Analysis
max time kernel: 40s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 21/08/2024, 17:58
Static task: static1
Behavioral task: behavioral1
  Sample: b3527a196e711fb4229ca051bdf94690N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: b3527a196e711fb4229ca051bdf94690N.exe
  Resource: win10v2004-20240802-en
General
Target: b3527a196e711fb4229ca051bdf94690N.exe
Size: 95KB
MD5: b3527a196e711fb4229ca051bdf94690
SHA1: 6b1dc6ae74f697a3f956a3db28592fe0e5537baf
SHA256: c585a379181ce176d1cfc5bf63791b3fe55af3c64970323ffeadc708e2f196ad
SHA512: bba9251a3c1b6e5f89a0402da7ba132cef4c489dfbde9a470e866cee7f40f2a14843ddf9bbe792f52dbca36e9c68dbc3928b3ab1495356d431cbe962328ba8d7
SSDEEP: 1536:L9/kESwonNncixsvDfQzK0IJPREznMOZW4YdrIUGYpyXOM6bOLXi8PmCofGV:59SwoZcixkbQpIhREznFM44rI7JXDrLD
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4696, pid_target: 4596, Process: WerFault.exe, procid_target: 419
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2532 wrote to memory of 832 | 2532 | b3527a196e711fb4229ca051bdf94690N.exe | 29
PID 2532 wrote to memory of 832 | 2532 | b3527a196e711fb4229ca051bdf94690N.exe | 29
PID 2532 wrote to memory of 832 | 2532 | b3527a196e711fb4229ca051bdf94690N.exe | 29
PID 2532 wrote to memory of 832 | 2532 | b3527a196e711fb4229ca051bdf94690N.exe | 29
PID 832 wrote to memory of 2124 | 832 | Kgienc32.exe | 30
PID 832 wrote to memory of 2124 | 832 | Kgienc32.exe | 30
PID 832 wrote to memory of 2124 | 832 | Kgienc32.exe | 30
PID 832 wrote to memory of 2124 | 832 | Kgienc32.exe | 30
PID 2124 wrote to memory of 2720 | 2124 | Kncmknkg.exe | 31
PID 2124 wrote to memory of 2720 | 2124 | Kncmknkg.exe | 31
PID 2124 wrote to memory of 2720 | 2124 | Kncmknkg.exe | 31
PID 2124 wrote to memory of 2720 | 2124 | Kncmknkg.exe | 31
PID 2720 wrote to memory of 2728 | 2720 | Lcpecdio.exe | 32
PID 2720 wrote to memory of 2728 | 2720 | Lcpecdio.exe | 32
PID 2720 wrote to memory of 2728 | 2720 | Lcpecdio.exe | 32
PID 2720 wrote to memory of 2728 | 2720 | Lcpecdio.exe | 32
PID 2728 wrote to memory of 2888 | 2728 | Lqdfmihh.exe | 33
PID 2728 wrote to memory of 2888 | 2728 | Lqdfmihh.exe | 33
PID 2728 wrote to memory of 2888 | 2728 | Lqdfmihh.exe | 33
PID 2728 wrote to memory of 2888 | 2728 | Lqdfmihh.exe | 33
PID 2888 wrote to memory of 1156 | 2888 | Lcbbidgl.exe | 34
PID 2888 wrote to memory of 1156 | 2888 | Lcbbidgl.exe | 34
PID 2888 wrote to memory of 1156 | 2888 | Lcbbidgl.exe | 34
PID 2888 wrote to memory of 1156 | 2888 | Lcbbidgl.exe | 34
PID 1156 wrote to memory of 2624 | 1156 | Ljljenoi.exe | 35
PID 1156 wrote to memory of 2624 | 1156 | Ljljenoi.exe | 35
PID 1156 wrote to memory of 2624 | 1156 | Ljljenoi.exe | 35
PID 1156 wrote to memory of 2624 | 1156 | Ljljenoi.exe | 35
PID 2624 wrote to memory of 2504 | 2624 | Lmkgajnm.exe | 36
PID 2624 wrote to memory of 2504 | 2624 | Lmkgajnm.exe | 36
PID 2624 wrote to memory of 2504 | 2624 | Lmkgajnm.exe | 36
PID 2624 wrote to memory of 2504 | 2624 | Lmkgajnm.exe | 36
PID 2504 wrote to memory of 2516 | 2504 | Lqfbbh32.exe | 37
PID 2504 wrote to memory of 2516 | 2504 | Lqfbbh32.exe | 37
PID 2504 wrote to memory of 2516 | 2504 | Lqfbbh32.exe | 37
PID 2504 wrote to memory of 2516 | 2504 | Lqfbbh32.exe | 37
PID 2516 wrote to memory of 600 | 2516 | Lgpkobnb.exe | 38
PID 2516 wrote to memory of 600 | 2516 | Lgpkobnb.exe | 38
PID 2516 wrote to memory of 600 | 2516 | Lgpkobnb.exe | 38
PID 2516 wrote to memory of 600 | 2516 | Lgpkobnb.exe | 38
PID 600 wrote to memory of 2848 | 600 | Lfckko32.exe | 39
PID 600 wrote to memory of 2848 | 600 | Lfckko32.exe | 39
PID 600 wrote to memory of 2848 | 600 | Lfckko32.exe | 39
PID 600 wrote to memory of 2848 | 600 | Lfckko32.exe | 39
PID 2848 wrote to memory of 2836 | 2848 | Lmmcgilj.exe | 40
PID 2848 wrote to memory of 2836 | 2848 | Lmmcgilj.exe | 40
PID 2848 wrote to memory of 2836 | 2848 | Lmmcgilj.exe | 40
PID 2848 wrote to memory of 2836 | 2848 | Lmmcgilj.exe | 40
PID 2836 wrote to memory of 2108 | 2836 | Lbjlppja.exe | 41
PID 2836 wrote to memory of 2108 | 2836 | Lbjlppja.exe | 41
PID 2836 wrote to memory of 2108 | 2836 | Lbjlppja.exe | 41
PID 2836 wrote to memory of 2108 | 2836 | Lbjlppja.exe | 41
PID 2108 wrote to memory of 2068 | 2108 | Lmppmi32.exe | 42
PID 2108 wrote to memory of 2068 | 2108 | Lmppmi32.exe | 42
PID 2108 wrote to memory of 2068 | 2108 | Lmppmi32.exe | 42
PID 2108 wrote to memory of 2068 | 2108 | Lmppmi32.exe | 42
PID 2068 wrote to memory of 1232 | 2068 | Lpnlid32.exe | 43
PID 2068 wrote to memory of 1232 | 2068 | Lpnlid32.exe | 43
PID 2068 wrote to memory of 1232 | 2068 | Lpnlid32.exe | 43
PID 2068 wrote to memory of 1232 | 2068 | Lpnlid32.exe | 43
PID 1232 wrote to memory of 2556 | 1232 | Lfhdeoqh.exe | 44
PID 1232 wrote to memory of 2556 | 1232 | Lfhdeoqh.exe | 44
PID 1232 wrote to memory of 2556 | 1232 | Lfhdeoqh.exe | 44
PID 1232 wrote to memory of 2556 | 1232 | Lfhdeoqh.exe | 44
Processes

