Analysis

max time kernel: 65s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21-08-2024 21:57

Static task: static1
Behavioral task: behavioral1
  Sample: 8c8078c3b238e9572d99fd91b396fb50N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 8c8078c3b238e9572d99fd91b396fb50N.exe
  Resource: win10v2004-20240802-en

The results on this page are from behavioral1 (the Windows 7 x64 run on win7-20240704-en); the behavioral2 run on win10v2004-20240802-en is listed but its results are not shown here.
General

Target: 8c8078c3b238e9572d99fd91b396fb50N.exe
Size: 128KB
MD5: 8c8078c3b238e9572d99fd91b396fb50
SHA1: f3b65d2de63a1f29218c0412ffd4828f0680eba1
SHA256: 2802d8c39a048485b621136dc9ebf8a8d0d6e83231f3741fc82ef20b714cea48
SHA512: 51f001493bccd10d0b0a64822d4bb74978175c5399220a01da9e5e2f9ad0e47369b7bc2704915420ee0e299b505b6264c3da24b93f4a10effb01b9e51ba2ad61
SSDEEP: 3072:yG5f0RdObtU4Hxz3zMQJ661r4xhtXPmW2wS7IrHrYj:FwdDK1ra/mHwMOHm

The submitted file name is the sample's MD5 with an "N" suffix, so it carries no information about the original file name.
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 IoCs touch the same ShellServiceObjectDelayLoad (SSODL) key in the 32-bit (Wow6432Node) view of HKLM. Explorer.exe loads the in-process COM servers listed under this key at start-up, so a single string value here is enough to get a DLL into Explorer on every logon. Every dropped stage either creates the key or writes the same value, "Web Event Logger", pointing at CLSID {79FAA099-1BAE-816E-D711-115290CEE717}; the InProcServer32 registrations for that CLSID are in "Modifies registry class" below.

Key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value (str): Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"

Set value (str), 34 processes: Hffkhlof.exe, Cpdeghgk.exe, Dgocadqk.exe, Hiahfo32.exe, Ifhacfhj.exe, Qhoeqide.exe, Dlppgihj.exe, Hjgnhf32.exe, Hfnomgqe.exe, Acdhen32.exe, Mfpdim32.exe, Cckhlhcj.exe, Hqojpqdp.exe, Acabmpem.exe, Feaeni32.exe, Bhcfiogc.exe, Eonhbg32.exe, Gabpco32.exe, Jfbnmckp.exe, Dqagddge.exe, Lfjipe32.exe, Noecjh32.exe, Hfanlpff.exe, Nmglpjak.exe, Kamooe32.exe, Bqpejh32.exe, Ijgcmc32.exe, Bldbococ.exe, Ppogahko.exe, Hgdagelg.exe, Pbpbklpd.exe, Nbcmnklf.exe, Klnljghg.exe, Edpnfjap.exe

Key created, 30 processes: Lkmbliip.exe, Pnicgi32.exe, Qmhcnd32.exe, Lhabemgi.exe, Kacenp32.exe, Adeadmna.exe, Agmehd32.exe, Mjnohc32.exe, Lpadek32.exe, Lfjipe32.exe, Jojmigpn.exe, Nimeje32.exe, Jboapc32.exe, Nfhcmkkg.exe, Kobhkh32.exe, Emhbop32.exe, Hggegknp.exe, Gqgmdkgm.exe, Pphlokep.exe, Fgbpmh32.exe, Didiclbc.exe, Imgmonga.exe, Pcbmhb32.exe, Fbqllnco.exe, Cbhahigb.exe, Mgillijo.exe, Bkdokjdd.exe, Mqfajdpe.exe, Ldhcjn32.exe, Pmcjceam.exe
Executes dropped EXE (64 IoCs)

