Analysis
-
max time kernel
36s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
17/08/2024, 00:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e6e4e543a715f94b08dafa437e888900N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
e6e4e543a715f94b08dafa437e888900N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
e6e4e543a715f94b08dafa437e888900N.exe
-
Size
111KB
-
MD5
e6e4e543a715f94b08dafa437e888900
-
SHA1
433b6ceda05a2119f9040840f749c83106ef2599
-
SHA256
a3f00414f24100823c30ee38a388b49784193f9ed8e1640981b9655baadf0317
-
SHA512
c71d2cb38870b23d7ddd5932df7e4891745890daf2146e3ff4723e8047170ceeb74667b0bff98b1ed4082de03f751745f99ac699537152cb58e1b9a286ca2aea
-
SSDEEP
3072:+7qdQThMLDaXNN1eZ2hw0v0wnJcefSXQHPTTAkvB5Ddj:+7CNDGNNYetnJfKXqPTX7DB
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaddid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idgjqook.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidbifmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jidbifmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfdbcing.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmngof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndmeecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glomllkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhcgkbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocfkaone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcamln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmilmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lckpbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbcgnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jakjjcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgmlmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkcgapjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okijhmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opmhqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmlmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdjceb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knddcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfbemi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqjfpbmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcdkbao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgoaap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmcpjfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" e6e4e543a715f94b08dafa437e888900N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpoofm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioaobjin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokahhac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johaalea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkhalo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad e6e4e543a715f94b08dafa437e888900N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmneebeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jempcgad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfilnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odckfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffkncf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfogneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ganbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gekkpqnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iofhmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmemoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nanhihno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ioaobjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihnmfoli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komjmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mffkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpoppadq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnncii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neekogkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okijhmcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opebpdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbfhcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Johaalea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgmilmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npcika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opcejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjhgidjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jakjjcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mganfp32.exe -
Executes dropped EXE 64 IoCs