Process tree (each process is a child of the preceding one; the leading number is the nesting depth):

1. C:\Users\Admin\AppData\Local\Temp\b3527a196e711fb4229ca051bdf94690N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b3527a196e711fb4229ca051bdf94690N.exe"
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2532

2. C:\Windows\SysWOW64\Kgienc32.exe
   Command line: C:\Windows\system32\Kgienc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 832

3. C:\Windows\SysWOW64\Kncmknkg.exe
   Command line: C:\Windows\system32\Kncmknkg.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2124

4. C:\Windows\SysWOW64\Lcpecdio.exe
   Command line: C:\Windows\system32\Lcpecdio.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2720

5. C:\Windows\SysWOW64\Lqdfmihh.exe
   Command line: C:\Windows\system32\Lqdfmihh.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2728

6. C:\Windows\SysWOW64\Lcbbidgl.exe
   Command line: C:\Windows\system32\Lcbbidgl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2888

7. C:\Windows\SysWOW64\Ljljenoi.exe
   Command line: C:\Windows\system32\Ljljenoi.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1156

8. C:\Windows\SysWOW64\Lmkgajnm.exe
   Command line: C:\Windows\system32\Lmkgajnm.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2624

9. C:\Windows\SysWOW64\Lqfbbh32.exe
   Command line: C:\Windows\system32\Lqfbbh32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2504

10. C:\Windows\SysWOW64\Lgpkobnb.exe
    Command line: C:\Windows\system32\Lgpkobnb.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2516

