Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22-08-2024 02:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8eec561f36f37a4d8f736faffb95fbd0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8eec561f36f37a4d8f736faffb95fbd0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
8eec561f36f37a4d8f736faffb95fbd0N.exe
-
Size
896KB
-
MD5
8eec561f36f37a4d8f736faffb95fbd0
-
SHA1
4c00b8466cbbefcedfc2f426971df47f45bccb62
-
SHA256
289630a1ea91643346899610b0cc9b50b683f25f61aee73cc3eb9e152a8b8102
-
SHA512
4e9ff8415dc1d6418c55ec6ad93549a0f6f97cc2d2e4ac77d6b10e5649c5c17287ee2bce9c1d2042d1731ef5131155520e04cb4ff8469c919cd5e638be750147
-
SSDEEP
6144:C7i5terWdsC5CPXbo92ynnZMqKLDK2Q9zsyVH3imoQiRLsmAKWEnaW377a85n0RM:DnFMusMH0QiRLsR4P377a20R01F50+5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqdefddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nibqqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obmnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbnbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbhcim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbbgdjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnghel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfliim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmkhjncg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkaehb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achjibcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeaco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnbhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gceailog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idgglb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabopjmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncbdbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkoicb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apedah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciaefa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imokehhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaqcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gifclb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iflmjihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpdjaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldmleam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqlfaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjaddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohncbdbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjkhdacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfkeokjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjpdjjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlphbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 8eec561f36f37a4d8f736faffb95fbd0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamdkfnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhnkfpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfokinhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afffenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciaefa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbold32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdqlajbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdnbbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alqnah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgaebe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmpce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aficjnpm.exe -
Executes dropped EXE 64 IoCs
pid Process 2488 Bcmfmlen.exe 3004 Cjgoje32.exe 580 Cjlheehe.exe 2736 Ciaefa32.exe 2536 Chfbgn32.exe 2556 Dejbqb32.exe 2584 Dmhdkdlg.exe 2452 Dogpdg32.exe 340 Dahifbpk.exe 1388 Dicnkdnf.exe 2424 Eppcmncq.exe 1572 Epbpbnan.exe 2820 Fhbnbpjc.exe 2868 Fnofjfhk.exe 1628 Flfpabkp.exe 2396 Ffodjh32.exe 1228 Gceailog.exe 844 Ghajacmo.exe 908 Gbjojh32.exe 904 Gfejjgli.exe 2188 Gkbcbn32.exe 2240 Gonocmbi.exe 2108 Gifclb32.exe 1464 Gkephn32.exe 1112 Giipab32.exe 2964 Gjjmijme.exe 2892 Gqdefddb.exe 2716 Hkiicmdh.exe 2632 Hgpjhn32.exe 2900 Hpkompgg.exe 2816 Hcgjmo32.exe 2576 Hjacjifm.exe 2604 Hblgnkdh.exe 2980 Hifpke32.exe 2260 Hfjpdjjo.exe 2492 Hihlqeib.exe 1744 Iflmjihl.exe 1908 Ihniaa32.exe 2836 Ipeaco32.exe 2568 Ieajkfmd.exe 2920 Iahkpg32.exe 1632 Idgglb32.exe 704 Imokehhl.exe 1672 Ihdpbq32.exe 968 Iamdkfnc.exe 1644 Ippdgc32.exe 2112 Ihglhp32.exe 2936 Jmdepg32.exe 1232 Jfliim32.exe 2056 Jkhejkcq.exe 2800 Jpdnbbah.exe 2140 Jfofol32.exe 2752 Jmhnkfpa.exe 2552 Jpgjgboe.exe 2592 Jbefcm32.exe 1916 Jioopgef.exe 1892 Jhbold32.exe 544 Jbhcim32.exe 2516 Jlphbbbg.exe 556 Jampjian.exe 2956 Kdklfe32.exe 272 Koaqcn32.exe 1332 Kekiphge.exe 1684 Knfndjdp.exe -