pid / process, in the order the sandbox recorded them (the order matches the parent-to-child chain in "Suspicious use of WriteProcessMemory" below):
2456 Kckeno32.exe, 2196 Khgnff32.exe, 2752 Kcmbco32.exe, 2888 Lhodgebh.exe, 2788 Lnklol32.exe, 2652 Lbieejff.exe, 764 Lmcfeh32.exe, 2152 Mqqolfik.exe, 2868 Mfpdim32.exe, 1296 Mbgdonkd.exe, 1800 Mgfjld32.exe, 2948 Naqkki32.exe, 2044 Nmglpjak.exe, 2340 Nnghjm32.exe, 2136 Ndfmgdeb.exe, 2344 Oicfpkci.exe,
2772 Omqnfiip.exe, 1352 Oodhca32.exe, 920 Okkhhb32.exe, 2036 Phaegfpg.exe, 2348 Pkboiamh.exe, 1664 Ppogahko.exe, 2296 Pcbmhb32.exe, 952 Qhoeqide.exe, 1292 Qcgfcbbh.exe, 2380 Aomghchl.exe, 2240 Agikmeeg.exe, 2480 Anepooja.exe, 2684 Agmehd32.exe, 2892 Ammjekmg.exe, 2776 Bomcgfjh.exe, 2988 Bkdclgpl.exe,
2516 Bkfqbgni.exe, 2088 Cgdggg32.exe, 2160 Cckhlhcj.exe, 1072 Ccmdbg32.exe, 1480 Cpdeghgk.exe, 2500 Dmhfpmee.exe, 1564 Deckeo32.exe, 2708 Dlppgihj.exe, 2352 Dhimaill.exe, 2112 Edpnfjap.exe, 2188 Emhbop32.exe, 2100 Eklbid32.exe, 2096 Eddgaj32.exe, 2032 Eiapjq32.exe, 668 Eonhbg32.exe, 1452 Eiclop32.exe,
3012 Eaoadb32.exe, 876 Fldeakgp.exe, 2208 Fkibbh32.exe, 2476 Fhmblljb.exe, 2768 Fgbpmh32.exe, 3056 Fdfpfm32.exe, 2700 Fkphcg32.exe, 2968 Gqmqkn32.exe, 2092 Gnaadb32.exe, 860 Ggifmgia.exe, 900 Gmfnen32.exe, 1576 Gbcgne32.exe, 1548 Gcbchhmc.exe, 1848 Goidmibg.exe, 3036 Hiahfo32.exe, 1652 Hbjmodph.exe
Loads dropped DLL (64 IoCs)

64 load events from 32 processes; the report lists every process twice (two load events each). pid / process:
1996 8c8078c3b238e9572d99fd91b396fb50N.exe, 2456 Kckeno32.exe, 2196 Khgnff32.exe, 2752 Kcmbco32.exe, 2888 Lhodgebh.exe, 2788 Lnklol32.exe, 2652 Lbieejff.exe, 764 Lmcfeh32.exe, 2152 Mqqolfik.exe, 2868 Mfpdim32.exe, 1296 Mbgdonkd.exe, 1800 Mgfjld32.exe, 2948 Naqkki32.exe, 2044 Nmglpjak.exe, 2340 Nnghjm32.exe, 2136 Ndfmgdeb.exe,
2344 Oicfpkci.exe, 2772 Omqnfiip.exe, 1352 Oodhca32.exe, 920 Okkhhb32.exe, 2036 Phaegfpg.exe, 2348 Pkboiamh.exe, 1664 Ppogahko.exe, 2296 Pcbmhb32.exe, 952 Qhoeqide.exe, 1292 Qcgfcbbh.exe, 2380 Aomghchl.exe, 2240 Agikmeeg.exe, 2480 Anepooja.exe, 2684 Agmehd32.exe, 2892 Ammjekmg.exe, 2776 Bomcgfjh.exe
Drops file in System32 directory (64 IoCs)

All paths are under C:\Windows\SysWOW64\ (the 32-bit system directory on this x64 image). Each entry is "dropped file by writing process". Every "File created" DLL is a candidate in-process COM server for the CLSID registered in "Modifies registry class" below (e.g. Gooealak.dll, created by Jdnkamhm.exe, is also the InProcServer32 path Jdnkamhm.exe registers there); every "File opened for modification" target is the next .exe stage.

