Analysis

max time kernel: 111s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21/08/2024, 10:14
Static task: static1
Behavioral task: behavioral1 (sample f0bda26593f7eb5827cb31d5e1796ad0N.exe, resource win7-20240708-en)
Behavioral task: behavioral2 (sample f0bda26593f7eb5827cb31d5e1796ad0N.exe, resource win10v2004-20240802-en)

The results on this page are from behavioral1 (platform windows7_x64, resource win7-20240708-en).
General

Target: f0bda26593f7eb5827cb31d5e1796ad0N.exe
Size: 2.3MB
MD5: f0bda26593f7eb5827cb31d5e1796ad0
SHA1: 4905a8e49749160a1c5f5a23ea3dd279d5f858c5
SHA256: 7ea42a5bda6e6f833a7cc7846a0330b9561adaed92f8de43b3523abd79e2e7ce
SHA512: e52ba09bf5f63cb68c596941080598993761354c27caa4c6e9feb9a8a73e9682961f50f7c745b7bb000144e29c9b6e1299e53c6b151eb0ada0a4ccdef96c33dd
SSDEEP: 3072:6WsugZ2gUDr+e9uYvliZ0I/I0Q5OPIN+/cuTQ2TgRX7Jg3A9z:p22PDT9VvliZVgp54tRo7KA9z
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Values under ShellServiceObjectDelayLoad name CLSIDs that Explorer.exe instantiates when the shell starts, so the in-process COM server registered for the CLSID (see "Modifies registry class" below) is loaded at every logon without a Run key or service. The sample is 32-bit, so on this x64 host the key landed in the Wow6432Node view of the registry; every generation of the dropper chain rewrites the same value.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfpflenm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpggnfap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecabfpff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edieng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjhfkqdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjpehn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qmohco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejeglg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdbfpafn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cioohh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcjffc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qegpbaqb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjeckk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmcbio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eopbooqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cioohh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knmjmodm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Neihmpon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aomdpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpiadq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldgikklb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dajiag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddjbbbna.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Allbpqcp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Genkhidc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iebmaoed.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acfpilmp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfjmkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqncnjan.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjnoacdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acdcdm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gimmbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fcckjb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgaikb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npbpjn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dljdcqek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dphmiokb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fflgahfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijcmipjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgebfi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Feiamj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmijmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdlcnkfg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdaedhoh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhojjjhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejnqkh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kemcookp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eopbooqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glpbiaqg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djahmk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjhfkqdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pinchq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Impblnna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihgcof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eloimcca.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehphdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Memonbnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdcbjhme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmhibenb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmhibenb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | f0bda26593f7eb5827cb31d5e1796ad0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cehlbihg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbbpmo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhlndj32.exe
