windows\system32\Innbde32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Igffmkno.exeC:\Windows\system32\Igffmkno.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Jidbifmb.exeC:\Windows\system32\Jidbifmb.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Jnbkodci.exeC:\Windows\system32\Jnbkodci.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:716 -
C:\Windows\SysWOW64\Jpqgkpcl.exeC:\Windows\system32\Jpqgkpcl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Jlghpa32.exeC:\Windows\system32\Jlghpa32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Jofdll32.exeC:\Windows\system32\Jofdll32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Jfpmifoa.exeC:\Windows\system32\Jfpmifoa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Jljeeqfn.exeC:\Windows\system32\Jljeeqfn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Johaalea.exeC:\Windows\system32\Johaalea.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Jhqeka32.exeC:\Windows\system32\Jhqeka32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Jcfjhj32.exeC:\Windows\system32\Jcfjhj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Kkaolm32.exeC:\Windows\system32\Kkaolm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Knpkhhhg.exeC:\Windows\system32\Knpkhhhg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Kheofahm.exeC:\Windows\system32\Kheofahm.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Kkckblgq.exeC:\Windows\system32\Kkckblgq.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Kqqdjceh.exeC:\Windows\system32\Kqqdjceh.exe35⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Kdlpkb32.exeC:\Windows\system32\Kdlpkb32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\Kqcqpc32.exeC:\Windows\system32\Kqcqpc32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Kkhdml32.exeC:\Windows\system32\Kkhdml32.exe39⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Kngaig32.exeC:\Windows\system32\Kngaig32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Kqemeb32.exeC:\Windows\system32\Kqemeb32.exe41⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Kfbemi32.exeC:\Windows\system32\Kfbemi32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Kjnanhhc.exeC:\Windows\system32\Kjnanhhc.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Lqgjkbop.exeC:\Windows\system32\Lqgjkbop.exe44⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Lcffgnnc.exeC:\Windows\system32\Lcffgnnc.exe45⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Liboodmk.exeC:\Windows\system32\Liboodmk.exe46⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Lffohikd.exeC:\Windows\system32\Lffohikd.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Lmqgec32.exeC:\Windows\system32\Lmqgec32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Loocanbe.exeC:\Windows\system32\Loocanbe.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Lighjd32.exeC:\Windows\system32\Lighjd32.exe51⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Lpapgnpb.exeC:\Windows\system32\Lpapgnpb.exe52⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Lenioenj.exeC:\Windows\system32\Lenioenj.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Lijepc32.exeC:\Windows\system32\Lijepc32.exe54⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Lkhalo32.exeC:\Windows\system32\Lkhalo32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Lnfmhj32.exeC:\Windows\system32\Lnfmhj32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Milaecdp.exeC:\Windows\system32\Milaecdp.exe58⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Mgoaap32.exeC:\Windows\system32\Mgoaap32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Mjmnmk32.exeC:\Windows\system32\Mjmnmk32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Mnijnjbh.exeC:\Windows\system32\Mnijnjbh.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe62⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\Mnkfcjqe.exeC:\Windows\system32\Mnkfcjqe.exe64⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Majcoepi.exeC:\Windows\system32\Majcoepi.exe65⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Meeopdhb.exeC:\Windows\system32\Meeopdhb.exe66⤵
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Mchokq32.exeC:\Windows\system32\Mchokq32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Mffkgl32.exeC:\Windows\system32\Mffkgl32.exe68⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Mnncii32.exeC:\Windows\system32\Mnncii32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Mmpcdfem.exeC:\Windows\system32\Mmpcdfem.exe70⤵PID:924
-