File created (45):
Bnclge32.dll by Ojfhblci.exe, Qofjmnji.exe by Plgmabke.exe, Oaecne32.exe by Oflbmg32.exe, Lopmea32.dll by Fbnpfnfa.exe, Nbcmnklf.exe by Nmgeedno.exe, Dbijfbdg.dll by Jiecdn32.exe, Phgjnm32.exe by Pbhepfbq.exe, Gojpmapo.dll by Ccmdbg32.exe, Icgphnbc.dll by Cpdeghgk.exe, Gqmqkn32.exe by Fkphcg32.exe, Gooealak.dll by Jdnkamhm.exe, Igaapiqe.exe by Hbdihbbn.exe,
Kckeno32.exe by 8c8078c3b238e9572d99fd91b396fb50N.exe, Kfpmfgpn.exe by Kacenp32.exe, Damjhhne.exe by Dgdfocge.exe, Eempcfbi.exe by Eldkkali.exe, Lkqkdjbe.dll by Pplcabif.exe, Hgfnbp32.dll by Oodhca32.exe, Cgdggg32.exe by Bkfqbgni.exe, Hhohdn32.dll by Lfjipe32.exe, Mklhpfho.exe by Mgoojgai.exe, Klkmkoce.exe by Kbchbi32.exe, Dgdfocge.exe by Dmkeoekf.exe, Gcceqa32.exe by Gndpcj32.exe,
Jmoijc32.exe by Jhbaam32.exe, Hqojpqdp.exe by Hggegknp.exe, Mqfajdpe.exe by Mdmdpd32.exe, Kfbjlgnk.exe by Kmjeca32.exe, Anobknbi.dll by Dlboeanl.exe, Nnnbmk32.dll by Fdgboe32.exe, Eieonq32.dll by Hnapln32.exe, Magdnija.dll by Bkdokjdd.exe, Dcjdnp32.dll by Gcbchhmc.exe, Gmeqepdc.dll by Eiclop32.exe, Mgillijo.exe by Maldcblg.exe, Fajmoa32.dll by Bjamhh32.exe,
Paobhd32.dll by Mgoojgai.exe, Dkbpbi32.dll by Nqlmnldd.exe, Cfagmn32.exe by Cmibdh32.exe, Mcmiqdnj.exe by Mhgeckoc.exe, Qqjcoo32.dll by Laenccbo.exe, Ndfmgdeb.exe by Nnghjm32.exe, Hgjdecca.exe by Hnapln32.exe, Eklbid32.exe by Emhbop32.exe, Pnicgi32.exe by Oaecne32.exe

File opened for modification (19):
Ojckmm32.exe by Oiboedpn.exe, Gmfnen32.exe by Ggifmgia.exe, Opgjfb32.exe by Ojjanlod.exe, Ddjmaebi.exe by Didiclbc.exe, Hjgnhf32.exe by Hqojpqdp.exe, Omddohbm.exe by Ojfhblci.exe, Jifmgman.exe by Jcidofcf.exe, Pkboiamh.exe by Phaegfpg.exe, Mgfjld32.exe by Mbgdonkd.exe, Oicfpkci.exe by Ndfmgdeb.exe,
Fgbpmh32.exe by Fhmblljb.exe, Mqqolfik.exe by Lmcfeh32.exe, Oodhca32.exe by Omqnfiip.exe, Keicbcqp.exe by Kmnonqce.exe, Jmoijc32.exe by Jhbaam32.exe, Mknbmm32.exe by Mddjpbgl.exe, Gbcgne32.exe by Gmfnen32.exe, Ihinkn32.exe by Ifhacfhj.exe, Nfhcmkkg.exe by Mmpodedg.exe
Program crash (1 IoC)

pid 2684 (WerFault.exe) reported a crash of pid_target 2752 (procid_target 366). PID 2752 is Kcmbco32.exe in the process list above, the third dropped stage; the chain nevertheless continued, since 2752 had already started 2888 (Lhodgebh.exe) according to the WriteProcessMemory records below.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this is a low-confidence indicator: the key below is also read by ordinary locale-aware code, so it only adds weight here because 64 dropped stages open it.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Opened by (64 processes): Jiiimmok.exe, Acjllqke.exe, Fdgboe32.exe, Bciaqnje.exe, Iidccj32.exe, Jcidofcf.exe, Cgdggg32.exe, Hbjmodph.exe, Omaqoa32.exe, Kckeno32.exe, Mjnohc32.exe, Bokapipc.exe, Opgjfb32.exe, Ahijpa32.exe, Didiclbc.exe, Feblho32.exe, Eldkkali.exe, Qhoeqide.exe, Pbjpmmij.exe, Ifhacfhj.exe, Jdnkamhm.exe, Mddjpbgl.exe, Opempcpn.exe,
Edljfd32.exe, Gqgmdkgm.exe, Naqkki32.exe, Fkibbh32.exe, Jcggjg32.exe, Pmcjceam.exe, Cjcflkdm.exe, Lkjolc32.exe, Mgoojgai.exe, Noecjh32.exe, Hgfnlejd.exe, Ngmbfl32.exe, Olfnpnfl.exe, Agngqmhf.exe, 8c8078c3b238e9572d99fd91b396fb50N.exe, Kobhkh32.exe, Mqfajdpe.exe, Jmjidneo.exe, Lmkhmn32.exe, Agmehd32.exe, Klkmkoce.exe, Ckklfoah.exe, Kbchbi32.exe,
Qkmjbo32.exe, Lfjipe32.exe, Pbmoke32.exe, Fhnede32.exe, Jikjcikm.exe, Jojmigpn.exe, Fbnpfnfa.exe, Eddgaj32.exe, Fdfpfm32.exe, Imccco32.exe, Lnklol32.exe, Lbieejff.exe, Nbaqhk32.exe, Pcbmhb32.exe, Bkfqbgni.exe, Omddohbm.exe, Ojhehlag.exe, Jfdjbcim.exe
Modifies registry class (64 IoCs)