11. C:\Windows\SysWOW64\Lfckko32.exe
    Command line: C:\Windows\system32\Lfckko32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 600

12. C:\Windows\SysWOW64\Lmmcgilj.exe
    Command line: C:\Windows\system32\Lmmcgilj.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2848

13. C:\Windows\SysWOW64\Lbjlppja.exe
    Command line: C:\Windows\system32\Lbjlppja.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2836

14. C:\Windows\SysWOW64\Lmppmi32.exe
    Command line: C:\Windows\system32\Lmppmi32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2108

15. C:\Windows\SysWOW64\Lpnlid32.exe
    Command line: C:\Windows\system32\Lpnlid32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2068

16. C:\Windows\SysWOW64\Lfhdeoqh.exe
    Command line: C:\Windows\system32\Lfhdeoqh.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1232

17. C:\Windows\SysWOW64\Lekeak32.exe
    Command line: C:\Windows\system32\Lekeak32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2556

18. C:\Windows\SysWOW64\Lmbmbi32.exe
    Command line: C:\Windows\system32\Lmbmbi32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 2376

19. C:\Windows\SysWOW64\Mncijanc.exe
    Command line: C:\Windows\system32\Mncijanc.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2080

20. C:\Windows\SysWOW64\Mfjaknoe.exe
    Command line: C:\Windows\system32\Mfjaknoe.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1248

21. C:\Windows\SysWOW64\Memagk32.exe
    Command line: C:\Windows\system32\Memagk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID: 992

22. C:\Windows\SysWOW64\Mlgjce32.exe
    Command line: C:\Windows\system32\Mlgjce32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID: 1936

23. C:\Windows\SysWOW64\Madbll32.exe
    Command line: C:\Windows\system32\Madbll32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID: 852

24. C:\Windows\SysWOW64\Mikjmi32.exe
    Command line: C:\Windows\system32\Mikjmi32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1512

25. C:\Windows\SysWOW64\Mgnjhfbq.exe
    Command line: C:\Windows\system32\Mgnjhfbq.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2076

26. C:\Windows\SysWOW64\Mnhbep32.exe
    Command line: C:\Windows\system32\Mnhbep32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID: 3064

27. C:\Windows\SysWOW64\Mbcofobg.exe
    Command line: C:\Windows\system32\Mbcofobg.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID: 1704

28. C:\Windows\SysWOW64\Mjocja32.exe
    Command line: C:\Windows\system32\Mjocja32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID: 2732

29. C:\Windows\SysWOW64\Mmmpfm32.exe
    Command line: C:\Windows\system32\Mmmpfm32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2856

30. C:\Windows\SysWOW64\Mcghcgfb.exe
    Command line: C:\Windows\system32\Mcghcgfb.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2756

31. C:\Windows\SysWOW64\Mhbdce32.exe
    Command line: C:\Windows\system32\Mhbdce32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 2840

32. C:\Windows\SysWOW64\Mmolll32.exe
    Command line: C:\Windows\system32\Mmolll32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2592

33. C:\Windows\SysWOW64\Mpnhhh32.exe
    Command line: C:\Windows\system32\Mpnhhh32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 2648

34. C:\Windows\SysWOW64\Nfgadbcc.exe
    Command line: C:\Windows\system32\Nfgadbcc.exe
    - Executes dropped EXE
    PID: 2428

35. C:\Windows\SysWOW64\Namebk32.exe
    Command line: C:\Windows\system32\Namebk32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 2476

36. C:\Windows\SysWOW64\Ndlanf32.exe
    Command line: C:\Windows\system32\Ndlanf32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 2820

37. C:\Windows\SysWOW64\Nbnajcig.exe
    Command line: C:\Windows\system32\Nbnajcig.exe
    - Executes dropped EXE
    PID: 2920

38. C:\Windows\SysWOW64\Nlgfbh32.exe
    Command line: C:\Windows\system32\Nlgfbh32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 2976

39. C:\Windows\SysWOW64\Ndnncf32.exe
    Command line: C:\Windows\system32\Ndnncf32.exe
    - Executes dropped EXE
    PID: 2092

40. C:\Windows\SysWOW64\Nbqnobge.exe
    Command line: C:\Windows\system32\Nbqnobge.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID: 748