Executes dropped EXE (64 IoCs)
pid | Process
692 | Hanenoeh.exe
1728 | Hdmajkdl.exe
3048 | Ijcmipjh.exe
2468 | Iaqnbb32.exe
3016 | Jnnehb32.exe
2396 | Jmcbio32.exe
2476 | Kicednho.exe
2484 | Kemcookp.exe
1592 | Ldgikklb.exe
2772 | Memonbnl.exe
2660 | Mgebfi32.exe
2636 | Npbpjn32.exe
1780 | Nhmdoq32.exe
2812 | Ocphembl.exe
2176 | Pjafbfca.exe
1944 | Pbaebh32.exe
1748 | Qpnkjq32.exe
2072 | Amalcd32.exe
1612 | Apbeeppo.exe
1956 | Aflmbj32.exe
2120 | Aeajcf32.exe
928 | Allbpqcp.exe
1020 | Alnoepam.exe
2200 | Bbhgbj32.exe
1168 | Bamdcf32.exe
2972 | Bfjmkn32.exe
1576 | Bkheal32.exe
1596 | Baannfim.exe
2552 | Bdbfpafn.exe
2564 | Cioohh32.exe
3000 | Clnkdc32.exe
2616 | Ccjpfmic.exe
2056 | Cehlbihg.exe
2376 | Chiedc32.exe
2392 | Coejfn32.exe
2764 | Dpggnfap.exe
952 | Dddodd32.exe
2448 | Dgclpp32.exe
600 | Djahmk32.exe
2712 | Djddbkck.exe
2644 | Dppiddie.exe
2184 | Dlgjie32.exe
2816 | Ecabfpff.exe
2076 | Eklgjbca.exe
2348 | Enjcfm32.exe
844 | Ebfpglkn.exe
3040 | Ehphdf32.exe
1440 | Ekqqea32.exe
1720 | Edieng32.exe
568 | Eggajb32.exe
2276 | Ejfnfn32.exe
1760 | Fjhjlm32.exe
2832 | Fmicnhob.exe
2516 | Fcckjb32.exe
3004 | Fefdhj32.exe
2068 | Fmnmih32.exe
2372 | Fpliec32.exe
2128 | Feiamj32.exe
2920 | Gjhfkqdm.exe
932 | Gboolneo.exe
2688 | Genkhidc.exe
1136 | Ghndjd32.exe
2720 | Gfcqkafl.exe
2792 | Gibmglep.exe
Loads dropped DLL (64 IoCs)
pid | Process (each pid appears twice in the original table, one row per load)
1048 | f0bda26593f7eb5827cb31d5e1796ad0N.exe
692 | Hanenoeh.exe
1728 | Hdmajkdl.exe
3048 | Ijcmipjh.exe
2468 | Iaqnbb32.exe
3016 | Jnnehb32.exe
2396 | Jmcbio32.exe
2476 | Kicednho.exe
2484 | Kemcookp.exe
1592 | Ldgikklb.exe
2772 | Memonbnl.exe
2660 | Mgebfi32.exe
2636 | Npbpjn32.exe
1780 | Nhmdoq32.exe
2812 | Ocphembl.exe
2176 | Pjafbfca.exe
1944 | Pbaebh32.exe
1748 | Qpnkjq32.exe
2072 | Amalcd32.exe
1612 | Apbeeppo.exe
1956 | Aflmbj32.exe
2120 | Aeajcf32.exe
928 | Allbpqcp.exe
1020 | Alnoepam.exe
2200 | Bbhgbj32.exe
1168 | Bamdcf32.exe
2972 | Bfjmkn32.exe
1576 | Bkheal32.exe
1596 | Baannfim.exe
2552 | Bdbfpafn.exe
2564 | Cioohh32.exe
3000 | Clnkdc32.exe
Drops file in System32 directory (64 IoCs)
Each generation writes the next .exe of the chain and a .dll (the COM server registered under "Modifies registry class") into C:\Windows\SysWOW64, the 32-bit system directory on this x64 host.
description | ioc | Process
File created | C:\Windows\SysWOW64\Pghmeikh.exe | Phcpdm32.exe
File created | C:\Windows\SysWOW64\Okmpmg32.dll | Pinchq32.exe
File opened for modification | C:\Windows\SysWOW64\Ihgcof32.exe | Ippkni32.exe
File created | C:\Windows\SysWOW64\Nibcgb32.exe | Ndekok32.exe
File opened for modification | C:\Windows\SysWOW64\Jpjndh32.exe | Jjpehn32.exe
File created | C:\Windows\SysWOW64\Immcccdb.dll | Llagegfb.exe
File created | C:\Windows\SysWOW64\Oodejhfg.exe | Ocmdeg32.exe
File created | C:\Windows\SysWOW64\Bpdgolml.exe | Bndjei32.exe
File created | C:\Windows\SysWOW64\Ekicjlai.exe | Dgkkdnkb.exe
File created | C:\Windows\SysWOW64\Lhfida32.dll | Idjjih32.exe
File opened for modification | C:\Windows\SysWOW64\Ijklmn32.exe | Ikfokb32.exe
File opened for modification | C:\Windows\SysWOW64\Chiedc32.exe | Cehlbihg.exe
File opened for modification | C:\Windows\SysWOW64\Coejfn32.exe | Chiedc32.exe
File created | C:\Windows\SysWOW64\Fefdhj32.exe | Fcckjb32.exe
File opened for modification | C:\Windows\SysWOW64\Knmjmodm.exe | Kmnnblmj.exe
File created | C:\Windows\SysWOW64\Lcolpe32.exe | Kqncnjan.exe
File created | C:\Windows\SysWOW64\Dbnijemn.dll | Cbpbek32.exe
File created | C:\Windows\SysWOW64\Pmfgjl32.dll | Jmcbio32.exe
File created | C:\Windows\SysWOW64\Memonbnl.exe | Ldgikklb.exe
File opened for modification | C:\Windows\SysWOW64\Eloimcca.exe | Elmmhc32.exe
File created | C:\Windows\SysWOW64\Npmfgd32.dll | Hbokkagk.exe
File created | C:\Windows\SysWOW64\Ehpeibla.dll | Neihmpon.exe
File created | C:\Windows\SysWOW64\Coejfn32.exe | Chiedc32.exe