All 64 entries are under the InProcServer32 subkey of the CLSID that the SSODL value "Web Event Logger" (see "Adds autorun key" above) points at. Together the two signatures are one persistence mechanism: the SSODL value names the CLSID, and InProcServer32's default value names the DLL that Explorer.exe loads for it. Each stage re-points the default value at the DLL it has just dropped into SysWow64, so the path changes from stage to stage while the CLSID stays the same.

Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32

Key created (21): Hdfoni32.exe, Opempcpn.exe, Jkegigal.exe, Ifhacfhj.exe, Hbdihbbn.exe, Iidccj32.exe, Lpbnijic.exe, Qhoeqide.exe, Opgjfb32.exe, Colhlcig.exe, Eidohiac.exe, Bkdokjdd.exe, Jhbaam32.exe, Gqgmdkgm.exe, Pbhepfbq.exe, Ilicgl32.exe, Ldhcjn32.exe, Pdflopoa.exe, Ppogahko.exe, Akbmqmgg.exe, Klkmkoce.exe

Set value (str) ThreadingModel = "Apartment" (23): Phdden32.exe, Bqpejh32.exe, Kacenp32.exe, Lenmnb32.exe, Bjamhh32.exe, Adeadmna.exe, Gnaadb32.exe, Ahijpa32.exe, Fkphcg32.exe, Mqfajdpe.exe, Bkdclgpl.exe, Cgdggg32.exe, Cenjoi32.exe, Jfbnmckp.exe, Nbqjne32.exe, Cckjeq32.exe, Kllodh32.exe, Bpmajb32.exe, Hfnhcami.exe, Dgdfocge.exe, Hjgnhf32.exe, Ggifmgia.exe, Hqojpqdp.exe