41. C:\Windows\SysWOW64\Npdohg32.exe
    Command line: C:\Windows\system32\Npdohg32.exe
    - Executes dropped EXE
    PID: 3028

42. C:\Windows\SysWOW64\Nbckeb32.exe
    Command line: C:\Windows\system32\Nbckeb32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2356

43. C:\Windows\SysWOW64\Nhpcmi32.exe
    Command line: C:\Windows\system32\Nhpcmi32.exe
    - Executes dropped EXE
    PID: 2372

44. C:\Windows\SysWOW64\Nojljcjf.exe
    Command line: C:\Windows\system32\Nojljcjf.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1140

45. C:\Windows\SysWOW64\Nahhfoij.exe
    Command line: C:\Windows\system32\Nahhfoij.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 1684

46. C:\Windows\SysWOW64\Niopgljl.exe
    Command line: C:\Windows\system32\Niopgljl.exe
    - Executes dropped EXE
    PID: 1468

47. C:\Windows\SysWOW64\Nhbpbi32.exe
    Command line: C:\Windows\system32\Nhbpbi32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 2192

48. C:\Windows\SysWOW64\Nlnlcg32.exe
    Command line: C:\Windows\system32\Nlnlcg32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 1432

49. C:\Windows\SysWOW64\Obhdpaqm.exe
    Command line: C:\Windows\system32\Obhdpaqm.exe
    - Executes dropped EXE
    PID: 2084

50. C:\Windows\SysWOW64\Oakdkn32.exe
    Command line: C:\Windows\system32\Oakdkn32.exe
    - Executes dropped EXE
    PID: 1556

51. C:\Windows\SysWOW64\Odiagj32.exe
    Command line: C:\Windows\system32\Odiagj32.exe
    - Executes dropped EXE
    PID: 2304

52. C:\Windows\SysWOW64\Olpiig32.exe
    Command line: C:\Windows\system32\Olpiig32.exe
    - Executes dropped EXE
    PID: 2716

53. C:\Windows\SysWOW64\Okciddnh.exe
    Command line: C:\Windows\system32\Okciddnh.exe
    - Executes dropped EXE
    PID: 2876

54. C:\Windows\SysWOW64\Oooeeb32.exe
    Command line: C:\Windows\system32\Oooeeb32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 2272

55. C:\Windows\SysWOW64\Omaepoml.exe
    Command line: C:\Windows\system32\Omaepoml.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2056

56. C:\Windows\SysWOW64\Oehmamnn.exe
    Command line: C:\Windows\system32\Oehmamnn.exe
    - Executes dropped EXE
    PID: 2812

57. C:\Windows\SysWOW64\Odknmi32.exe
    Command line: C:\Windows\system32\Odknmi32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 2796

58. C:\Windows\SysWOW64\Ohginhma.exe
    Command line: C:\Windows\system32\Ohginhma.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2844

59. C:\Windows\SysWOW64\Okefjcle.exe
    Command line: C:\Windows\system32\Okefjcle.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID: 2912

60. C:\Windows\SysWOW64\Ooabjbdn.exe
    Command line: C:\Windows\system32\Ooabjbdn.exe
    - Executes dropped EXE
    PID: 2236

61. C:\Windows\SysWOW64\Omdbfo32.exe
    Command line: C:\Windows\system32\Omdbfo32.exe
    - Executes dropped EXE
    PID: 1744

62. C:\Windows\SysWOW64\Opbnbj32.exe
    Command line: C:\Windows\system32\Opbnbj32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 1984

63. C:\Windows\SysWOW64\Ohifch32.exe
    Command line: C:\Windows\system32\Ohifch32.exe
    - Executes dropped EXE
    PID: 1068

64. C:\Windows\SysWOW64\Okhboc32.exe
    Command line: C:\Windows\system32\Okhboc32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 328

65. C:\Windows\SysWOW64\Oijbkpqm.exe
    Command line: C:\Windows\system32\Oijbkpqm.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 2184

66. C:\Windows\SysWOW64\Omfoko32.exe
    Command line: C:\Windows\system32\Omfoko32.exe
    PID: 2324

67. C:\Windows\SysWOW64\Opdkgj32.exe
    Command line: C:\Windows\system32\Opdkgj32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 1736