Loads dropped DLL 64 IoCs
pid Process 2072 8eec561f36f37a4d8f736faffb95fbd0N.exe 2072 8eec561f36f37a4d8f736faffb95fbd0N.exe 2488 Bcmfmlen.exe 2488 Bcmfmlen.exe 3004 Cjgoje32.exe 3004 Cjgoje32.exe 580 Cjlheehe.exe 580 Cjlheehe.exe 2736 Ciaefa32.exe 2736 Ciaefa32.exe 2536 Chfbgn32.exe 2536 Chfbgn32.exe 2556 Dejbqb32.exe 2556 Dejbqb32.exe 2584 Dmhdkdlg.exe 2584 Dmhdkdlg.exe 2452 Dogpdg32.exe 2452 Dogpdg32.exe 340 Dahifbpk.exe 340 Dahifbpk.exe 1388 Dicnkdnf.exe 1388 Dicnkdnf.exe 2424 Eppcmncq.exe 2424 Eppcmncq.exe 1572 Epbpbnan.exe 1572 Epbpbnan.exe 2820 Fhbnbpjc.exe 2820 Fhbnbpjc.exe 2868 Fnofjfhk.exe 2868 Fnofjfhk.exe 1628 Flfpabkp.exe 1628 Flfpabkp.exe 2396 Ffodjh32.exe 2396 Ffodjh32.exe 1228 Gceailog.exe 1228 Gceailog.exe 844 Ghajacmo.exe 844 Ghajacmo.exe 908 Gbjojh32.exe 908 Gbjojh32.exe 904 Gfejjgli.exe 904 Gfejjgli.exe 2188 Gkbcbn32.exe 2188 Gkbcbn32.exe 2240 Gonocmbi.exe 2240 Gonocmbi.exe 2108 Gifclb32.exe 2108 Gifclb32.exe 1464 Gkephn32.exe 1464 Gkephn32.exe 1112 Giipab32.exe 1112 Giipab32.exe 2964 Gjjmijme.exe 2964 Gjjmijme.exe 2892 Gqdefddb.exe 2892 Gqdefddb.exe 2716 Hkiicmdh.exe 2716 Hkiicmdh.exe 2632 Hgpjhn32.exe 2632 Hgpjhn32.exe 2900 Hpkompgg.exe 2900 Hpkompgg.exe 2816 Hcgjmo32.exe 2816 Hcgjmo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hkiicmdh.exe Gqdefddb.exe File opened for modification C:\Windows\SysWOW64\Mjhjdm32.exe Mcnbhb32.exe File created C:\Windows\SysWOW64\Binbknik.dll Alqnah32.exe File created C:\Windows\SysWOW64\Cgoelh32.exe Cbblda32.exe File created C:\Windows\SysWOW64\Pdmjki32.dll Epbpbnan.exe File opened for modification C:\Windows\SysWOW64\Gceailog.exe Ffodjh32.exe File created C:\Windows\SysWOW64\Liihgqil.dll Gceailog.exe File created C:\Windows\SysWOW64\Jmhnkfpa.exe Jfofol32.exe File created C:\Windows\SysWOW64\Khoqme32.dll Ajmijmnn.exe File opened for modification C:\Windows\SysWOW64\Hihlqeib.exe Hfjpdjjo.exe File created C:\Windows\SysWOW64\Jfliim32.exe Jmdepg32.exe File created C:\Windows\SysWOW64\Qggfio32.dll Mcnbhb32.exe File created C:\Windows\SysWOW64\Nbjeinje.exe Nnoiio32.exe File created C:\Windows\SysWOW64\Maanne32.dll Aaimopli.exe File created C:\Windows\SysWOW64\Kpdjaecc.exe Knfndjdp.exe File opened for modification C:\Windows\SysWOW64\Aqbdkk32.exe Andgop32.exe File created C:\Windows\SysWOW64\Hdhlfoln.dll Bcmfmlen.exe File opened for modification C:\Windows\SysWOW64\Oidiekdn.exe Offmipej.exe File opened for modification C:\Windows\SysWOW64\Andgop32.exe Aficjnpm.exe File created C:\Windows\SysWOW64\Hblgnkdh.exe Hjacjifm.exe File created C:\Windows\SysWOW64\Eicjoa32.dll Nlnpgd32.exe File opened for modification C:\Windows\SysWOW64\Omklkkpl.exe Oippjl32.exe File opened for modification C:\Windows\SysWOW64\Qdncmgbj.exe Qpbglhjq.exe File created C:\Windows\SysWOW64\Oefmcdfq.dll Hihlqeib.exe File opened for modification C:\Windows\SysWOW64\Mbhlek32.exe Mjaddn32.exe File created C:\Windows\SysWOW64\Kjfkcopd.dll Phlclgfc.exe File created C:\Windows\SysWOW64\Kgloog32.dll Caifjn32.exe File opened for modification C:\Windows\SysWOW64\Gkephn32.exe Gifclb32.exe File opened for modification C:\Windows\SysWOW64\Nnmlcp32.exe Nlnpgd32.exe File created C:\Windows\SysWOW64\Cfibop32.dll Pmkhjncg.exe File created C:\Windows\SysWOW64\Bpjmnknl.dll Fnofjfhk.exe File created C:\Windows\SysWOW64\Nbmaon32.exe Neiaeiii.exe File created C:\Windows\SysWOW64\Enjmdhnf.dll Ofhjopbg.exe File created C:\Windows\SysWOW64\Ckhdggom.exe Ccmpce32.exe File created C:\Windows\SysWOW64\Ncnngfna.exe Neknki32.exe File created C:\Windows\SysWOW64\Giddhc32.dll Oippjl32.exe File created C:\Windows\SysWOW64\Ffeganon.dll Pbagipfi.exe File created C:\Windows\SysWOW64\Fffgkhmc.dll Mbhlek32.exe File created C:\Windows\SysWOW64\Opqoge32.exe Oiffkkbk.exe File created C:\Windows\SysWOW64\Ckmcef32.dll Qgjccb32.exe File created C:\Windows\SysWOW64\Akcomepg.exe Alqnah32.exe File created C:\Windows\SysWOW64\Chfbgn32.exe Ciaefa32.exe File created C:\Windows\SysWOW64\Pohbak32.dll Mfokinhf.exe File opened for modification C:\Windows\SysWOW64\Gfejjgli.exe Gbjojh32.exe File created C:\Windows\SysWOW64\Kkfmcc32.dll Gjjmijme.exe File created C:\Windows\SysWOW64\Ecinnn32.dll