pid Process 2272 Enhcnd32.exe 2184 Ffpkob32.exe 2972 Fhngkm32.exe 2992 Fnkpcd32.exe 2616 Fdehpn32.exe 2584 Fnmmidhm.exe 1700 Fdgefn32.exe 2668 Fjdnne32.exe 2604 Fmbjjp32.exe 2608 Ffkncf32.exe 2648 Fqpbpo32.exe 2088 Fjhgidjk.exe 2656 Fmgcepio.exe 572 Gfogneop.exe 2384 Gindjqnc.exe 2104 Gbfhcf32.exe 2220 Gmlmpo32.exe 332 Glomllkd.exe 972 Gbheif32.exe 2332 Ghenamai.exe 1096 Gplebjbk.exe 2356 Gnofng32.exe 1100 Ganbjb32.exe 1740 Gapoob32.exe 2588 Gekkpqnp.exe 1716 Hmgodc32.exe 1924 Habkeacd.exe 2980 Hmiljb32.exe 2716 Hpghfn32.exe 2680 Hjmmcgha.exe 2732 Hagepa32.exe 1448 Hmneebeb.exe 2032 Hplbamdf.exe 1920 Heijidbn.exe 3052 Hpoofm32.exe 3060 Ioaobjin.exe 1168 Ileoknhh.exe 3068 Iboghh32.exe 1432 Iencdc32.exe 2256 Iofhmi32.exe 760 Iaddid32.exe 2412 Idcqep32.exe 888 Ihnmfoli.exe 2228 Iagaod32.exe 2008 Ihqilnig.exe 2440 Ikoehj32.exe 1980 Iokahhac.exe 1744 Iainddpg.exe 2040 Idgjqook.exe 2148 Ihcfan32.exe 2840 Jkabmi32.exe 2704 Jidbifmb.exe 2844 Jakjjcnd.exe 2004 Jpnkep32.exe 1420 Jcmgal32.exe 1860 Jjgonf32.exe 2908 Jpqgkpcl.exe 660 Jdlclo32.exe 1804 Jgkphj32.exe 1892 Jempcgad.exe 2232 Jndhddaf.exe 2464 Jpcdqpqj.exe 1520 Jgmlmj32.exe 1412 Jfpmifoa.exe -
Loads dropped DLL 64 IoCs
pid Process 1644 e6e4e543a715f94b08dafa437e888900N.exe 1644 e6e4e543a715f94b08dafa437e888900N.exe 2272 Enhcnd32.exe 2272 Enhcnd32.exe 2184 Ffpkob32.exe 2184 Ffpkob32.exe 2972 Fhngkm32.exe 2972 Fhngkm32.exe 2992 Fnkpcd32.exe 2992 Fnkpcd32.exe 2616 Fdehpn32.exe 2616 Fdehpn32.exe 2584 Fnmmidhm.exe 2584 Fnmmidhm.exe 1700 Fdgefn32.exe 1700 Fdgefn32.exe 2668 Fjdnne32.exe 2668 Fjdnne32.exe 2604 Fmbjjp32.exe 2604 Fmbjjp32.exe 2608 Ffkncf32.exe 2608 Ffkncf32.exe 2648 Fqpbpo32.exe 2648 Fqpbpo32.exe 2088 Fjhgidjk.exe 2088 Fjhgidjk.exe 2656 Fmgcepio.exe 2656 Fmgcepio.exe 572 Gfogneop.exe 572 Gfogneop.exe 2384 Gindjqnc.exe 2384 Gindjqnc.exe 2104 Gbfhcf32.exe 2104 Gbfhcf32.exe 2220 Gmlmpo32.exe 2220 Gmlmpo32.exe 332 Glomllkd.exe 332 Glomllkd.exe 972 Gbheif32.exe 972 Gbheif32.exe 2332 Ghenamai.exe 2332 Ghenamai.exe 1096 Gplebjbk.exe 1096 Gplebjbk.exe 2356 Gnofng32.exe 2356 Gnofng32.exe 1100 Ganbjb32.exe 1100 Ganbjb32.exe 1740 Gapoob32.exe 1740 Gapoob32.exe 2588 Gekkpqnp.exe 2588 Gekkpqnp.exe 1716 Hmgodc32.exe 1716 Hmgodc32.exe 1924 Habkeacd.exe 1924 Habkeacd.exe 2980 Hmiljb32.exe 2980 Hmiljb32.exe 2716 Hpghfn32.exe 2716 Hpghfn32.exe 2680 Hjmmcgha.exe 2680 Hjmmcgha.exe 2732 Hagepa32.exe 2732 Hagepa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jbijcgbc.exe Jkobgm32.exe File opened for modification C:\Windows\SysWOW64\Majcoepi.exe Mmngof32.exe File created C:\Windows\SysWOW64\Hipdajoc.dll Nfmahkhh.exe File created C:\Windows\SysWOW64\Ogddhmdl.exe Oomlfpdi.exe File created C:\Windows\SysWOW64\Jcejbh32.dll Fdehpn32.exe File opened for modification C:\Windows\SysWOW64\Glomllkd.exe Gmlmpo32.exe File created C:\Windows\SysWOW64\Ockdmn32.exe Opmhqc32.exe File opened for modification C:\Windows\SysWOW64\Nhakecld.exe Nebnigmp.exe File created C:\Windows\SysWOW64\Bhgffm32.dll Hjmmcgha.exe File opened for modification C:\Windows\SysWOW64\Knddcg32.exe Kkfhglen.exe File created C:\Windows\SysWOW64\Iddacacc.dll Kkaolm32.exe File created C:\Windows\SysWOW64\Mffkgl32.exe Majcoepi.exe File created C:\Windows\SysWOW64\Mekmbk32.dll Ogmngn32.exe File created C:\Windows\SysWOW64\Johaalea.exe Jpeafo32.exe File created C:\Windows\SysWOW64\Eaqehcbj.dll Jhqeka32.exe File opened for modification C:\Windows\SysWOW64\Jjgonf32.exe Jcmgal32.exe File created C:\Windows\SysWOW64\Ckkfef32.dll Jcmgal32.exe File created C:\Windows\SysWOW64\Onlooh32.exe Oeegnj32.exe File created C:\Windows\SysWOW64\Edpbkipf.dll Iboghh32.exe File created C:\Windows\SysWOW64\Ihnmfoli.exe Idcqep32.exe File created C:\Windows\SysWOW64\Okfmbm32.exe Ngkaaolf.exe File opened for modification C:\Windows\SysWOW64\Iaddid32.exe Iofhmi32.exe File opened for modification C:\Windows\SysWOW64\Lqjfpbmm.exe Liboodmk.exe File opened for modification C:\Windows\SysWOW64\Mnncii32.exe Mffkgl32.exe File opened for modification C:\Windows\SysWOW64\Npcika32.exe Mmemoe32.exe File created C:\Windows\SysWOW64\Opcejd32.exe Omeini32.exe File opened for modification C:\Windows\SysWOW64\Gindjqnc.exe Gfogneop.exe File created C:\Windows\SysWOW64\Lbbiii32.exe Lnfmhj32.exe File created C:\Windows\SysWOW64\Kmnnepij.dll Mlmjgnaa.exe File opened for modification C:\Windows\SysWOW64\Mhfhaoec.exe Mpoppadq.exe File created C:\Windows\SysWOW64\Fdgefn32.exe Fnmmidhm.exe File created C:\Windows\SysWOW64\Iagaod32.exe Ihnmfoli.exe File created C:\Windows\SysWOW64\Qkgjae32.dll Hpoofm32.exe File created C:\Windows\SysWOW64\Jgkphj32.exe Jdlclo32.exe File opened for modification C:\Windows\SysWOW64\Nlapaapg.exe Nhfdqb32.exe File created C:\Windows\SysWOW64\Opjlkc32.exe Onlooh32.exe File