Analysis
-
max time kernel
149s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
19/08/2024, 00:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe
-
Size
280KB
-
MD5
71e975181809196ca78e2bd30ab34733
-
SHA1
cd03d75447bd90acc74fb6bacf5ba576d8a61235
-
SHA256
b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e
-
SHA512
0feb77f39ee06e8cc5e443eccff738062ee6c6c183bfb4971d9a8027bdba42893a39d259724232e7d524ed62608d259e29ec7ef64f048d42645ef9cc0c5c49cd
-
SSDEEP
6144:8e7s++MYi/GOORjMmRUoooooooooooooooooooooooooy/G3:8eKi//OVLCooooooooooooooooooooo9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldikbhfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deedfacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdmhcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dahobdpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koelibnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keodflee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgcbmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acplpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdoeipjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcgpiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibjikk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glajmppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpaoojjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phmiimlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fondonbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cconcjae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblbpnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjfdpckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eelfedpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaaoakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cccgni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Happkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omekgakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbdpjgjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjcdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndnplk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgfciee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjpglfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjolpkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjcekj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedllgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iiodliep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbidof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efdmohmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgjgepqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keodflee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdehgnqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhjghlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aokfpjai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmiea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdehgnqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iabcbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkihpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dogbolep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eolljk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabcbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icnbic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncggifep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdnihiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qeihfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnoklc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acplpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acdfki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goekpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Happkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feppqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifoljn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblooa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkhjcing.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgemgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjhaec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amdmkb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2084 Kgmkef32.exe 2828 Lcfhpf32.exe 1240 Ljbmbpkb.exe 3052 Lhjghlng.exe 2560 Mqhhbn32.exe 2408 Mnneabff.exe 2724 Mpaoojjb.exe 2384 Nfncad32.exe 2928 Nfppfcmj.exe 2976 Nbljfdoh.exe 2952 Omekgakg.exe 2380 Ofbikf32.exe 1752 Obijpgcf.exe 2168 Popkeh32.exe 668 Ppogok32.exe 2172 Pkihpi32.exe 940 Phmiimlf.exe 1956 Pddinn32.exe 1512 Ppjjcogn.exe 544 Qnoklc32.exe 580 Acplpjpj.exe 1868 Aogmdk32.exe 1636 Afqeaemk.exe 1100 Acdfki32.exe 1508 Aokfpjai.exe 2532 Bkddjkej.exe 2720 Bdoeipjh.exe 2852 Bjlnaghp.exe 2784 Biakbc32.exe 2904 Dahobdpe.exe 2644 Dihmae32.exe 2676 Ddnaonia.exe 2040 Dogbolep.exe 2316 Eiocbd32.exe 2948 Eolljk32.exe 2960 Edkahbmo.exe 1740 Eaoaafli.exe 3060 Fimclh32.exe 1472 Fcegdnna.exe 1052 Fefpfi32.exe 2160 Fondonbc.exe 2276 Fdmjmenh.exe 2304 Gocnjn32.exe 1780 Gdpfbd32.exe 1224 Goekpm32.exe 1108 Gjolpkhj.exe 936 Gcgpiq32.exe 1812 Glpdbfek.exe 324 Gjcekj32.exe 2908 Gopnca32.exe 1976 Hjfbaj32.exe 2820 Hobjia32.exe 3024 Hjhofj32.exe 2624 Hoegoqng.exe 2696 Hogddpld.exe 2200 Hedllgjk.exe 2980 Hojqjp32.exe 316 Hibebeqb.exe 1804 Ibjikk32.exe 1148 Ikbndqnc.exe 2400 Icnbic32.exe 2140 Iabcbg32.exe 584 Ifoljn32.exe 1916 Ipgpcc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2452 b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe 2452 b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe 2084 Kgmkef32.exe 2084 Kgmkef32.exe 2828 Lcfhpf32.exe 2828 Lcfhpf32.exe 1240 Ljbmbpkb.exe 1240 Ljbmbpkb.exe 3052 Lhjghlng.exe 3052 Lhjghlng.exe 2560 Mqhhbn32.exe 2560 Mqhhbn32.exe 2408 Mnneabff.exe 2408 Mnneabff.exe 2724 Mpaoojjb.exe 2724 Mpaoojjb.exe 2384 Nfncad32.exe 2384 Nfncad32.exe 2928 Nfppfcmj.exe 2928 Nfppfcmj.exe 2976 Nbljfdoh.exe 2976 Nbljfdoh.exe 2952 Omekgakg.exe 2952 Omekgakg.exe 2380 Ofbikf32.exe 2380 Ofbikf32.exe 1752 Obijpgcf.exe 1752 Obijpgcf.exe 2168 Popkeh32.exe 2168 Popkeh32.exe 668 Ppogok32.exe 668 Ppogok32.exe 2172 Pkihpi32.exe 2172 Pkihpi32.exe 940 Phmiimlf.exe 940 Phmiimlf.exe 1956 Pddinn32.exe 1956 Pddinn32.exe 1512 Ppjjcogn.exe 1512 Ppjjcogn.exe 544 Qnoklc32.exe 544 Qnoklc32.exe 580 Acplpjpj.exe 580 Acplpjpj.exe 1868 Aogmdk32.exe 1868 Aogmdk32.exe 1636 Afqeaemk.exe 1636 Afqeaemk.exe 1100 Acdfki32.exe 1100 Acdfki32.exe 1508 Aokfpjai.exe 1508 Aokfpjai.exe 1604 Bdmhcp32.exe 1604 Bdmhcp32.exe 2720 Bdoeipjh.exe 2720 Bdoeipjh.exe 2852 Bjlnaghp.exe 2852 Bjlnaghp.exe 2784 Biakbc32.exe 2784 Biakbc32.exe 2904 Dahobdpe.exe 2904 Dahobdpe.exe 2644 Dihmae32.exe 2644 Dihmae32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Efdmohmm.exe Eiplecnc.exe File opened for modification C:\Windows\SysWOW64\Eelfedpa.exe Eoanij32.exe File opened for modification C:\Windows\SysWOW64\Qeglqpaj.exe Qlnghj32.exe File opened for modification C:\Windows\SysWOW64\Afqeaemk.exe Aogmdk32.exe File opened for modification C:\Windows\SysWOW64\Bfkakbpp.exe Bhgaan32.exe File created C:\Windows\SysWOW64\Hbdagfkc.dll Cqneaodd.exe File opened for modification C:\Windows\SysWOW64\Cbdkdffm.exe Cilfka32.exe File opened for modification C:\Windows\SysWOW64\Deedfacn.exe Cccgni32.exe File created C:\Windows\SysWOW64\Omekgakg.exe Nbljfdoh.exe File created C:\Windows\SysWOW64\Johlpoij.exe Jadlgjjq.exe File created C:\Windows\SysWOW64\Caldepec.dll Apgcbmha.exe File opened for modification C:\Windows\SysWOW64\Alqplmlb.exe Apjpglfn.exe File opened for modification C:\Windows\SysWOW64\Gokmnlcf.exe Ghaeaaki.exe File created C:\Windows\SysWOW64\Mbginggd.dll Acdfki32.exe File created C:\Windows\SysWOW64\Qnoklc32.exe Ppjjcogn.exe File opened for modification C:\Windows\SysWOW64\Biakbc32.exe Bjlnaghp.exe File opened for modification C:\Windows\SysWOW64\Hjfbaj32.exe Gopnca32.exe File created C:\Windows\SysWOW64\Nfighccb.dll Phhhchlp.exe File created C:\Windows\SysWOW64\Geplpfnh.exe Fkpeojha.exe File created C:\Windows\SysWOW64\Hnlhcobj.dll Hkfgnldd.exe File created C:\Windows\SysWOW64\Nnpbpemn.dll Ofbikf32.exe File opened for modification C:\Windows\SysWOW64\Ndnplk32.exe Lgjcdc32.exe File created C:\Windows\SysWOW64\Nghehm32.dll Qlnghj32.exe File created C:\Windows\SysWOW64\Pffjpg32.dll Adqbml32.exe File created C:\Windows\SysWOW64\Cbdkdffm.exe Cilfka32.exe File created C:\Windows\SysWOW64\Hgbanlfc.exe Hcdihn32.exe File created C:\Windows\SysWOW64\Mfjccdpc.dll Mpaoojjb.exe File created C:\Windows\SysWOW64\Adqbml32.exe Aodjdede.exe File created C:\Windows\SysWOW64\Eabgjeef.exe Eelfedpa.exe File created C:\Windows\SysWOW64\Hcdihn32.exe Hngppgae.exe File opened for modification C:\Windows\SysWOW64\Ddnaonia.exe Dihmae32.exe File created C:\Windows\SysWOW64\Ppjjcogn.exe Pddinn32.exe File created C:\Windows\SysWOW64\Egebiche.dll Pdnihiad.exe File created C:\Windows\SysWOW64\Amdmkb32.exe Qeihfp32.exe File created C:\Windows\SysWOW64\Dofonpnk.dll Cdgdlnop.exe File opened for modification C:\Windows\SysWOW64\Cfknjfbl.exe Ccmanjch.exe File created C:\Windows\SysWOW64\Cconcjae.exe Cfknjfbl.exe File created C:\Windows\SysWOW64\Kgmkef32.exe b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe File opened for modification C:\Windows\SysWOW64\Kblooa32.exe Kmpfgklo.exe