File created | C:\Windows\SysWOW64\Gaiehjfb.exe | Gibmglep.exe
File created | C:\Windows\SysWOW64\Eomfiobe.exe | Eloimcca.exe
File opened for modification | C:\Windows\SysWOW64\Ggfgoo32.exe | Fgdjipfc.exe
File opened for modification | C:\Windows\SysWOW64\Fcckjb32.exe | Fmicnhob.exe
File created | C:\Windows\SysWOW64\Gcofqebd.dll | Cdhino32.exe
File opened for modification | C:\Windows\SysWOW64\Djddbkck.exe | Djahmk32.exe
File created | C:\Windows\SysWOW64\Jjcfbigh.dll | Bndjei32.exe
File created | C:\Windows\SysWOW64\Ggniamja.dll | Ndekok32.exe
File created | C:\Windows\SysWOW64\Linanl32.exe | Lilehl32.exe
File created | C:\Windows\SysWOW64\Mhjnniic.dll | Mbiokdam.exe
File opened for modification | C:\Windows\SysWOW64\Ejeglg32.exe | Eopbooqb.exe
File opened for modification | C:\Windows\SysWOW64\Ecabfpff.exe | Dlgjie32.exe
File created | C:\Windows\SysWOW64\Apddce32.dll | Dlgjie32.exe
File created | C:\Windows\SysWOW64\Jbbpmo32.exe | Jlckoh32.exe
File opened for modification | C:\Windows\SysWOW64\Mbiokdam.exe | Mpjboi32.exe
File created | C:\Windows\SysWOW64\Ejnqkh32.exe | Engpfgql.exe
File created | C:\Windows\SysWOW64\Kicednho.exe | Jmcbio32.exe
File created | C:\Windows\SysWOW64\Hmjoiblj.dll | Nhmdoq32.exe
File opened for modification | C:\Windows\SysWOW64\Pinchq32.exe | Pfpflenm.exe
File created | C:\Windows\SysWOW64\Opiajh32.dll | Dgkkdnkb.exe
File created | C:\Windows\SysWOW64\Iamnpbpo.dll | Bfifqg32.exe
File created | C:\Windows\SysWOW64\Klhniing.dll | Chiedc32.exe
File created | C:\Windows\SysWOW64\Dddodd32.exe | Dpggnfap.exe
File created | C:\Windows\SysWOW64\Mdcbjhme.exe | Mmijmn32.exe
File created | C:\Windows\SysWOW64\Lphqle32.dll | Gjeckk32.exe
File opened for modification | C:\Windows\SysWOW64\Hlbooaoe.exe | Hbjjfl32.exe
File created | C:\Windows\SysWOW64\Mkbjgp32.dll | Bfjmkn32.exe
File created | C:\Windows\SysWOW64\Dpggnfap.exe | Coejfn32.exe
File created | C:\Windows\SysWOW64\Aebljh32.dll | Fjhjlm32.exe
File created | C:\Windows\SysWOW64\Lgcpojic.dll | Jlckoh32.exe
File created | C:\Windows\SysWOW64\Bnmnbiph.dll | Elmmhc32.exe
File created | C:\Windows\SysWOW64\Ggppeg32.dll | Kicednho.exe
File created | C:\Windows\SysWOW64\Plfmlj32.dll | Bkheal32.exe
File created | C:\Windows\SysWOW64\Bjamab32.dll | Kqncnjan.exe
File created | C:\Windows\SysWOW64\Lpjpgo32.dll | Pnebgcqb.exe
File created | C:\Windows\SysWOW64\Pnebgcqb.exe | Pfnjfepp.exe
File opened for modification | C:\Windows\SysWOW64\Qjnoacdc.exe | Pinchq32.exe
File opened for modification | C:\Windows\SysWOW64\Angklf32.exe | Andnff32.exe
File opened for modification | C:\Windows\SysWOW64\Cffejk32.exe | Cdhino32.exe
File opened for modification | C:\Windows\SysWOW64\Ccbojk32.exe | Cbpbek32.exe
File created | C:\Windows\SysWOW64\Kniaap32.exe | Jbbpmo32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3432 | 3408 | WerFault.exe | 226
WerFault.exe (pid 3432) was started for a crash in pid 3408 (procid 226), a generation far beyond the last process visible in the truncated tables on this page.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is also common in benign, locale-aware software, so on its own it is weak evidence; here it matters because every generation of the chain does it.
All 64 rows have the form: Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | <Process>
Processes, in the report's order: Dljdcqek.exe, Ecabfpff.exe, Jgaikb32.exe, Mpjboi32.exe, Mbkladpj.exe, Aeajcf32.exe, Pfnjfepp.exe, Acfpilmp.exe, Hbjjfl32.exe, Kicednho.exe, Pbaebh32.exe, Lilehl32.exe, Mdcbjhme.exe, Dppiddie.exe, Gjgpqjqa.exe, Gmhibenb.exe, Idqpjg32.exe, Iebmaoed.exe, Nhmdoq32.exe, Ijklmn32.exe, Dcgiejje.exe, Opohil32.exe, Bpdgolml.exe, Mmijmn32.exe, Qpnkjq32.exe, Dlgjie32.exe, Mnbpgb32.exe, Gmflmfpe.exe, Nhojjjhj.exe, Onplmp32.exe, Fbqkqj32.exe, Bbhgbj32.exe, Blfnin32.exe, Ijcmipjh.exe, Jdlcnkfg.exe, Mbiokdam.exe, Ldgikklb.exe, Bamdcf32.exe, Enjcfm32.exe, Llojpghe.exe, Elmmhc32.exe, Gimmbg32.exe, Baannfim.exe, Dddodd32.exe, Fpliec32.exe, Ddjbbbna.exe, Gfcqkafl.exe, Ikafpbon.exe, Jkcoee32.exe, Jcjffc32.exe, Llagegfb.exe, Ghndjd32.exe, Gaiehjfb.exe, Hkoikcaq.exe, Fflgahfm.exe, Napibq32.exe, Engpfgql.exe, Fgdjipfc.exe, Jmcbio32.exe, Phcpdm32.exe, Dphmiokb.exe, Dgkkdnkb.exe, Cbpbek32.exe, Ocphembl.exe
Modifies registry class (64 IoCs)