opened for modification C:\Windows\SysWOW64\Fnkpcd32.exe Fhngkm32.exe File created C:\Windows\SysWOW64\Oqagbp32.dll Hagepa32.exe File opened for modification C:\Windows\SysWOW64\Iboghh32.exe Ileoknhh.exe File created C:\Windows\SysWOW64\Jcmgal32.exe Jpnkep32.exe File created C:\Windows\SysWOW64\Jgmlmj32.exe Jpcdqpqj.exe File opened for modification C:\Windows\SysWOW64\Kkckblgq.exe Kheofahm.exe File created C:\Windows\SysWOW64\Okkfmmqj.exe Ocdnloph.exe File created C:\Windows\SysWOW64\Cpjhfd32.dll Fdgefn32.exe File created C:\Windows\SysWOW64\Heijidbn.exe Hplbamdf.exe File created C:\Windows\SysWOW64\Ihhkho32.dll Fmgcepio.exe File created C:\Windows\SysWOW64\Pmjoacao.dll Nokcbm32.exe File created C:\Windows\SysWOW64\Bdggbp32.dll Ihcfan32.exe File created C:\Windows\SysWOW64\Pfgmna32.dll Mdmhfpkg.exe File created C:\Windows\SysWOW64\Hmgodc32.exe Gekkpqnp.exe File opened for modification C:\Windows\SysWOW64\Magfjebk.exe Mbdfni32.exe File created C:\Windows\SysWOW64\Jakjjcnd.exe Jidbifmb.exe File created C:\Windows\SysWOW64\Kbncof32.exe Kkckblgq.exe File created C:\Windows\SysWOW64\Ekhfpeai.dll Lckpbm32.exe File created C:\Windows\SysWOW64\Edljdb32.dll Nlapaapg.exe File created C:\Windows\SysWOW64\Mdhhbnhi.dll Iagaod32.exe File created C:\Windows\SysWOW64\Iijfeeok.dll Iokahhac.exe File created C:\Windows\SysWOW64\Ccembbcj.dll Jempcgad.exe File opened for modification C:\Windows\SysWOW64\Kdgfpbaf.exe Jbijcgbc.exe File created C:\Windows\SysWOW64\Kheofahm.exe Kdjceb32.exe File opened for modification C:\Windows\SysWOW64\Nfmahkhh.exe Npcika32.exe File opened for modification C:\Windows\SysWOW64\Omeini32.exe Okfmbm32.exe File created C:\Windows\SysWOW64\Idhcadad.dll Hmgodc32.exe File created C:\Windows\SysWOW64\Joapmk32.dll Jdlclo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1536 1712 WerFault.exe 199 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioaobjin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liboodmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nanhihno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkpcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdgefn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmmcgha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liekddkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhakecld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdnloph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfhaoec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npffaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omeini32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gindjqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpghfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokahhac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jempcgad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkhch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmhfpkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npcika32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oheppe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpeafo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johaalea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbijcgbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbncof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckpbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Magfjebk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okfmbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hagepa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlnjcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphbfplf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhcgkbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocfkaone.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeegnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ganbjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcqep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidbifmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nebnigmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjbihpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqpbpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekkpqnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmjgnaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noplmlok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlmpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heijidbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhqeka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkobgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffohikd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfilnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpoppadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghenamai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnmfoli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naionh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplbamdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdgfpbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmngof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihcfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdqifajl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnncii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkfmmqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmgodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iagaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngaig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfkebkjk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgmbfej.dll" Gindjqnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmiljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcflp32.dll" Jgkphj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmngof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegobiom.dll" Nhfdqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeghhnb.dll" Enhcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfogneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pndcenao.dll" Gapoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hplbamdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifadmn32.dll" Knddcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgmilmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moeodd32.dll" Liboodmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmelhc32.dll" Lijepc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffpkob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfamj32.dll" Opcejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lginle32.dll" Lmlnjcgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbfhcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ileoknhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnfmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doegcd32.dll" Nbilhkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkimple.dll" Gekkpqnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkfhglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhfpeai.dll" Lckpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nljjqbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpeafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnnepij.dll" Mlmjgnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbofhpaj.dll" Npcika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmcnifll.dll" Okkfmmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjhfd32.dll" Fdgefn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iencdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpcdqpqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mffkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oheppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnmbcbg.dll" Habkeacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jidbifmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfkhch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlmjgnaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmbjjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ganbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjddnl32.dll" Jpqgkpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmcpjfcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkbcgnie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlapaapg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 e6e4e543a715f94b08dafa437e888900N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmff32.dll" Jfpmifoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mljnaocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcipdg32.dll" Ollcee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aledmn32.dll" Ffkncf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iaddid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cokdhpcc.dll" Kbppdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Neekogkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Heijidbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpghfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjmmcgha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iainddpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdehpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngkaaolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbijcgbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hidnidah.dll" Onlooh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmlmpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imgmggec.dll" Jbijcgbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madikm32.dll" Npffaq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1644 