File created C:\Windows\SysWOW64\Keodflee.exe Koelibnh.exe File opened for modification C:\Windows\SysWOW64\Qeihfp32.exe Qoopie32.exe File created C:\Windows\SysWOW64\Cdgdlnop.exe Cnmlpd32.exe File created C:\Windows\SysWOW64\Jlcffk32.dll Fkpeojha.exe File created C:\Windows\SysWOW64\Koehka32.dll Hjhofj32.exe File created C:\Windows\SysWOW64\Hpmjno32.dll Fdmjmenh.exe File opened for modification C:\Windows\SysWOW64\Ofbikf32.exe Omekgakg.exe File opened for modification C:\Windows\SysWOW64\Glpdbfek.exe Gcgpiq32.exe File created C:\Windows\SysWOW64\Qkgeifgn.dll Ibjikk32.exe File created C:\Windows\SysWOW64\Kihcakpa.exe Kgjgepqm.exe File opened for modification C:\Windows\SysWOW64\Bgfdjfkh.exe Alqplmlb.exe File created C:\Windows\SysWOW64\Nfppfcmj.exe Nfncad32.exe File created C:\Windows\SysWOW64\Lmiggh32.dll Bdoeipjh.exe File opened for modification C:\Windows\SysWOW64\Njaoeq32.exe Ncggifep.exe File created C:\Windows\SysWOW64\Benqjobn.dll Amdmkb32.exe File opened for modification C:\Windows\SysWOW64\Dbidof32.exe Deedfacn.exe File opened for modification C:\Windows\SysWOW64\Aokfpjai.exe Acdfki32.exe File created C:\Windows\SysWOW64\Oamkpm32.dll Iabcbg32.exe File created C:\Windows\SysWOW64\Nbljfdoh.exe Nfppfcmj.exe File created C:\Windows\SysWOW64\Ofbikf32.exe Omekgakg.exe File created C:\Windows\SysWOW64\Pddinn32.exe Phmiimlf.exe File opened for modification C:\Windows\SysWOW64\Gopnca32.exe Gjcekj32.exe File opened for modification C:\Windows\SysWOW64\Icnbic32.exe Ikbndqnc.exe File opened for modification C:\Windows\SysWOW64\Nfppfcmj.exe Nfncad32.exe File opened for modification C:\Windows\SysWOW64\Kkajkoml.exe Kaieai32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2032 2884 WerFault.exe 206 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdehgnqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmanjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjikk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgcncli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadlgjjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjfdpckc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjgepqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Happkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdndl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlpmndba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjcdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omekgakg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihmae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goekpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdmohmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obijpgcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddinn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cconcjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiplecnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afqeaemk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biakbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiocbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiodliep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oinbglkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deedfacn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephhmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfgnldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edkahbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoegoqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldikbhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenmkngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqplmlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfnnpbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eolljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gocnjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdpfbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaieai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geplpfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjolpkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppohf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oljanhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgcbmha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agmacgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfknjfbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohqhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acplpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcegdnna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hedllgjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeglqpaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdnihiad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfppfcmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogbolep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaaoakmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njaoeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgfdjfkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbidof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghaeaaki.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biakbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akmgoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoecelol.dll" Bbdoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmfab32.dll" Cnmlpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obijpgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hogddpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlgcncli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Denglpkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ephhmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcfhpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipapioii.dll" Icnbic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifoljn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olehbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aodjdede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccmanjch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cconcjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geplpfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnneabff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncggifep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiplecnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faohlp32.dll" Afqeaemk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimamm32.dll" Aogmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikbndqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbndfacf.dll" Jlpmndba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlpmndba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblhqf32.dll" Kpiihgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okdqnp32.dll" Flhkhnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpaoojjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lllihf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agmacgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igdndl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjfbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icnbic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppogmake.dll" Pnodjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcdgfop.dll" Pjhaec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gokmnlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfppfcmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eelfedpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alnfeemk.dll" Gokmnlcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biakbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kihcakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddnaonia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hngppgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkjdkib.dll" Mqhhbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fondonbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obffpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dahobdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdnine.dll" Pkihpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hogddpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jadlgjjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qeihfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maonll32.dll" Igdndl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afqeaemk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmkilcj.dll" Lgjcdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiegacgd.dll" Pebbeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkhjcing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Feppqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjolpkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnodjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghehm32.dll" Qlnghj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apgcbmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akmgoehg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dndoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Effidg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2452 wrote to memory of 2084 2452 b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe 29 PID 2452 wrote to memory of 2084 2452 