This is the other half of the ShellServiceObjectDelayLoad persistence: the CLSID named there, {79FEACFF-FFCE-815E-A900-316290B5B738}, gets an InProcServer32 key whose default value is the DLL Explorer.exe will load for it (ThreadingModel = "Apartment"). Successive generations re-point the same CLSID at a different freshly dropped DLL in C:\Windows\SysWow64, so on a live host only the last write is active but every path listed is an artifact to collect and remove.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Feiamj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbmpe32.dll" | Ijklmn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdlcnkfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dljdcqek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dgkkdnkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glpbiaqg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Impblnna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nodikecl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eomfiobe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmjehe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dgclpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkiacm32.dll" | Knmjmodm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boqjdl32.dll" | Mdaedhoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Phcpdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmjcemh.dll" | Mgebfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gniidaih.dll" | Bbhgbj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bkheal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gaiehjfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbhfj32.dll" | Maplcm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aeajcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgjkkhi.dll" | Gboolneo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mdcbjhme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aomdpj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Blfnin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgmajelk.dll" | Chfadndo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amnqghdd.dll" | Jnnehb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcdgd32.dll" | Ikafpbon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmpkhl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Neihmpon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgibpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnliph32.dll" | Fgdjipfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hlbooaoe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ehphdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Impblnna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aooaej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bflhik32.dll" | Hanenoeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jnnehb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Npbpjn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbffga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ceclmc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cffejk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cehlbihg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Djahmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fefdhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ikfokb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpkmbn32.dll" | Dphmiokb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ijcmipjh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mgebfi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfnjfepp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahhlnohm.dll" | Eomfiobe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccanfla.dll" | Ijcmipjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jgaikb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mdcbjhme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hanenoeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejfnfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphgeipb.dll" | Jgaikb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndekok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmfmoge.dll" | Ejnqkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmhibenb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Idqpjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcjffc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aigkfhbp.dll" | Oabafcek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdoafi32.dll" | Qegpbaqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnlpcl32.dll" | Fefnmdfo.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\f0bda26593f7eb5827cb31d5e1796ad0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\f0bda26593f7eb5827cb31d5e1796ad0N.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1048