Set value (str) (Default) = "C:\Windows\SysWow64\<dll>" (20; listed as "dll by process"):
Jigijb32.dll by Aillbbdn.exe, Fidfhd32.dll by Jkegigal.exe, Pgnijemg.dll by Afmack32.exe, Ikfhqc32.dll by Anepooja.exe, Fiaagm32.dll by Jfgnbi32.exe, Gooealak.dll by Jdnkamhm.exe, Ggbclj32.dll by Mofnek32.exe, Mkaaik32.dll by Lcjkbl32.exe, Ojoeae32.dll by Mknbmm32.exe, Benolo32.dll by Mbgdonkd.exe,
Ogjhqmni.dll by Bokapipc.exe, Dlmdgdnq.dll by Gqmqkn32.exe, Hqbmomim.dll by Cjcflkdm.exe, Bicbeq32.dll by Hmhgjahb.exe, Edopja32.dll by Kckeno32.exe, Objqbjdf.dll by Nbcmnklf.exe, Daoklean.dll by Nmohjopk.exe, Pqdgaj32.dll by Hiahfo32.exe, Gndjpoaa.dll by Ijodiedi.exe, Djkmkp32.dll by Lpbnijic.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\8c8078c3b238e9572d99fd91b396fb50N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c8078c3b238e9572d99fd91b396fb50N.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1996
- Level 2: C:\Windows\SysWOW64\Kckeno32.exe
  Command line: C:\Windows\system32\Kckeno32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2456
- Level 3: C:\Windows\SysWOW64\Khgnff32.exe
  Command line: C:\Windows\system32\Khgnff32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2196
- Level 4: C:\Windows\SysWOW64\Kcmbco32.exe
  Command line: C:\Windows\system32\Kcmbco32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2752
- Level 5: C:\Windows\SysWOW64\Lhodgebh.exe
  Command line: C:\Windows\system32\Lhodgebh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2888
- Level 6: C:\Windows\SysWOW64\Lnklol32.exe
  Command line: C:\Windows\system32\Lnklol32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2788
- Level 7: C:\Windows\SysWOW64\Lbieejff.exe
  Command line: C:\Windows\system32\Lbieejff.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2652
- Level 8: C:\Windows\SysWOW64\Lmcfeh32.exe
  Command line: C:\Windows\system32\Lmcfeh32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 764
- Level 9: C:\Windows\SysWOW64\Mqqolfik.exe
  Command line: C:\Windows\system32\Mqqolfik.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2152
- Level 10: C:\Windows\SysWOW64\Mfpdim32.exe
  Command line: C:\Windows\system32\Mfpdim32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2868
- Level 11: C:\Windows\SysWOW64\Mbgdonkd.exe
  Command line: C:\Windows\system32\Mbgdonkd.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1296
- Level 12: C:\Windows\SysWOW64\Mgfjld32.exe
  Command line: C:\Windows\system32\Mgfjld32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1800
- Level 13: C:\Windows\SysWOW64\Naqkki32.exe
  Command line: C:\Windows\system32\Naqkki32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2948
- Level 14: C:\Windows\SysWOW64\Nmglpjak.exe
  Command line: C:\Windows\system32\Nmglpjak.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2044
- Level 15: C:\Windows\SysWOW64\Nnghjm32.exe
  Command line: C:\Windows\system32\Nnghjm32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2340
- Level 16: C:\Windows\SysWOW64\Ndfmgdeb.exe
  Command line: C:\Windows\system32\Ndfmgdeb.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2136
- Level 17: C:\Windows\SysWOW64\Oicfpkci.exe
  Command line: C:\Windows\system32\Oicfpkci.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2344
- Level 18: C:\Windows\SysWOW64\Omqnfiip.exe
  Command line: C:\Windows\system32\Omqnfiip.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID: 2772
- Level 19: C:\Windows\SysWOW64\Oodhca32.exe
  Command line: C:\Windows\system32\Oodhca32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID: 1352
- Level 20: C:\Windows\SysWOW64\Okkhhb32.exe
  Command line: C:\Windows\system32\Okkhhb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 920
- Level 21: C:\Windows\SysWOW64\Phaegfpg.exe
  Command line: C:\Windows\system32\Phaegfpg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID: 2036
- Level 22: C:\Windows\SysWOW64\Pkboiamh.exe
  Command line: C:\Windows\system32\Pkboiamh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2348
- Level 23: C:\Windows\SysWOW64\Ppogahko.exe
  Command line: C:\Windows\system32\Ppogahko.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID: 1664
- Level 24: C:\Windows\SysWOW64\Pcbmhb32.exe
  Command line: C:\Windows\system32\Pcbmhb32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2296
- Level 25: C:\Windows\SysWOW64\Qhoeqide.exe
  Command line: C:\Windows\system32\Qhoeqide.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 952