Padhdm32.exe File created C:\Windows\SysWOW64\Qojieb32.dll Dicnkdnf.exe File created C:\Windows\SysWOW64\Lngkoe32.dll Gqdefddb.exe File opened for modification C:\Windows\SysWOW64\Dahifbpk.exe Dogpdg32.exe File created C:\Windows\SysWOW64\Eppcmncq.exe Dicnkdnf.exe File opened for modification C:\Windows\SysWOW64\Epbpbnan.exe Eppcmncq.exe File opened for modification C:\Windows\SysWOW64\Lcjlnpmo.exe Kpkpadnl.exe File created C:\Windows\SysWOW64\Ifhckf32.dll Mkqqnq32.exe File opened for modification C:\Windows\SysWOW64\Ohncbdbd.exe Opglafab.exe File created C:\Windows\SysWOW64\Pmpbdm32.exe Pkaehb32.exe File created C:\Windows\SysWOW64\Mfhmmndi.dll Alnalh32.exe File created C:\Windows\SysWOW64\Ahmiofbn.dll Dmhdkdlg.exe File opened for modification C:\Windows\SysWOW64\Hjacjifm.exe Hcgjmo32.exe File opened for modification C:\Windows\SysWOW64\Lbcbjlmb.exe Loefnpnn.exe File created C:\Windows\SysWOW64\Mkqqnq32.exe Mcjhmcok.exe File created C:\Windows\SysWOW64\Qlfgce32.dll Nedhjj32.exe File created C:\Windows\SysWOW64\Hpqnnmcd.dll Aqbdkk32.exe File opened for modification C:\Windows\SysWOW64\Cbblda32.exe Ckhdggom.exe File created C:\Windows\SysWOW64\Nebhgckp.dll Fhbnbpjc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3668 3636 WerFault.exe 219 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonocmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andgop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgclio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjlnpmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnmlcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omioekbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhdcanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnpagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgoje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhdkdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdnbbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jioopgef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfejjgli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giipab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcnbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oippjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caifjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfliim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngealejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opglafab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciaefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlgmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnomjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlphbbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqqnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnofjfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffodjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdefddb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjacjifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieajkfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bccmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbcen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjlheehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqbbagjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipdkieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoiio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihniaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgjgboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebmjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqbdkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceebklai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghajacmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjojh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkephn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 