Depth 2: C:\Windows\SysWOW64\Hanenoeh.exe (command line: C:\Windows\system32\Hanenoeh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 692

Depth 3: C:\Windows\SysWOW64\Hdmajkdl.exe (command line: C:\Windows\system32\Hdmajkdl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1728

Depth 4: C:\Windows\SysWOW64\Ijcmipjh.exe (command line: C:\Windows\system32\Ijcmipjh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3048

Depth 5: C:\Windows\SysWOW64\Iaqnbb32.exe (command line: C:\Windows\system32\Iaqnbb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2468

Depth 6: C:\Windows\SysWOW64\Jnnehb32.exe (command line: C:\Windows\system32\Jnnehb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3016

Depth 7: C:\Windows\SysWOW64\Jmcbio32.exe (command line: C:\Windows\system32\Jmcbio32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2396

Depth 8: C:\Windows\SysWOW64\Kicednho.exe (command line: C:\Windows\system32\Kicednho.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2476

Depth 9: C:\Windows\SysWOW64\Kemcookp.exe (command line: C:\Windows\system32\Kemcookp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2484
Depth 10: C:\Windows\SysWOW64\Ldgikklb.exe (command line: C:\Windows\system32\Ldgikklb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1592

Depth 11: C:\Windows\SysWOW64\Memonbnl.exe (command line: C:\Windows\system32\Memonbnl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2772

Depth 12: C:\Windows\SysWOW64\Mgebfi32.exe (command line: C:\Windows\system32\Mgebfi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2660

Depth 13: C:\Windows\SysWOW64\Npbpjn32.exe (command line: C:\Windows\system32\Npbpjn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2636

Depth 14: C:\Windows\SysWOW64\Nhmdoq32.exe (command line: C:\Windows\system32\Nhmdoq32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1780

Depth 15: C:\Windows\SysWOW64\Ocphembl.exe (command line: C:\Windows\system32\Ocphembl.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2812

Depth 16: C:\Windows\SysWOW64\Pjafbfca.exe (command line: C:\Windows\system32\Pjafbfca.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2176

Depth 17: C:\Windows\SysWOW64\Pbaebh32.exe (command line: C:\Windows\system32\Pbaebh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1944

Depth 18: C:\Windows\SysWOW64\Qpnkjq32.exe (command line: C:\Windows\system32\Qpnkjq32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1748

Depth 19: C:\Windows\SysWOW64\Amalcd32.exe (command line: C:\Windows\system32\Amalcd32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2072

Depth 20: C:\Windows\SysWOW64\Apbeeppo.exe (command line: C:\Windows\system32\Apbeeppo.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1612

Depth 21: C:\Windows\SysWOW64\Aflmbj32.exe (command line: C:\Windows\system32\Aflmbj32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1956

Depth 22: C:\Windows\SysWOW64\Aeajcf32.exe (command line: C:\Windows\system32\Aeajcf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2120
Depth 23: C:\Windows\SysWOW64\Allbpqcp.exe (command line: C:\Windows\system32\Allbpqcp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 928

Depth 24: C:\Windows\SysWOW64\Alnoepam.exe (command line: C:\Windows\system32\Alnoepam.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1020

Depth 25: C:\Windows\SysWOW64\Bbhgbj32.exe (command line: C:\Windows\system32\Bbhgbj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2200

Depth 26: C:\Windows\SysWOW64\Bamdcf32.exe (command line: C:\Windows\system32\Bamdcf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1168

Depth 27: C:\Windows\SysWOW64\Bfjmkn32.exe (command line: C:\Windows\system32\Bfjmkn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2972

Depth 28: C:\Windows\SysWOW64\Bkheal32.exe (command line: C:\Windows\system32\Bkheal32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 1576

Depth 29: C:\Windows\SysWOW64\Baannfim.exe (command line: C:\Windows\system32\Baannfim.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1596

Depth 30: C:\Windows\SysWOW64\Bdbfpafn.exe (command line: C:\Windows\system32\Bdbfpafn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2552

Depth 31: C:\Windows\SysWOW64\Cioohh32.exe (command line: C:\Windows\system32\Cioohh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2564

Depth 32: C:\Windows\SysWOW64\Clnkdc32.exe (command line: C:\Windows\system32\Clnkdc32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 3000

Depth 33: C:\Windows\SysWOW64\Ccjpfmic.exe (command line: C:\Windows\system32\Ccjpfmic.exe)
- Executes dropped EXE
PID: 2616

Depth 34: C:\Windows\SysWOW64\Cehlbihg.exe (command line: C:\Windows\system32\Cehlbihg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2056

Depth 35: C:\Windows\SysWOW64\Chiedc32.exe (command line: C:\Windows\system32\Chiedc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2376

Depth 36: C:\Windows\SysWOW64\Coejfn32.exe (command line: C:\Windows\system32\Coejfn32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2392