- Level 26: C:\Windows\SysWOW64\Qcgfcbbh.exe
  Command line: C:\Windows\system32\Qcgfcbbh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1292
- Level 27: C:\Windows\SysWOW64\Aomghchl.exe
  Command line: C:\Windows\system32\Aomghchl.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2380
- Level 28: C:\Windows\SysWOW64\Agikmeeg.exe
  Command line: C:\Windows\system32\Agikmeeg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2240
- Level 29: C:\Windows\SysWOW64\Anepooja.exe
  Command line: C:\Windows\system32\Anepooja.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID: 2480
- Level 30: C:\Windows\SysWOW64\Agmehd32.exe
  Command line: C:\Windows\system32\Agmehd32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2684
- Level 31: C:\Windows\SysWOW64\Ammjekmg.exe
  Command line: C:\Windows\system32\Ammjekmg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2892
- Level 32: C:\Windows\SysWOW64\Bomcgfjh.exe
  Command line: C:\Windows\system32\Bomcgfjh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2776
- Level 33: C:\Windows\SysWOW64\Bkdclgpl.exe
  Command line: C:\Windows\system32\Bkdclgpl.exe
  - Executes dropped EXE
  - Modifies registry class
  PID: 2988
- Level 34: C:\Windows\SysWOW64\Bkfqbgni.exe
  Command line: C:\Windows\system32\Bkfqbgni.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2516
- Level 35: C:\Windows\SysWOW64\Cgdggg32.exe
  Command line: C:\Windows\system32\Cgdggg32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2088
- Level 36: C:\Windows\SysWOW64\Cckhlhcj.exe
  Command line: C:\Windows\system32\Cckhlhcj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 2160
- Level 37: C:\Windows\SysWOW64\Ccmdbg32.exe
  Command line: C:\Windows\system32\Ccmdbg32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1072
- Level 38: C:\Windows\SysWOW64\Cpdeghgk.exe
  Command line: C:\Windows\system32\Cpdeghgk.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1480
- Level 39: C:\Windows\SysWOW64\Dmhfpmee.exe
  Command line: C:\Windows\system32\Dmhfpmee.exe
  - Executes dropped EXE
  PID: 2500
- Level 40: C:\Windows\SysWOW64\Deckeo32.exe
  Command line: C:\Windows\system32\Deckeo32.exe
  - Executes dropped EXE
  PID: 1564
- Level 41: C:\Windows\SysWOW64\Dlppgihj.exe
  Command line: C:\Windows\system32\Dlppgihj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 2708
- Level 42: C:\Windows\SysWOW64\Dhimaill.exe
  Command line: C:\Windows\system32\Dhimaill.exe
  - Executes dropped EXE
  PID: 2352
- Level 43: C:\Windows\SysWOW64\Edpnfjap.exe
  Command line: C:\Windows\system32\Edpnfjap.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 2112
- Level 44: C:\Windows\SysWOW64\Emhbop32.exe
  Command line: C:\Windows\system32\Emhbop32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2188
- Level 45: C:\Windows\SysWOW64\Eklbid32.exe
  Command line: C:\Windows\system32\Eklbid32.exe
  - Executes dropped EXE
  PID: 2100
- Level 46: C:\Windows\SysWOW64\Eddgaj32.exe
  Command line: C:\Windows\system32\Eddgaj32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2096
- Level 47: C:\Windows\SysWOW64\Eiapjq32.exe
  Command line: C:\Windows\system32\Eiapjq32.exe
  - Executes dropped EXE
  PID: 2032
- Level 48: C:\Windows\SysWOW64\Eonhbg32.exe
  Command line: C:\Windows\system32\Eonhbg32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 668
- Level 49: C:\Windows\SysWOW64\Eiclop32.exe
  Command line: C:\Windows\system32\Eiclop32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1452
- Level 50: C:\Windows\SysWOW64\Eaoadb32.exe
  Command line: C:\Windows\system32\Eaoadb32.exe
  - Executes dropped EXE
  PID: 3012
- Level 51: C:\Windows\SysWOW64\Fldeakgp.exe
  Command line: C:\Windows\system32\Fldeakgp.exe
  - Executes dropped EXE
  PID: 876
- Level 52: C:\Windows\SysWOW64\Fkibbh32.exe
  Command line: C:\Windows\system32\Fkibbh32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2208
- Level 53: C:\Windows\SysWOW64\Fhmblljb.exe
  Command line: C:\Windows\system32\Fhmblljb.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2476
- Level 54: C:\Windows\SysWOW64\Fgbpmh32.exe
  Command line: C:\Windows\system32\Fgbpmh32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 2768
- Level 55: C:\Windows\SysWOW64\Fdfpfm32.exe
  Command line: C:\Windows\system32\Fdfpfm32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3056
- Level 56: C:\Windows\SysWOW64\Fkphcg32.exe