b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe 29 PID 2452 wrote to memory of 2084 2452 b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe 29 PID 2452 wrote to memory of 2084 2452 b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe 29 PID 2084 wrote to memory of 2828 2084 Kgmkef32.exe 30 PID 2084 wrote to memory of 2828 2084 Kgmkef32.exe 30 PID 2084 wrote to memory of 2828 2084 Kgmkef32.exe 30 PID 2084 wrote to memory of 2828 2084 Kgmkef32.exe 30 PID 2828 wrote to memory of 1240 2828 Lcfhpf32.exe 31 PID 2828 wrote to memory of 1240 2828 Lcfhpf32.exe 31 PID 2828 wrote to memory of 1240 2828 Lcfhpf32.exe 31 PID 2828 wrote to memory of 1240 2828 Lcfhpf32.exe 31 PID 1240 wrote to memory of 3052 1240 Ljbmbpkb.exe 32 PID 1240 wrote to memory of 3052 1240 Ljbmbpkb.exe 32 PID 1240 wrote to memory of 3052 1240 Ljbmbpkb.exe 32 PID 1240 wrote to memory of 3052 1240 Ljbmbpkb.exe 32 PID 3052 wrote to memory of 2560 3052 Lhjghlng.exe 33 PID 3052 wrote to memory of 2560 3052 Lhjghlng.exe 33 PID 3052 wrote to memory of 2560 3052 Lhjghlng.exe 33 PID 3052 wrote to memory of 2560 3052 Lhjghlng.exe 33 PID 2560 wrote to memory of 2408 2560 Mqhhbn32.exe 34 PID 2560 wrote to memory of 2408 2560 Mqhhbn32.exe 34 PID 2560 wrote to memory of 2408 2560 Mqhhbn32.exe 34 PID 2560 wrote to memory of 2408 2560 Mqhhbn32.exe 34 PID 2408 wrote to memory of 2724 2408 Mnneabff.exe 35 PID 2408 wrote to memory of 2724 2408 Mnneabff.exe 35 PID 2408 wrote to memory of 2724 2408 Mnneabff.exe 35 PID 2408 wrote to memory of 2724 2408 Mnneabff.exe 35 PID 2724 wrote to memory of 2384 2724 Mpaoojjb.exe 36 PID 2724 wrote to memory of 2384 2724 Mpaoojjb.exe 36 PID 2724 wrote to memory of 2384 2724 Mpaoojjb.exe 36 PID 2724 wrote to memory of 2384 2724 Mpaoojjb.exe 36 PID 2384 wrote to memory of 2928 2384 Nfncad32.exe 37 PID 2384 wrote to memory of 2928 2384 Nfncad32.exe 37 PID 2384 wrote to memory of 2928 2384 Nfncad32.exe 37 PID 2384 wrote to memory of 2928 2384 Nfncad32.exe 37 PID 2928 wrote to memory of 2976 2928 Nfppfcmj.exe 38 PID 2928 wrote to memory of 2976 2928 Nfppfcmj.exe 38 PID 2928 wrote to memory of 2976 2928 Nfppfcmj.exe 38 PID 2928 wrote to memory of 2976 2928 Nfppfcmj.exe 38 PID 2976 wrote to memory of 2952 2976 Nbljfdoh.exe 39 PID 2976 wrote to memory of 2952 2976 Nbljfdoh.exe 39 PID 2976 wrote to memory of 2952 2976 Nbljfdoh.exe 39 PID 2976 wrote to memory of 2952 2976 Nbljfdoh.exe 39 PID 2952 wrote to memory of 2380 2952 Omekgakg.exe 40 PID 2952 wrote to memory of 2380 2952 Omekgakg.exe 40 PID 2952 wrote to memory of 2380 2952 Omekgakg.exe 40 PID 2952 wrote to memory of 2380 2952 Omekgakg.exe 40 PID 2380 wrote to memory of 1752 2380 Ofbikf32.exe 41 PID 2380 wrote to memory of 1752 2380 Ofbikf32.exe 41 PID 2380 wrote to memory of 1752 2380 Ofbikf32.exe 41 PID 2380 wrote to memory of 1752 2380 Ofbikf32.exe 41 PID 1752 wrote to memory of 2168 1752 Obijpgcf.exe 42 PID 1752 wrote to memory of 2168 1752 Obijpgcf.exe 42 PID 1752 wrote to memory of 2168 1752 Obijpgcf.exe 42 PID 1752 wrote to memory of 2168 1752 Obijpgcf.exe 42 PID 2168 wrote to memory of 668 2168 Popkeh32.exe 43 PID 2168 wrote to memory of 668 2168 Popkeh32.exe 43 PID 2168 wrote to memory of 668 2168 Popkeh32.exe 43 PID 2168 wrote to memory of 668 2168 Popkeh32.exe 43 PID 668 wrote to memory of 2172 668 Ppogok32.exe 44 PID 668 wrote to memory of 2172 668 Ppogok32.exe 44 PID 668 wrote to memory of 2172 668 Ppogok32.exe 44 PID 668 wrote to memory of 2172 668 Ppogok32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe"C:\Users\Admin\AppData\Local\Temp\b9bf2abfe0a730ea8f9b7341bd8d0cc6cf69055931849d5b49e76e697b7f279e.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Kgmkef32.exeC:\Windows\system32\Kgmkef32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Lcfhpf32.exeC:\Windows\system32\Lcfhpf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Lhjghlng.exeC:\Windows\system32\Lhjghlng.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Mqhhbn32.exeC:\Windows\system32\Mqhhbn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Mpaoojjb.exeC:\Windows\system32\Mpaoojjb.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Nfncad32.exeC:\Windows\system32\Nfncad32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Nfppfcmj.exeC:\Windows\system32\Nfppfcmj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Omekgakg.exeC:\Windows\system32\Omekgakg.