Depth 37: C:\Windows\SysWOW64\Dpggnfap.exe (command line: C:\Windows\system32\Dpggnfap.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2764
Depth 38: C:\Windows\SysWOW64\Dddodd32.exe (command line: C:\Windows\system32\Dddodd32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 952

Depth 39: C:\Windows\SysWOW64\Dgclpp32.exe (command line: C:\Windows\system32\Dgclpp32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2448

Depth 40: C:\Windows\SysWOW64\Djahmk32.exe (command line: C:\Windows\system32\Djahmk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 600

Depth 41: C:\Windows\SysWOW64\Djddbkck.exe (command line: C:\Windows\system32\Djddbkck.exe)
- Executes dropped EXE
PID: 2712

Depth 42: C:\Windows\SysWOW64\Dppiddie.exe (command line: C:\Windows\system32\Dppiddie.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2644

Depth 43: C:\Windows\SysWOW64\Dlgjie32.exe (command line: C:\Windows\system32\Dlgjie32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2184

Depth 44: C:\Windows\SysWOW64\Ecabfpff.exe (command line: C:\Windows\system32\Ecabfpff.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2816

Depth 45: C:\Windows\SysWOW64\Eklgjbca.exe (command line: C:\Windows\system32\Eklgjbca.exe)
- Executes dropped EXE
PID: 2076

Depth 46: C:\Windows\SysWOW64\Enjcfm32.exe (command line: C:\Windows\system32\Enjcfm32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2348

Depth 47: C:\Windows\SysWOW64\Ebfpglkn.exe (command line: C:\Windows\system32\Ebfpglkn.exe)
- Executes dropped EXE
PID: 844

Depth 48: C:\Windows\SysWOW64\Ehphdf32.exe (command line: C:\Windows\system32\Ehphdf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 3040

Depth 49: C:\Windows\SysWOW64\Ekqqea32.exe (command line: C:\Windows\system32\Ekqqea32.exe)
- Executes dropped EXE
PID: 1440

Depth 50: C:\Windows\SysWOW64\Edieng32.exe (command line: C:\Windows\system32\Edieng32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1720

Depth 51: C:\Windows\SysWOW64\Eggajb32.exe (command line: C:\Windows\system32\Eggajb32.exe)
- Executes dropped EXE
PID: 568

Depth 52: C:\Windows\SysWOW64\Ejfnfn32.exe (command line: C:\Windows\system32\Ejfnfn32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2276

Depth 53: C:\Windows\SysWOW64\Fjhjlm32.exe (command line: C:\Windows\system32\Fjhjlm32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1760

Depth 54: C:\Windows\SysWOW64\Fmicnhob.exe (command line: C:\Windows\system32\Fmicnhob.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2832

Depth 55: C:\Windows\SysWOW64\Fcckjb32.exe (command line: C:\Windows\system32\Fcckjb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2516

Depth 56: C:\Windows\SysWOW64\Fefdhj32.exe (command line: C:\Windows\system32\Fefdhj32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 3004
Depth 57: C:\Windows\SysWOW64\Fmnmih32.exe (command line: C:\Windows\system32\Fmnmih32.exe)
- Executes dropped EXE
PID: 2068

Depth 58: C:\Windows\SysWOW64\Fpliec32.exe (command line: C:\Windows\system32\Fpliec32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2372

Depth 59: C:\Windows\SysWOW64\Feiamj32.exe (command line: C:\Windows\system32\Feiamj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2128

Depth 60: C:\Windows\SysWOW64\Gjhfkqdm.exe (command line: C:\Windows\system32\Gjhfkqdm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2920

Depth 61: C:\Windows\SysWOW64\Gboolneo.exe (command line: C:\Windows\system32\Gboolneo.exe)
- Executes dropped EXE
- Modifies registry class
PID: 932

Depth 62: C:\Windows\SysWOW64\Genkhidc.exe (command line: C:\Windows\system32\Genkhidc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2688

Depth 63: C:\Windows\SysWOW64\Ghndjd32.exe (command line: C:\Windows\system32\Ghndjd32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1136

Depth 64: C:\Windows\SysWOW64\Gfcqkafl.exe (command line: C:\Windows\system32\Gfcqkafl.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2720

Depth 65: C:\Windows\SysWOW64\Gibmglep.exe (command line: C:\Windows\system32\Gibmglep.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2792

Depth 66: C:\Windows\SysWOW64\Gaiehjfb.exe (command line: C:\Windows\system32\Gaiehjfb.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2336