  Command line: C:\Windows\system32\Fkphcg32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID: 2700
- Level 57: C:\Windows\SysWOW64\Gqmqkn32.exe
  Command line: C:\Windows\system32\Gqmqkn32.exe
  - Executes dropped EXE
  - Modifies registry class
  PID: 2968
- Level 58: C:\Windows\SysWOW64\Gnaadb32.exe
  Command line: C:\Windows\system32\Gnaadb32.exe
  - Executes dropped EXE
  - Modifies registry class
  PID: 2092
- Level 59: C:\Windows\SysWOW64\Ggifmgia.exe
  Command line: C:\Windows\system32\Ggifmgia.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID: 860
- Level 60: C:\Windows\SysWOW64\Gmfnen32.exe
  Command line: C:\Windows\system32\Gmfnen32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 900
- Level 61: C:\Windows\SysWOW64\Gbcgne32.exe
  Command line: C:\Windows\system32\Gbcgne32.exe
  - Executes dropped EXE
  PID: 1576
- Level 62: C:\Windows\SysWOW64\Gcbchhmc.exe
  Command line: C:\Windows\system32\Gcbchhmc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1548
- Level 63: C:\Windows\SysWOW64\Goidmibg.exe
  Command line: C:\Windows\system32\Goidmibg.exe
  - Executes dropped EXE
  PID: 1848
- Level 64: C:\Windows\SysWOW64\Hiahfo32.exe
  Command line: C:\Windows\system32\Hiahfo32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID: 3036
- Level 65: C:\Windows\SysWOW64\Hbjmodph.exe
  Command line: C:\Windows\system32\Hbjmodph.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1652
- Level 66: C:\Windows\SysWOW64\Hggegknp.exe
  Command line: C:\Windows\system32\Hggegknp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID: 1016
- Level 67: C:\Windows\SysWOW64\Hqojpqdp.exe
  Command line: C:\Windows\system32\Hqojpqdp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID: 2020
- Level 68: C:\Windows\SysWOW64\Hjgnhf32.exe
  Command line: C:\Windows\system32\Hjgnhf32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID: 1288
- Level 69: C:\Windows\SysWOW64\Hfnomgqe.exe
  Command line: C:\Windows\system32\Hfnomgqe.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 1788
- Level 70: C:\Windows\SysWOW64\Hmhgjahb.exe
  Command line: C:\Windows\system32\Hmhgjahb.exe
  - Modifies registry class
  PID: 1752
- Level 71: C:\Windows\SysWOW64\Hfqlcg32.exe
  Command line: C:\Windows\system32\Hfqlcg32.exe
  PID: 1604
- Level 72: C:\Windows\SysWOW64\Hafppp32.exe
  Command line: C:\Windows\system32\Hafppp32.exe
  PID: 2736
- Level 73: C:\Windows\SysWOW64\Ijodiedi.exe
  Command line: C:\Windows\system32\Ijodiedi.exe
  - Modifies registry class
  PID: 2676
- Level 74: C:\Windows\SysWOW64\Ipkmal32.exe
  Command line: C:\Windows\system32\Ipkmal32.exe
  PID: 2568
- Level 75: C:\Windows\SysWOW64\Imomkp32.exe
  Command line: C:\Windows\system32\Imomkp32.exe
  PID: 2608
- Level 76: C:\Windows\SysWOW64\Ifhacfhj.exe
  Command line: C:\Windows\system32\Ifhacfhj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2980
- Level 77: C:\Windows\SysWOW64\Ihinkn32.exe
  Command line: C:\Windows\system32\Ihinkn32.exe
  PID: 2512
- Level 78: C:\Windows\SysWOW64\Ifjoie32.exe
  Command line: C:\Windows\system32\Ifjoie32.exe
  PID: 2472
- Level 79: C:\Windows\SysWOW64\Ipbcbkmh.exe
  Command line: C:\Windows\system32\Ipbcbkmh.exe
  PID: 2860
- Level 80: C:\Windows\SysWOW64\Iacojc32.exe
  Command line: C:\Windows\system32\Iacojc32.exe
  PID: 1188
- Level 81: C:\Windows\SysWOW64\Ilicgl32.exe
  Command line: C:\Windows\system32\Ilicgl32.exe
  - Modifies registry class
  PID: 1336
- Level 82: C:\Windows\SysWOW64\Jaflocqd.exe
  Command line: C:\Windows\system32\Jaflocqd.exe
  PID: 2224
- Level 83: C:\Windows\SysWOW64\Jojmigpn.exe
  Command line: C:\Windows\system32\Jojmigpn.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
  PID: 3048
- Level 84: C:\Windows\SysWOW64\Jhbaam32.exe
  Command line: C:\Windows\system32\Jhbaam32.exe
  - Drops file in System32 directory
  - Modifies registry class
  PID: 2820
- Level 85: C:\Windows\SysWOW64\Jmoijc32.exe
  Command line: C:\Windows\system32\Jmoijc32.exe
  PID: 2412
- Level 86: C:\Windows\SysWOW64\Jfgnbi32.exe
  Command line: C:\Windows\system32\Jfgnbi32.exe
  - Modifies registry class
  PID: 2276
- Level 87: C:\Windows\SysWOW64\Jmafocbb.exe
  Command line: C:\Windows\system32\Jmafocbb.exe
  PID: 1992
- Level 88: C:\Windows\SysWOW64\Jkegigal.exe
  Command line: C:\Windows\system32\Jkegigal.exe
  - Modifies registry class
  PID: 1508
- Level 89: C:\Windows\SysWOW64\Jdnkamhm.exe