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Obijpgcf.exeC:\Windows\system32\Obijpgcf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Ppogok32.exeC:\Windows\system32\Ppogok32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Pkihpi32.exeC:\Windows\system32\Pkihpi32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Pddinn32.exeC:\Windows\system32\Pddinn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Ppjjcogn.exeC:\Windows\system32\Ppjjcogn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Qnoklc32.exeC:\Windows\system32\Qnoklc32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Acplpjpj.exeC:\Windows\system32\Acplpjpj.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Aogmdk32.exeC:\Windows\system32\Aogmdk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Acdfki32.exeC:\Windows\system32\Acdfki32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Aokfpjai.exeC:\Windows\system32\Aokfpjai.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Bkddjkej.exeC:\Windows\system32\Bkddjkej.exe27⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Bdoeipjh.exeC:\Windows\system32\Bdoeipjh.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Biakbc32.exeC:\Windows\system32\Biakbc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Dahobdpe.exeC:\Windows\system32\Dahobdpe.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Dihmae32.exeC:\Windows\system32\Dihmae32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Ddnaonia.exeC:\Windows\system32\Ddnaonia.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Dogbolep.exeC:\Windows\system32\Dogbolep.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Eiocbd32.exeC:\Windows\system32\Eiocbd32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Eolljk32.exeC:\Windows\system32\Eolljk32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Edkahbmo.exeC:\Windows\system32\Edkahbmo.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Eaoaafli.exeC:\Windows\system32\Eaoaafli.exe39⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Fimclh32.exeC:\Windows\system32\Fimclh32.exe40⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Fcegdnna.exeC:\Windows\system32\Fcegdnna.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Fefpfi32.exeC:\Windows\system32\Fefpfi32.exe42⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Fondonbc.exeC:\Windows\system32\Fondonbc.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Fdmjmenh.exeC:\Windows\system32\Fdmjmenh.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Gdpfbd32.exeC:\Windows\system32\Gdpfbd32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Goekpm32.exeC:\Windows\system32\Goekpm32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1224 -
C:\Windows\SysWOW64\Gjolpkhj.exeC:\Windows\system32\Gjolpkhj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Gcgpiq32.exeC:\Windows\system32\Gcgpiq32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Glpdbfek.exeC:\Windows\system32\Glpdbfek.exe50⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Gjcekj32.exeC:\Windows\system32\Gjcekj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\Gopnca32.exeC:\Windows\system32\Gopnca32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Hjfbaj32.exeC:\Windows\system32\Hjfbaj32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Hobjia32.exeC:\Windows\system32\Hobjia32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Hjhofj32.exeC:\Windows\system32\Hjhofj32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Hoegoqng.exeC:\Windows\system32\Hoegoqng.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Hogddpld.exeC:\Windows\system32\Hogddpld.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Hedllgjk.exeC:\Windows\system32\Hedllgjk.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Hojqjp32.exeC:\Windows\system32\Hojqjp32.exe59⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Hibebeqb.exeC:\Windows\system32\Hibebeqb.exe60⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Ibjikk32.exeC:\Windows\system32\Ibjikk32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1804 -
C:\Windows\SysWOW64\Ikbndqnc.exeC:\Windows\system32\Ikbndqnc.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Icnbic32.exeC:\Windows\system32\Icnbic32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Iabcbg32.exeC:\Windows\system32\Iabcbg32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Ifoljn32.exeC:\Windows\system32\Ifoljn32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Ipgpcc32.exeC:\Windows\system32\Ipgpcc32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Iiodliep.exeC:\Windows\system32\Iiodliep.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1212 -
C:\Windows\SysWOW64\Ibhieo32.exeC:\Windows\system32\Ibhieo32.exe68⤵PID:1984
-
C:\Windows\SysWOW64\Jlpmndba.exeC:\Windows\system32\Jlpmndba.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Jidngh32.exeC:\Windows\system32\Jidngh32.exe70⤵