Depth 67: C:\Windows\SysWOW64\Hdjnje32.exe (command line: C:\Windows\system32\Hdjnje32.exe)
PID: 3064

Depth 68: C:\Windows\SysWOW64\Hiffbl32.exe (command line: C:\Windows\system32\Hiffbl32.exe)
PID: 1708

Depth 69: C:\Windows\SysWOW64\Hbokkagk.exe (command line: C:\Windows\system32\Hbokkagk.exe)
- Drops file in System32 directory
PID: 2084

Depth 70: C:\Windows\SysWOW64\Hpckee32.exe (command line: C:\Windows\system32\Hpckee32.exe)
PID: 804

Depth 71: C:\Windows\SysWOW64\Hikpnkme.exe (command line: C:\Windows\system32\Hikpnkme.exe)
PID: 2164

Depth 72: C:\Windows\SysWOW64\Hhqmogam.exe (command line: C:\Windows\system32\Hhqmogam.exe)
PID: 1684

Depth 73: C:\Windows\SysWOW64\Hkoikcaq.exe (command line: C:\Windows\system32\Hkoikcaq.exe)
- System Location Discovery: System Language Discovery
PID: 1556

Depth 74: C:\Windows\SysWOW64\Ikafpbon.exe (command line: C:\Windows\system32\Ikafpbon.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2620

Depth 75: C:\Windows\SysWOW64\Impblnna.exe (command line: C:\Windows\system32\Impblnna.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2080

Depth 76: C:\Windows\SysWOW64\Idjjih32.exe (command line: C:\Windows\system32\Idjjih32.exe)
- Drops file in System32 directory
PID: 2520

Depth 77: C:\Windows\SysWOW64\Ippkni32.exe (command line: C:\Windows\system32\Ippkni32.exe)
- Drops file in System32 directory
PID: 3060

Depth 78: C:\Windows\SysWOW64\Ihgcof32.exe (command line: C:\Windows\system32\Ihgcof32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2528

Depth 79: C:\Windows\SysWOW64\Ikfokb32.exe (command line: C:\Windows\system32\Ikfokb32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2412
Depth 80: C:\Windows\SysWOW64\Ijklmn32.exe (command line: C:\Windows\system32\Ijklmn32.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2536

Depth 81: C:\Windows\SysWOW64\Idqpjg32.exe (command line: C:\Windows\system32\Idqpjg32.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2344

Depth 82: C:\Windows\SysWOW64\Iebmaoed.exe (command line: C:\Windows\system32\Iebmaoed.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 1300

Depth 83: C:\Windows\SysWOW64\Jgaikb32.exe (command line: C:\Windows\system32\Jgaikb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1752

Depth 84: C:\Windows\SysWOW64\Jjpehn32.exe (command line: C:\Windows\system32\Jjpehn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2984

Depth 85: C:\Windows\SysWOW64\Jpjndh32.exe (command line: C:\Windows\system32\Jpjndh32.exe)
PID: 992

Depth 86: C:\Windows\SysWOW64\Jkcoee32.exe (command line: C:\Windows\system32\Jkcoee32.exe)
- System Location Discovery: System Language Discovery
PID: 484

Depth 87: C:\Windows\SysWOW64\Jcjffc32.exe (command line: C:\Windows\system32\Jcjffc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2036

Depth 88: C:\Windows\SysWOW64\Jbmgapgc.exe (command line: C:\Windows\system32\Jbmgapgc.exe)
PID: 2340

Depth 89: C:\Windows\SysWOW64\Jdlcnkfg.exe (command line: C:\Windows\system32\Jdlcnkfg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2040

Depth 90: C:\Windows\SysWOW64\Jlckoh32.exe (command line: C:\Windows\system32\Jlckoh32.exe)
- Drops file in System32 directory
PID: 2316

Depth 91: C:\Windows\SysWOW64\Jbbpmo32.exe (command line: C:\Windows\system32\Jbbpmo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1764

Depth 92: C:\Windows\SysWOW64\Kniaap32.exe (command line: C:\Windows\system32\Kniaap32.exe)
PID: 2600

Depth 93: C:\Windows\SysWOW64\Kjpafanf.exe (command line: C:\Windows\system32\Kjpafanf.exe)
PID: 2060

Depth 94: C:\Windows\SysWOW64\Kmnnblmj.exe (command line: C:\Windows\system32\Kmnnblmj.exe)
- Drops file in System32 directory
PID: 2548