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe71⤵PID:2680
-
C:\Windows\SysWOW64\Mhfhaoec.exeC:\Windows\system32\Mhfhaoec.exe72⤵PID:344
-
C:\Windows\SysWOW64\Mjddnjdf.exeC:\Windows\system32\Mjddnjdf.exe73⤵PID:2468
-
C:\Windows\SysWOW64\Migdig32.exeC:\Windows\system32\Migdig32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Mpalfabn.exeC:\Windows\system32\Mpalfabn.exe75⤵PID:1940
-
C:\Windows\SysWOW64\Mbpibm32.exeC:\Windows\system32\Mbpibm32.exe76⤵
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Mjgqcj32.exeC:\Windows\system32\Mjgqcj32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\Mmemoe32.exeC:\Windows\system32\Mmemoe32.exe78⤵PID:2548
-
C:\Windows\SysWOW64\Npcika32.exeC:\Windows\system32\Npcika32.exe79⤵PID:2072
-
C:\Windows\SysWOW64\Nbbegl32.exeC:\Windows\system32\Nbbegl32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Nepach32.exeC:\Windows\system32\Nepach32.exe81⤵PID:1732
-
C:\Windows\SysWOW64\Nilndfgl.exeC:\Windows\system32\Nilndfgl.exe82⤵
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Nljjqbfp.exeC:\Windows\system32\Nljjqbfp.exe83⤵PID:1960
-
C:\Windows\SysWOW64\Noifmmec.exeC:\Windows\system32\Noifmmec.exe84⤵
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Nbdbml32.exeC:\Windows\system32\Nbdbml32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Nebnigmp.exeC:\Windows\system32\Nebnigmp.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ninjjf32.exeC:\Windows\system32\Ninjjf32.exe87⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Nlmffa32.exeC:\Windows\system32\Nlmffa32.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Nphbfplf.exeC:\Windows\system32\Nphbfplf.exe89⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Niqgof32.exeC:\Windows\system32\Niqgof32.exe91⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:104 -
C:\Windows\SysWOW64\Nbilhkig.exeC:\Windows\system32\Nbilhkig.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Neghdg32.exeC:\Windows\system32\Neghdg32.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Nlapaapg.exeC:\Windows\system32\Nlapaapg.exe95⤵PID:2992
-
C:\Windows\SysWOW64\Noplmlok.exeC:\Windows\system32\Noplmlok.exe96⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Nmbmii32.exeC:\Windows\system32\Nmbmii32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Nejdjf32.exeC:\Windows\system32\Nejdjf32.exe98⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Ndmeecmb.exeC:\Windows\system32\Ndmeecmb.exe99⤵
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Ngkaaolf.exeC:\Windows\system32\Ngkaaolf.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Oobiclmh.exeC:\Windows\system32\Oobiclmh.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Oaqeogll.exeC:\Windows\system32\Oaqeogll.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1144 -
C:\Windows\SysWOW64\Opcejd32.exeC:\Windows\system32\Opcejd32.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Ohjmlaci.exeC:\Windows\system32\Ohjmlaci.exe104⤵PID:1664
-
C:\Windows\SysWOW64\Ogmngn32.exeC:\Windows\system32\Ogmngn32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2416 -
C:\Windows\SysWOW64\Oiljcj32.exeC:\Windows\system32\Oiljcj32.exe106⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Opebpdad.exeC:\Windows\system32\Opebpdad.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Ocdnloph.exeC:\Windows\system32\Ocdnloph.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Okkfmmqj.exeC:\Windows\system32\Okkfmmqj.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe110⤵
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Ophoecoa.exeC:\Windows\system32\Ophoecoa.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Ocfkaone.exeC:\Windows\system32\Ocfkaone.exe112⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Ogbgbn32.exeC:\Windows\system32\Ogbgbn32.exe113⤵PID:760
-
C:\Windows\SysWOW64\Oipcnieb.exeC:\Windows\system32\Oipcnieb.exe114⤵
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Onlooh32.exeC:\Windows\system32\Onlooh32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Olopjddf.exeC:\Windows\system32\Olopjddf.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Oomlfpdi.exeC:\Windows\system32\Oomlfpdi.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Ogddhmdl.exeC:\Windows\system32\Ogddhmdl.exe118⤵PID:636
-
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe119⤵PID:1728
-
C:\Windows\SysWOW64\Oheppe32.exeC:\Windows\system32\Oheppe32.exe120⤵PID:1600
-
C:\Windows\SysWOW64\Olalpdbc.exeC:\Windows\system32\Olalpdbc.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2396
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-