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Jblbpnhk.exeC:\Windows\system32\Jblbpnhk.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Jhikhefb.exeC:\Windows\system32\Jhikhefb.exe72⤵PID:2848
-
C:\Windows\SysWOW64\Jaaoakmc.exeC:\Windows\system32\Jaaoakmc.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Jlgcncli.exeC:\Windows\system32\Jlgcncli.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Jadlgjjq.exeC:\Windows\system32\Jadlgjjq.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Johlpoij.exeC:\Windows\system32\Johlpoij.exe76⤵PID:2916
-
C:\Windows\SysWOW64\Kpiihgoh.exeC:\Windows\system32\Kpiihgoh.exe77⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Kaieai32.exeC:\Windows\system32\Kaieai32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\Kkajkoml.exeC:\Windows\system32\Kkajkoml.exe79⤵PID:568
-
C:\Windows\SysWOW64\Kmpfgklo.exeC:\Windows\system32\Kmpfgklo.exe80⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Kblooa32.exeC:\Windows\system32\Kblooa32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2312 -
C:\Windows\SysWOW64\Kppohf32.exeC:\Windows\system32\Kppohf32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Kgjgepqm.exeC:\Windows\system32\Kgjgepqm.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Kihcakpa.exeC:\Windows\system32\Kihcakpa.exe84⤵
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Koelibnh.exeC:\Windows\system32\Koelibnh.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Keodflee.exeC:\Windows\system32\Keodflee.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Lafekm32.exeC:\Windows\system32\Lafekm32.exe87⤵PID:2240
-
C:\Windows\SysWOW64\Lllihf32.exeC:\Windows\system32\Lllihf32.exe88⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Ldgnmhhj.exeC:\Windows\system32\Ldgnmhhj.exe89⤵PID:2632
-
C:\Windows\SysWOW64\Ldikbhfh.exeC:\Windows\system32\Ldikbhfh.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Lgjcdc32.exeC:\Windows\system32\Lgjcdc32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Ndnplk32.exeC:\Windows\system32\Ndnplk32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Ncggifep.exeC:\Windows\system32\Ncggifep.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Njaoeq32.exeC:\Windows\system32\Njaoeq32.exe94⤵
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Ncjcnfcn.exeC:\Windows\system32\Ncjcnfcn.exe95⤵PID:3004
-
C:\Windows\SysWOW64\Olehbh32.exeC:\Windows\system32\Olehbh32.exe96⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Oenmkngi.exeC:\Windows\system32\Oenmkngi.exe97⤵
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe98⤵PID:1948
-
C:\Windows\SysWOW64\Ofmiea32.exeC:\Windows\system32\Ofmiea32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1476 -
C:\Windows\SysWOW64\Oljanhmc.exeC:\Windows\system32\Oljanhmc.exe100⤵
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Oinbglkm.exeC:\Windows\system32\Oinbglkm.exe101⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe102⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Ohcohh32.exeC:\Windows\system32\Ohcohh32.exe103⤵PID:2736
-
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe104⤵PID:2628
-
C:\Windows\SysWOW64\Pnodjb32.exeC:\Windows\system32\Pnodjb32.exe105⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Phhhchlp.exeC:\Windows\system32\Phhhchlp.exe106⤵
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Pjfdpckc.exeC:\Windows\system32\Pjfdpckc.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Pdnihiad.exeC:\Windows\system32\Pdnihiad.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Pjhaec32.exeC:\Windows\system32\Pjhaec32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Pljnmkoo.exeC:\Windows\system32\Pljnmkoo.exe110⤵PID:2196
-
C:\Windows\SysWOW64\Pebbeq32.exeC:\Windows\system32\Pebbeq32.exe111⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Ppgfciee.exeC:\Windows\system32\Ppgfciee.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Pfaopc32.exeC:\Windows\system32\Pfaopc32.exe113⤵PID:856
-
C:\Windows\SysWOW64\Qlnghj32.exeC:\Windows\system32\Qlnghj32.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe115⤵
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Qoopie32.exeC:\Windows\system32\Qoopie32.exe116⤵
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Qeihfp32.exeC:\Windows\system32\Qeihfp32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Agmacgcc.exeC:\Windows\system32\Agmacgcc.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Aodjdede.exeC:\Windows\system32\Aodjdede.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Adqbml32.exeC:\Windows\system32\Adqbml32.exe121⤵
- Drops file in System32 directory
PID:1748
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-