wrote to memory of 2272 1644 e6e4e543a715f94b08dafa437e888900N.exe 30 PID 1644 wrote to memory of 2272 1644 e6e4e543a715f94b08dafa437e888900N.exe 30 PID 1644 wrote to memory of 2272 1644 e6e4e543a715f94b08dafa437e888900N.exe 30 PID 1644 wrote to memory of 2272 1644 e6e4e543a715f94b08dafa437e888900N.exe 30 PID 2272 wrote to memory of 2184 2272 Enhcnd32.exe 31 PID 2272 wrote to memory of 2184 2272 Enhcnd32.exe 31 PID 2272 wrote to memory of 2184 2272 Enhcnd32.exe 31 PID 2272 wrote to memory of 2184 2272 Enhcnd32.exe 31 PID 2184 wrote to memory of 2972 2184 Ffpkob32.exe 32 PID 2184 wrote to memory of 2972 2184 Ffpkob32.exe 32 PID 2184 wrote to memory of 2972 2184 Ffpkob32.exe 32 PID 2184 wrote to memory of 2972 2184 Ffpkob32.exe 32 PID 2972 wrote to memory of 2992 2972 Fhngkm32.exe 33 PID 2972 wrote to memory of 2992 2972 Fhngkm32.exe 33 PID 2972 wrote to memory of 2992 2972 Fhngkm32.exe 33 PID 2972 wrote to memory of 2992 2972 Fhngkm32.exe 33 PID 2992 wrote to memory of 2616 2992 Fnkpcd32.exe 34 PID 2992 wrote to memory of 2616 2992 Fnkpcd32.exe 34 PID 2992 wrote to memory of 2616 2992 Fnkpcd32.exe 34 PID 2992 wrote to memory of 2616 2992 Fnkpcd32.exe 34 PID 2616 wrote to memory of 2584 2616 Fdehpn32.exe 35 PID 2616 wrote to memory of 2584 2616 Fdehpn32.exe 35 PID 2616 wrote to memory of 2584 2616 Fdehpn32.exe 35 PID 2616 wrote to memory of 2584 2616 Fdehpn32.exe 35 PID 2584 wrote to memory of 1700 2584 Fnmmidhm.exe 36 PID 2584 wrote to memory of 1700 2584 Fnmmidhm.exe 36 PID 2584 wrote to memory of 1700 2584 Fnmmidhm.exe 36 PID 2584 wrote to memory of 1700 2584 Fnmmidhm.exe 36 PID 1700 wrote to memory of 2668 1700 Fdgefn32.exe 37 PID 1700 wrote to memory of 2668 1700 Fdgefn32.exe 37 PID 1700 wrote to memory of 2668 1700 Fdgefn32.exe 37 PID 1700 wrote to memory of 2668 1700 Fdgefn32.exe 37 PID 2668 wrote to memory of 2604 2668 Fjdnne32.exe 38 PID 2668 wrote to memory of 2604 2668 Fjdnne32.exe 38 PID 2668 wrote to memory of 2604 2668 Fjdnne32.exe 38 PID 2668 wrote to memory of 2604 2668 Fjdnne32.exe 38 PID 2604 wrote to memory of 2608 2604 Fmbjjp32.exe 39 PID 2604 wrote to memory of 2608 2604 Fmbjjp32.exe 39 PID 2604 wrote to memory of 2608 2604 Fmbjjp32.exe 39 PID 2604 wrote to memory of 2608 2604 Fmbjjp32.exe 39 PID 2608 wrote to memory of 2648 2608 Ffkncf32.exe 40 PID 2608 wrote to memory of 2648 2608 Ffkncf32.exe 40 PID 2608 wrote to memory of 2648 2608 Ffkncf32.exe 40 PID 2608 wrote to memory of 2648 2608 Ffkncf32.exe 40 PID 2648 wrote to memory of 2088 2648 Fqpbpo32.exe 41 PID 2648 wrote to memory of 2088 2648 Fqpbpo32.exe 41 PID 2648 wrote to memory of 2088 2648 Fqpbpo32.exe 41 PID 2648 wrote to memory of 2088 2648 Fqpbpo32.exe 41 PID 2088 wrote to memory of 2656 2088 Fjhgidjk.exe 42 PID 2088 wrote to memory of 2656 2088 Fjhgidjk.exe 42 PID 2088 wrote to memory of 2656 2088 Fjhgidjk.exe 42 PID 2088 wrote to memory of 2656 2088 Fjhgidjk.exe 42 PID 2656 wrote to memory of 572 2656 Fmgcepio.exe 43 PID 2656 wrote to memory of 572 2656 Fmgcepio.exe 43 PID 2656 wrote to memory of 572 2656 Fmgcepio.exe 43 PID 2656 wrote to memory of 572 2656 Fmgcepio.exe 43 PID 572 wrote to memory of 2384 572 Gfogneop.exe 44 PID 572 wrote to memory of 2384 572 Gfogneop.exe 44 PID 572 wrote to memory of 2384 572 Gfogneop.exe 44 PID 572 wrote to memory of 2384 572 Gfogneop.exe 44 PID 2384 wrote to memory of 2104 2384 Gindjqnc.exe 45 PID 2384 wrote to memory of 2104 2384 Gindjqnc.exe 45 PID 2384 wrote to memory of 2104 2384 Gindjqnc.exe 45 PID 2384 wrote to memory of 2104 2384 Gindjqnc.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6e4e543a715f94b08dafa437e888900N.exe"C:\Users\Admin\AppData\Local\Temp\e6e4e543a715f94b08dafa437e888900N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Enhcnd32.exeC:\Windows\system32\Enhcnd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Fhngkm32.exeC:\Windows\system32\Fhngkm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Fnkpcd32.exeC:\Windows\system32\Fnkpcd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Fdehpn32.exeC:\Windows\system32\Fdehpn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Fnmmidhm.exeC:\Windows\system32\Fnmmidhm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Fdgefn32.exeC:\Windows\system32\Fdgefn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Fjdnne32.exeC:\Windows\system32\Fjdnne32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Fmbjjp32.exeC:\Windows\system32\Fmbjjp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Ffkncf32.exeC:\Windows\system32\Ffkncf32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Fqpbpo32.exeC:\Windows\system32\Fqpbpo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Fjhgidjk.exeC:\Windows\system32\Fjhgidjk.