68. C:\Windows\SysWOW64\Occgce32.exe
    Command line: C:\Windows\system32\Occgce32.exe
    PID: 2016

69. C:\Windows\SysWOW64\Ogncddpg.exe
    Command line: C:\Windows\system32\Ogncddpg.exe
    PID: 2784

70. C:\Windows\SysWOW64\Oimpppoj.exe
    Command line: C:\Windows\system32\Oimpppoj.exe
    - Modifies registry class
    PID: 2748

71. C:\Windows\SysWOW64\Olklmk32.exe
    Command line: C:\Windows\system32\Olklmk32.exe
    - Modifies registry class
    PID: 2688

72. C:\Windows\SysWOW64\Opghmjfg.exe
    Command line: C:\Windows\system32\Opghmjfg.exe
    - Drops file in System32 directory
    - Modifies registry class
    PID: 2576

73. C:\Windows\SysWOW64\Odbcnh32.exe
    Command line: C:\Windows\system32\Odbcnh32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 2240

74. C:\Windows\SysWOW64\Oecpeqdo.exe
    Command line: C:\Windows\system32\Oecpeqdo.exe
    PID: 1720

75. C:\Windows\SysWOW64\Oiolfo32.exe
    Command line: C:\Windows\system32\Oiolfo32.exe
    PID: 1228

76. C:\Windows\SysWOW64\Plnhbk32.exe
    Command line: C:\Windows\system32\Plnhbk32.exe
    PID: 1724

77. C:\Windows\SysWOW64\Ppidbidd.exe
    Command line: C:\Windows\system32\Ppidbidd.exe
    PID: 2000

78. C:\Windows\SysWOW64\Pcgqoech.exe
    Command line: C:\Windows\system32\Pcgqoech.exe
    PID: 796

79. C:\Windows\SysWOW64\Pgcmoc32.exe
    Command line: C:\Windows\system32\Pgcmoc32.exe
    PID: 3040

80. C:\Windows\SysWOW64\Piaiko32.exe
    Command line: C:\Windows\system32\Piaiko32.exe
    - Drops file in System32 directory
    - Modifies registry class
    PID: 2536

81. C:\Windows\SysWOW64\Plpehj32.exe
    Command line: C:\Windows\system32\Plpehj32.exe
    PID: 2456

82. C:\Windows\SysWOW64\Ppkahi32.exe
    Command line: C:\Windows\system32\Ppkahi32.exe
    PID: 1952

83. C:\Windows\SysWOW64\Pcjmdd32.exe
    Command line: C:\Windows\system32\Pcjmdd32.exe
    - Drops file in System32 directory
    PID: 1672

84. C:\Windows\SysWOW64\Pamnpahp.exe
    Command line: C:\Windows\system32\Pamnpahp.exe
    PID: 3052

85. C:\Windows\SysWOW64\Pehiqp32.exe
    Command line: C:\Windows\system32\Pehiqp32.exe
    PID: 2160

86. C:\Windows\SysWOW64\Phgfmk32.exe
    Command line: C:\Windows\system32\Phgfmk32.exe
    - Drops file in System32 directory
    PID: 2776

87. C:\Windows\SysWOW64\Plbbmjhf.exe
    Command line: C:\Windows\system32\Plbbmjhf.exe
    PID: 2740

88. C:\Windows\SysWOW64\Poqniegj.exe
    Command line: C:\Windows\system32\Poqniegj.exe
    - Modifies registry class
    PID: 272

89. C:\Windows\SysWOW64\Pcljjd32.exe
    Command line: C:\Windows\system32\Pcljjd32.exe
    PID: 2488

90. C:\Windows\SysWOW64\Pekffp32.exe
    Command line: C:\Windows\system32\Pekffp32.exe
    PID: 2632

91. C:\Windows\SysWOW64\Pdnfalea.exe
    Command line: C:\Windows\system32\Pdnfalea.exe
    PID: 2480

92. C:\Windows\SysWOW64\Pldobjec.exe
    Command line: C:\Windows\system32\Pldobjec.exe
    PID: 2552

93. C:\Windows\SysWOW64\Pkgonf32.exe
    Command line: C:\Windows\system32\Pkgonf32.exe
    PID: 1096

94. C:\Windows\SysWOW64\Paagkq32.exe
    Command line: C:\Windows\system32\Paagkq32.exe
    PID: 2460

95. C:\Windows\SysWOW64\Pfmclold.exe
    Command line: C:\Windows\system32\Pfmclold.exe
    PID: 752

96. C:\Windows\SysWOW64\Phkohkkh.exe
    Command line: C:\Windows\system32\Phkohkkh.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 720