8eec561f36f37a4d8f736faffb95fbd0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epbpbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkhhhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kekiphge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdbbgdjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhjlli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qojieb32.dll" Dicnkdnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpbglhjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll" Aqbdkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecpilip.dll" Kgclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmicfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nipdkieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceebklai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giddhc32.dll" Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omklkkpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiffkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opqoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfnnoge.dll" Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfmcc32.dll" Gjjmijme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcgjmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldmleam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjpijfl.dll" Lbfook32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjlheehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocnkj32.dll" Mjaddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojojafnk.dll" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll" Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll" Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpfmmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihglhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjffnf32.dll" Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgiha32.dll" Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odldga32.dll" Nbmaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opglafab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjmdhnf.dll" Ofhjopbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjmeiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpdaj32.dll" Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieajkfmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpdnbbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkgbapp.dll" Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpkompgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpkpadnl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2072 wrote to memory of 2488 2072 8eec561f36f37a4d8f736faffb95fbd0N.exe 30 PID 2072 wrote to memory of 2488 2072 8eec561f36f37a4d8f736faffb95fbd0N.exe 30 PID 2072 wrote to memory of 2488 2072 8eec561f36f37a4d8f736faffb95fbd0N.exe 30 PID 2072 wrote to memory of 2488 2072 8eec561f36f37a4d8f736faffb95fbd0N.exe 30 PID 2488 wrote to memory of 3004 2488 Bcmfmlen.exe 31 PID 2488 wrote to memory of 3004 2488 Bcmfmlen.exe 31 PID 2488 wrote to memory of 3004 2488 Bcmfmlen.exe 31 PID 2488 wrote to memory of 3004 2488 Bcmfmlen.exe 31 PID 3004 wrote to memory of 580 3004 Cjgoje32.exe 32 PID 3004 wrote to memory of 580 3004 Cjgoje32.exe 32 PID 3004 wrote to memory of 580 3004 Cjgoje32.exe 32 PID 3004 wrote to memory of 580 3004 Cjgoje32.exe 32 PID 580 wrote to memory of 2736 580 Cjlheehe.exe 33 PID 580 wrote to memory of 2736 580 Cjlheehe.exe 33 PID 580 wrote to memory of 2736 580 Cjlheehe.exe 33 PID 580 wrote to memory of 2736 580 Cjlheehe.exe 33 PID 2736 wrote to memory of 2536 2736 Ciaefa32.exe 34 PID 2736 wrote to memory of 2536 2736 Ciaefa32.exe 34 PID 2736 wrote to memory of 2536 2736 Ciaefa32.exe 34 PID 2736 wrote to memory of 2536 2736 Ciaefa32.exe 34 PID 2536 wrote to memory of 2556 2536 Chfbgn32.exe 35 PID 2536 wrote to memory of 2556 2536 Chfbgn32.exe 35 PID 2536 wrote to memory of 2556 2536 Chfbgn32.exe 35 PID 2536 wrote to memory of 2556 2536 Chfbgn32.exe 35 PID 2556 wrote to memory of 2584 2556 Dejbqb32.exe 36 PID 2556 wrote to memory of 2584 2556 Dejbqb32.exe 36 PID 2556 wrote to memory of 2584 2556 Dejbqb32.exe 36 PID 2556 wrote to memory of 2584 2556 Dejbqb32.exe 36 PID 2584 wrote to memory of 2452 2584 Dmhdkdlg.exe 37 PID 2584 wrote to memory of 2452 2584 Dmhdkdlg.exe 37 PID 2584 wrote to memory of 2452 2584 Dmhdkdlg.exe 37 PID 2584 wrote to memory of 2452 2584 Dmhdkdlg.exe 37 PID 2452 wrote to memory of 340 2452 Dogpdg32.exe 38 PID 2452 wrote to memory of 340 2452 Dogpdg32.exe 38 PID 2452 wrote to memory of 340 2452 Dogpdg32.exe 38 PID 2452 wrote to memory of 340 2452 Dogpdg32.exe 38 PID 340 wrote to memory of 1388 340 Dahifbpk.exe 39 PID 340 wrote to memory of 1388 340 Dahifbpk.exe 39 PID 340 wrote to memory of 1388 340 Dahifbpk.exe 39 PID 340 wrote to memory of 1388 340 Dahifbpk.exe 39 PID 1388 wrote to memory of 2424 1388 Dicnkdnf.exe 40 PID 1388 wrote to memory of 2424 1388 Dicnkdnf.exe 40 PID 1388 wrote to