  Command line: C:\Windows\system32\Jdnkamhm.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 3028
- Level 90: C:\Windows\SysWOW64\Kbchbi32.exe
  Command line: C:\Windows\system32\Kbchbi32.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2728
- Level 91: C:\Windows\SysWOW64\Klkmkoce.exe
  Command line: C:\Windows\system32\Klkmkoce.exe
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2360
- Level 92: C:\Windows\SysWOW64\Kahedf32.exe
  Command line: C:\Windows\system32\Kahedf32.exe
  PID: 2976
- Level 93: C:\Windows\SysWOW64\Khbmqpii.exe
  Command line: C:\Windows\system32\Khbmqpii.exe
  PID: 1656
- Level 94: C:\Windows\SysWOW64\Kchaniho.exe
  Command line: C:\Windows\system32\Kchaniho.exe
  PID: 2420
- Level 95: C:\Windows\SysWOW64\Kdinea32.exe
  Command line: C:\Windows\system32\Kdinea32.exe
  PID: 556
- Level 96: C:\Windows\SysWOW64\Klpffn32.exe
  Command line: C:\Windows\system32\Klpffn32.exe
  PID: 2256
- Level 97: C:\Windows\SysWOW64\Kamooe32.exe
  Command line: C:\Windows\system32\Kamooe32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 3044
- Level 98: C:\Windows\SysWOW64\Lcjkbl32.exe
  Command line: C:\Windows\system32\Lcjkbl32.exe
  - Modifies registry class
  PID: 1784
- Level 99: C:\Windows\SysWOW64\Mdmdpd32.exe
  Command line: C:\Windows\system32\Mdmdpd32.exe
  - Drops file in System32 directory
  PID: 2440
- Level 100: C:\Windows\SysWOW64\Mqfajdpe.exe
  Command line: C:\Windows\system32\Mqfajdpe.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2308
- Level 101: C:\Windows\SysWOW64\Mnjaci32.exe
  Command line: C:\Windows\system32\Mnjaci32.exe
  PID: 1740
- Level 102: C:\Windows\SysWOW64\Mddjpbgl.exe
  Command line: C:\Windows\system32\Mddjpbgl.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 1716
- Level 103: C:\Windows\SysWOW64\Mknbmm32.exe
  Command line: C:\Windows\system32\Mknbmm32.exe
  - Modifies registry class
  PID: 2488
- Level 104: C:\Windows\SysWOW64\Mmpodedg.exe
  Command line: C:\Windows\system32\Mmpodedg.exe
  - Drops file in System32 directory
  PID: 2904
- Level 105: C:\Windows\SysWOW64\Nfhcmkkg.exe
  Command line: C:\Windows\system32\Nfhcmkkg.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 2780
- Level 106: C:\Windows\SysWOW64\Nqngkcjm.exe
  Command line: C:\Windows\system32\Nqngkcjm.exe
  PID: 1728
- Level 107: C:\Windows\SysWOW64\Nfjpcjhe.exe
  Command line: C:\Windows\system32\Nfjpcjhe.exe
  PID: 2052
- Level 108: C:\Windows\SysWOW64\Nbaqhk32.exe
  Command line: C:\Windows\system32\Nbaqhk32.exe
  - System Location Discovery: System Language Discovery
  PID: 1696
- Level 109: C:\Windows\SysWOW64\Nmgeedno.exe
  Command line: C:\Windows\system32\Nmgeedno.exe
  - Drops file in System32 directory
  PID: 1536
- Level 110: C:\Windows\SysWOW64\Nbcmnklf.exe
  Command line: C:\Windows\system32\Nbcmnklf.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID: 1052
- Level 111: C:\Windows\SysWOW64\Nimeje32.exe
  Command line: C:\Windows\system32\Nimeje32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 2164
- Level 112: C:\Windows\SysWOW64\Npgngokp.exe
  Command line: C:\Windows\system32\Npgngokp.exe
  PID: 924
- Level 113: C:\Windows\SysWOW64\Nedfofig.exe
  Command line: C:\Windows\system32\Nedfofig.exe
  PID: 2320
- Level 114: C:\Windows\SysWOW64\Opjjlo32.exe
  Command line: C:\Windows\system32\Opjjlo32.exe
  PID: 868
- Level 115: C:\Windows\SysWOW64\Oiboedpn.exe
  Command line: C:\Windows\system32\Oiboedpn.exe
  - Drops file in System32 directory
  PID: 840
- Level 116: C:\Windows\SysWOW64\Ojckmm32.exe
  Command line: C:\Windows\system32\Ojckmm32.exe
  PID: 888
- Level 117: C:\Windows\SysWOW64\Oeipje32.exe
  Command line: C:\Windows\system32\Oeipje32.exe
  PID: 2128
- Level 118: C:\Windows\SysWOW64\Ojfhblci.exe
  Command line: C:\Windows\system32\Ojfhblci.exe
  - Drops file in System32 directory
  PID: 856
- Level 119: C:\Windows\SysWOW64\Omddohbm.exe
  Command line: C:\Windows\system32\Omddohbm.exe
  - System Location Discovery: System Language Discovery
  PID: 1528
- Level 120: C:\Windows\SysWOW64\Ohjhlqbc.exe
  Command line: C:\Windows\system32\Ohjhlqbc.exe
  PID: 2828
- Level 121: C:\Windows\SysWOW64\Ojhehlag.exe
  Command line: C:\Windows\system32\Ojhehlag.exe
  - System Location Discovery: System Language Discovery
  PID: 1700
- Level 122: C:\Windows\SysWOW64\Opempcpn.exe
  Command line: C:\Windows\system32\Opempcpn.exe
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 768