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Fmgcepio.exeC:\Windows\system32\Fmgcepio.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Gfogneop.exeC:\Windows\system32\Gfogneop.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Gbfhcf32.exeC:\Windows\system32\Gbfhcf32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Gmlmpo32.exeC:\Windows\system32\Gmlmpo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Glomllkd.exeC:\Windows\system32\Glomllkd.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Gbheif32.exeC:\Windows\system32\Gbheif32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Gplebjbk.exeC:\Windows\system32\Gplebjbk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Gnofng32.exeC:\Windows\system32\Gnofng32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Ganbjb32.exeC:\Windows\system32\Ganbjb32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Gekkpqnp.exeC:\Windows\system32\Gekkpqnp.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Hmgodc32.exeC:\Windows\system32\Hmgodc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\Habkeacd.exeC:\Windows\system32\Habkeacd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Hmiljb32.exeC:\Windows\system32\Hmiljb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Hpghfn32.exeC:\Windows\system32\Hpghfn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Hjmmcgha.exeC:\Windows\system32\Hjmmcgha.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Hagepa32.exeC:\Windows\system32\Hagepa32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Hmneebeb.exeC:\Windows\system32\Hmneebeb.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Hplbamdf.exeC:\Windows\system32\Hplbamdf.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Heijidbn.exeC:\Windows\system32\Heijidbn.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Hpoofm32.exeC:\Windows\system32\Hpoofm32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Ioaobjin.exeC:\Windows\system32\Ioaobjin.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Ileoknhh.exeC:\Windows\system32\Ileoknhh.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Iboghh32.exeC:\Windows\system32\Iboghh32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Iofhmi32.exeC:\Windows\system32\Iofhmi32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Iaddid32.exeC:\Windows\system32\Iaddid32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Idcqep32.exeC:\Windows\system32\Idcqep32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Ihnmfoli.exeC:\Windows\system32\Ihnmfoli.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\Iagaod32.exeC:\Windows\system32\Iagaod32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe46⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Ikoehj32.exeC:\Windows\system32\Ikoehj32.exe47⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Iokahhac.exeC:\Windows\system32\Iokahhac.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Idgjqook.exeC:\Windows\system32\Idgjqook.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Jkabmi32.exeC:\Windows\system32\Jkabmi32.exe52⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Jidbifmb.exeC:\Windows\system32\Jidbifmb.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Jpnkep32.exeC:\Windows\system32\Jpnkep32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Jjgonf32.exeC:\Windows\system32\Jjgonf32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Jpqgkpcl.exeC:\Windows\system32\Jpqgkpcl.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:660 -
C:\Windows\SysWOW64\Jgkphj32.exeC:\Windows\system32\Jgkphj32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Jempcgad.exeC:\Windows\system32\Jempcgad.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\Jndhddaf.exeC:\Windows\system32\Jndhddaf.exe62⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Jfpmifoa.exeC:\Windows\system32\Jfpmifoa.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Jljeeqfn.exeC:\Windows\system32\Jljeeqfn.exe66⤵PID:1684
-
C:\Windows\SysWOW64\Jpeafo32.exeC:\Windows\system32\Jpeafo32.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Johaalea.exeC:\Windows\system32\Johaalea.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe69⤵PID:2848