memory of 2424 1388 Dicnkdnf.exe 40 PID 1388 wrote to memory of 2424 1388 Dicnkdnf.exe 40 PID 2424 wrote to memory of 1572 2424 Eppcmncq.exe 41 PID 2424 wrote to memory of 1572 2424 Eppcmncq.exe 41 PID 2424 wrote to memory of 1572 2424 Eppcmncq.exe 41 PID 2424 wrote to memory of 1572 2424 Eppcmncq.exe 41 PID 1572 wrote to memory of 2820 1572 Epbpbnan.exe 42 PID 1572 wrote to memory of 2820 1572 Epbpbnan.exe 42 PID 1572 wrote to memory of 2820 1572 Epbpbnan.exe 42 PID 1572 wrote to memory of 2820 1572 Epbpbnan.exe 42 PID 2820 wrote to memory of 2868 2820 Fhbnbpjc.exe 43 PID 2820 wrote to memory of 2868 2820 Fhbnbpjc.exe 43 PID 2820 wrote to memory of 2868 2820 Fhbnbpjc.exe 43 PID 2820 wrote to memory of 2868 2820 Fhbnbpjc.exe 43 PID 2868 wrote to memory of 1628 2868 Fnofjfhk.exe 44 PID 2868 wrote to memory of 1628 2868 Fnofjfhk.exe 44 PID 2868 wrote to memory of 1628 2868 Fnofjfhk.exe 44 PID 2868 wrote to memory of 1628 2868 Fnofjfhk.exe 44 PID 1628 wrote to memory of 2396 1628 Flfpabkp.exe 45 PID 1628 wrote to memory of 2396 1628 Flfpabkp.exe 45 PID 1628 wrote to memory of 2396 1628 Flfpabkp.exe 45 PID 1628 wrote to memory of 2396 1628 Flfpabkp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8eec561f36f37a4d8f736faffb95fbd0N.exe"C:\Users\Admin\AppData\Local\Temp\8eec561f36f37a4d8f736faffb95fbd0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:340 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1112 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe34⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe35⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe42⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe45⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe47⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe56⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:544 -
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe61⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe62⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe67⤵PID:1588
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe69⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe72⤵
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe74⤵
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe75⤵PID:2788
-
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe76⤵PID:2984
-
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1620 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe80⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe81⤵PID:2988
-
C:\Windows\SysWOW64\Loefnpnn.exeC:\Windows\system32\Loefnpnn.exe82⤵
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe83⤵
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe84⤵PID:780
-
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe85⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe86⤵PID:1976
-
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe88⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe89⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Mnomjl32.exeC:\Windows\system32\Mnomjl32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe93⤵PID:1372
-
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe94⤵PID:1924
-
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe98⤵PID:1720
-
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe100⤵
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe101⤵PID:1544
-
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe102⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Nipdkieg.exeC:\Windows\system32\Nipdkieg.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe105⤵
- System Location Discovery: System Language Discovery
PID:680 -
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920 -
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe110⤵
- Drops file in System32 directory
PID:288 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe111⤵
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe113⤵PID:3048
-
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe114⤵PID:2688
-
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe116⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Omioekbo.exeC:\Windows\system32\Omioekbo.exe117⤵
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Oippjl32.exeC:\Windows\system32\Oippjl32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe121⤵
- Modifies registry class
PID:2064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-