97. C:\Windows\SysWOW64\Pkjkdfjk.exe
    Command line: C:\Windows\system32\Pkjkdfjk.exe
    PID: 2788

98. C:\Windows\SysWOW64\Poegde32.exe
    Command line: C:\Windows\system32\Poegde32.exe
    - Drops file in System32 directory
    PID: 2884

99. C:\Windows\SysWOW64\Padcqp32.exe
    Command line: C:\Windows\system32\Padcqp32.exe
    - System Location Discovery: System Language Discovery
    PID: 2692

100. C:\Windows\SysWOW64\Qdbpml32.exe
     Command line: C:\Windows\system32\Qdbpml32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 1732

101. C:\Windows\SysWOW64\Qhnlmjie.exe
     Command line: C:\Windows\system32\Qhnlmjie.exe
     - Drops file in System32 directory
     PID: 2100

102. C:\Windows\SysWOW64\Qgqlig32.exe
     Command line: C:\Windows\system32\Qgqlig32.exe
     PID: 1772

103. C:\Windows\SysWOW64\Qklhifhi.exe
     Command line: C:\Windows\system32\Qklhifhi.exe
     - System Location Discovery: System Language Discovery
     PID: 3068

104. C:\Windows\SysWOW64\Qnkdeagl.exe
     Command line: C:\Windows\system32\Qnkdeagl.exe
     - Modifies registry class
     PID: 2420

105. C:\Windows\SysWOW64\Qbfqfppe.exe
     Command line: C:\Windows\system32\Qbfqfppe.exe
     - Modifies registry class
     PID: 1980

106. C:\Windows\SysWOW64\Qddmbkoi.exe
     Command line: C:\Windows\system32\Qddmbkoi.exe
     PID: 1944

107. C:\Windows\SysWOW64\Qcgmnh32.exe
     Command line: C:\Windows\system32\Qcgmnh32.exe
     PID: 1532

108. C:\Windows\SysWOW64\Qjaejbmq.exe
     Command line: C:\Windows\system32\Qjaejbmq.exe
     PID: 584

109. C:\Windows\SysWOW64\Qnmaka32.exe
     Command line: C:\Windows\system32\Qnmaka32.exe
     PID: 2780

110. C:\Windows\SysWOW64\Aqkmgl32.exe
     Command line: C:\Windows\system32\Aqkmgl32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Drops file in System32 directory
     PID: 1656

111. C:\Windows\SysWOW64\Acjjch32.exe
     Command line: C:\Windows\system32\Acjjch32.exe
     - System Location Discovery: System Language Discovery
     PID: 2804

112. C:\Windows\SysWOW64\Ageedflj.exe
     Command line: C:\Windows\system32\Ageedflj.exe
     PID: 2280

113. C:\Windows\SysWOW64\Afhfpc32.exe
     Command line: C:\Windows\system32\Afhfpc32.exe
     PID: 1748

114. C:\Windows\SysWOW64\Anonqq32.exe
     Command line: C:\Windows\system32\Anonqq32.exe
     PID: 2952

115. C:\Windows\SysWOW64\Ambnlmja.exe
     Command line: C:\Windows\system32\Ambnlmja.exe
     PID: 2308

116. C:\Windows\SysWOW64\Aclfigao.exe
     Command line: C:\Windows\system32\Aclfigao.exe
     PID: 2400

117. C:\Windows\SysWOW64\Aggbif32.exe
     Command line: C:\Windows\system32\Aggbif32.exe
     - System Location Discovery: System Language Discovery
     PID: 1108

118. C:\Windows\SysWOW64\Afjbecqb.exe
     Command line: C:\Windows\system32\Afjbecqb.exe
     - Drops file in System32 directory
     PID: 676

119. C:\Windows\SysWOW64\Aiioanpf.exe
     Command line: C:\Windows\system32\Aiioanpf.exe
     PID: 2412

120. C:\Windows\SysWOW64\Amdkam32.exe
     Command line: C:\Windows\system32\Amdkam32.exe
     - Modifies registry class
     PID: 2880

121. C:\Windows\SysWOW64\Aqpgblqh.exe
     Command line: C:\Windows\system32\Aqpgblqh.exe
     PID: 664

122. C:\Windows\SysWOW64\Acncngpl.exe
     Command line: C:\Windows\system32\Acncngpl.exe
     PID: 2968