Depth 95: C:\Windows\SysWOW64\Knmjmodm.exe (command line: C:\Windows\system32\Knmjmodm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 3028

Depth 96: C:\Windows\SysWOW64\Kmpkhl32.exe (command line: C:\Windows\system32\Kmpkhl32.exe)
- Modifies registry class
PID: 1608

Depth 97: C:\Windows\SysWOW64\Kqncnjan.exe (command line: C:\Windows\system32\Kqncnjan.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2648

Depth 98: C:\Windows\SysWOW64\Lcolpe32.exe (command line: C:\Windows\system32\Lcolpe32.exe)
PID: 1796

Depth 99: C:\Windows\SysWOW64\Lfmhla32.exe (command line: C:\Windows\system32\Lfmhla32.exe)
PID: 976

Depth 100: C:\Windows\SysWOW64\Lilehl32.exe (command line: C:\Windows\system32\Lilehl32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2148

Depth 101: C:\Windows\SysWOW64\Linanl32.exe (command line: C:\Windows\system32\Linanl32.exe)
PID: 1660

Depth 102: C:\Windows\SysWOW64\Lbffga32.exe (command line: C:\Windows\system32\Lbffga32.exe)
- Modifies registry class
PID: 1388
Depth 103: C:\Windows\SysWOW64\Llojpghe.exe (command line: C:\Windows\system32\Llojpghe.exe)
- System Location Discovery: System Language Discovery
PID: 1624

Depth 104: C:\Windows\SysWOW64\Llagegfb.exe (command line: C:\Windows\system32\Llagegfb.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1656

Depth 105: C:\Windows\SysWOW64\Lnpcabef.exe (command line: C:\Windows\system32\Lnpcabef.exe)
PID: 1804

Depth 106: C:\Windows\SysWOW64\Mnbpgb32.exe (command line: C:\Windows\system32\Mnbpgb32.exe)
- System Location Discovery: System Language Discovery
PID: 2232

Depth 107: C:\Windows\SysWOW64\Maplcm32.exe (command line: C:\Windows\system32\Maplcm32.exe)
- Modifies registry class
PID: 620

Depth 108: C:\Windows\SysWOW64\Mpcmojia.exe (command line: C:\Windows\system32\Mpcmojia.exe)
PID: 2604

Depth 109: C:\Windows\SysWOW64\Mdaedhoh.exe (command line: C:\Windows\system32\Mdaedhoh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 3012

Depth 110: C:\Windows\SysWOW64\Mmijmn32.exe (command line: C:\Windows\system32\Mmijmn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2500

Depth 111: C:\Windows\SysWOW64\Mdcbjhme.exe (command line: C:\Windows\system32\Mdcbjhme.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1240

Depth 112: C:\Windows\SysWOW64\Mfbnfcli.exe (command line: C:\Windows\system32\Mfbnfcli.exe)
PID: 1652

Depth 113: C:\Windows\SysWOW64\Mpjboi32.exe (command line: C:\Windows\system32\Mpjboi32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1516

Depth 114: C:\Windows\SysWOW64\Mbiokdam.exe (command line: C:\Windows\system32\Mbiokdam.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2672

Depth 115: C:\Windows\SysWOW64\Mbkladpj.exe (command line: C:\Windows\system32\Mbkladpj.exe)
- System Location Discovery: System Language Discovery
PID: 1604

Depth 116: C:\Windows\SysWOW64\Neihmpon.exe (command line: C:\Windows\system32\Neihmpon.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 2108

Depth 117: C:\Windows\SysWOW64\Napibq32.exe (command line: C:\Windows\system32\Napibq32.exe)
- System Location Discovery: System Language Discovery
PID: 1668

Depth 118: C:\Windows\SysWOW64\Nodikecl.exe (command line: C:\Windows\system32\Nodikecl.exe)
- Modifies registry class
PID: 2240

Depth 119: C:\Windows\SysWOW64\Nhlndj32.exe (command line: C:\Windows\system32\Nhlndj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2968

Depth 120: C:\Windows\SysWOW64\Nkkjpf32.exe (command line: C:\Windows\system32\Nkkjpf32.exe)
PID: 2492

Depth 121: C:\Windows\SysWOW64\Nhojjjhj.exe (command line: C:\Windows\system32\Nhojjjhj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 2472

Depth 122: C:\Windows\SysWOW64\Ndekok32.exe (command line: C:\Windows\system32\Ndekok32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2700