-
C:\Windows\SysWOW64\Jhqeka32.exeC:\Windows\system32\Jhqeka32.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Jkobgm32.exeC:\Windows\system32\Jkobgm32.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:940 -
C:\Windows\SysWOW64\Jbijcgbc.exeC:\Windows\system32\Jbijcgbc.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe73⤵
- System Location Discovery: System Language Discovery
PID:1224 -
C:\Windows\SysWOW64\Kkaolm32.exeC:\Windows\system32\Kkaolm32.exe74⤵
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Komjmk32.exeC:\Windows\system32\Komjmk32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Kfgcieii.exeC:\Windows\system32\Kfgcieii.exe76⤵PID:2660
-
C:\Windows\SysWOW64\Kdjceb32.exeC:\Windows\system32\Kdjceb32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Kheofahm.exeC:\Windows\system32\Kheofahm.exe78⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Kkckblgq.exeC:\Windows\system32\Kkckblgq.exe79⤵
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Kbncof32.exeC:\Windows\system32\Kbncof32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\Kqqdjceh.exeC:\Windows\system32\Kqqdjceh.exe81⤵PID:2580
-
C:\Windows\SysWOW64\Khglkqfj.exeC:\Windows\system32\Khglkqfj.exe82⤵PID:1176
-
C:\Windows\SysWOW64\Kkfhglen.exeC:\Windows\system32\Kkfhglen.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Knddcg32.exeC:\Windows\system32\Knddcg32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe85⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Kcamln32.exeC:\Windows\system32\Kcamln32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Kgmilmkb.exeC:\Windows\system32\Kgmilmkb.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Kjkehhjf.exeC:\Windows\system32\Kjkehhjf.exe88⤵PID:2288
-
C:\Windows\SysWOW64\Kngaig32.exeC:\Windows\system32\Kngaig32.exe89⤵
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Kdqifajl.exeC:\Windows\system32\Kdqifajl.exe90⤵
- System Location Discovery: System Language Discovery
PID:560 -
C:\Windows\SysWOW64\Kfbemi32.exeC:\Windows\system32\Kfbemi32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Lmlnjcgg.exeC:\Windows\system32\Lmlnjcgg.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Lojjfo32.exeC:\Windows\system32\Lojjfo32.exe93⤵PID:2200
-
C:\Windows\SysWOW64\Lcffgnnc.exeC:\Windows\system32\Lcffgnnc.exe94⤵PID:1008
-
C:\Windows\SysWOW64\Lfdbcing.exeC:\Windows\system32\Lfdbcing.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1036 -
C:\Windows\SysWOW64\Liboodmk.exeC:\Windows\system32\Liboodmk.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Lchclmla.exeC:\Windows\system32\Lchclmla.exe98⤵PID:2036
-
C:\Windows\SysWOW64\Lffohikd.exeC:\Windows\system32\Lffohikd.exe99⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Liekddkh.exeC:\Windows\system32\Liekddkh.exe100⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Lkcgapjl.exeC:\Windows\system32\Lkcgapjl.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Lckpbm32.exeC:\Windows\system32\Lckpbm32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Lfilnh32.exeC:\Windows\system32\Lfilnh32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Lmcdkbao.exeC:\Windows\system32\Lmcdkbao.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1900 -
C:\Windows\SysWOW64\Lpapgnpb.exeC:\Windows\system32\Lpapgnpb.exe105⤵PID:1916
-
C:\Windows\SysWOW64\Lfkhch32.exeC:\Windows\system32\Lfkhch32.exe106⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Lijepc32.exeC:\Windows\system32\Lijepc32.exe107⤵
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Lkhalo32.exeC:\Windows\system32\Lkhalo32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652 -
C:\Windows\SysWOW64\Lnfmhj32.exeC:\Windows\system32\Lnfmhj32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe110⤵PID:2516
-
C:\Windows\SysWOW64\Leqeed32.exeC:\Windows\system32\Leqeed32.exe111⤵PID:2592
-
C:\Windows\SysWOW64\Mgoaap32.exeC:\Windows\system32\Mgoaap32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe113⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Mbdfni32.exeC:\Windows\system32\Mbdfni32.exe114⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe115⤵
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Mlmjgnaa.exeC:\Windows\system32\Mlmjgnaa.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Mmngof32.exeC:\Windows\system32\Mmngof32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Majcoepi.exeC:\Windows\system32\Majcoepi.exe119⤵
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Mffkgl32.exeC:\Windows\system32\Mffkgl32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Mnncii32.exeC:\Windows\system32\Mnncii32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-