Analysis
max time kernel: 117s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23-08-2024 16:48
Static task: static1
Behavioral task: behavioral1
Sample: 586d012a5a39c5a1532489b06f0acf00N.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 586d012a5a39c5a1532489b06f0acf00N.exe
Resource: win10v2004-20240802-en
General
Target: 586d012a5a39c5a1532489b06f0acf00N.exe
Size: 276KB
MD5: 586d012a5a39c5a1532489b06f0acf00
SHA1: 333bb9373951f10204c75a6b24e8986f47a2357f
SHA256: 3544f453ea2c3e66d305e1e46d6488cedfb3118385a1b4c84439752a05bab262
SHA512: 0466caae3fd087ddc61d04a1de2e140c65cbe7ee16ade6277d3b2d6126a1e0ab16739bd9b7bf7e5638f1f4d5644a9ec371a493de76dbee3aeacf01b05e5e1930
SSDEEP: 6144:CUOsCa5P/JczUdZMGXF5ahdt3rM8d7TtLa:CUJBcAXFWtJ9O
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 3256, pid_target: 3232, Process: WerFault.exe, procid_target: 215
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2364 wrote to memory of 2680 2364 586d012a5a39c5a1532489b06f0acf00N.exe 29
PID 2364 wrote to memory of 2680 2364 586d012a5a39c5a1532489b06f0acf00N.exe 29
PID 2364 wrote to memory of 2680 2364 586d012a5a39c5a1532489b06f0acf00N.exe 29
PID 2364 wrote to memory of 2680 2364 586d012a5a39c5a1532489b06f0acf00N.exe 29
PID 2680 wrote to memory of 2328 2680 Glimdgmj.exe 30
PID 2680 wrote to memory of 2328 2680 Glimdgmj.exe 30
PID 2680 wrote to memory of 2328 2680 Glimdgmj.exe 30
PID 2680 wrote to memory of 2328 2680 Glimdgmj.exe 30
PID 2328 wrote to memory of 1252 2328 Gogipbln.exe 31
PID 2328 wrote to memory of 1252 2328 Gogipbln.exe 31
PID 2328 wrote to memory of 1252 2328 Gogipbln.exe 31
PID 2328 wrote to memory of 1252 2328 Gogipbln.exe 31
PID 1252 wrote to memory of 2736 1252 Gojfeb32.exe 32
PID 1252 wrote to memory of 2736 1252 Gojfeb32.exe 32
PID 1252 wrote to memory of 2736 1252 Gojfeb32.exe 32
PID 1252 wrote to memory of 2736 1252 Gojfeb32.exe 32
PID 2736 wrote to memory of 2752 2736 Gcebfqbd.exe 33
PID 2736 wrote to memory of 2752 2736 Gcebfqbd.exe 33
PID 2736 wrote to memory of 2752 2736 Gcebfqbd.exe 33
PID 2736 wrote to memory of 2752 2736 Gcebfqbd.exe 33
PID 2752 wrote to memory of 2884 2752 Holcka32.exe 34
PID 2752 wrote to memory of 2884 2752 Holcka32.exe 34
PID 2752 wrote to memory of 2884 2752 Holcka32.exe 34
PID 2752 wrote to memory of 2884 2752 Holcka32.exe 34
PID 2884 wrote to memory of 2732 2884 Hhdgdg32.exe 35
PID 2884 wrote to memory of 2732 2884 Hhdgdg32.exe 35
PID 2884 wrote to memory of 2732 2884 Hhdgdg32.exe 35
PID 2884 wrote to memory of 2732 2884 Hhdgdg32.exe 35
PID 2732 wrote to memory of 2628 2732 Hkccpb32.exe 36
PID 2732 wrote to memory of 2628 2732 Hkccpb32.exe 36
PID 2732 wrote to memory of 2628 2732 Hkccpb32.exe 36
PID 2732 wrote to memory of 2628 2732 Hkccpb32.exe 36
PID 2628 wrote to memory of 2112 2628 Hgjdecca.exe 37
PID 2628 wrote to memory of 2112 2628 Hgjdecca.exe 37
PID 2628 wrote to memory of 2112 2628 Hgjdecca.exe 37
PID 2628 wrote to memory of 2112 2628 Hgjdecca.exe 37
PID 2112 wrote to memory of 1720 2112 Hnclbn32.exe 38
PID 2112 wrote to memory of 1720 2112 Hnclbn32.exe 38
PID 2112 wrote to memory of 1720 2112 Hnclbn32.exe 38
PID 2112 wrote to memory of 1720 2112 Hnclbn32.exe 38
PID 1720 wrote to memory of 2216 1720 Hjjmgo32.exe 39
PID 1720 wrote to memory of 2216 1720 Hjjmgo32.exe 39
PID 1720 wrote to memory of 2216 1720 Hjjmgo32.exe 39
PID 1720 wrote to memory of 2216 1720 Hjjmgo32.exe 39
PID 2216 wrote to memory of 1680 2216 Hqdeciho.exe 40
PID 2216 wrote to memory of 1680 2216 Hqdeciho.exe 40
PID 2216 wrote to memory of 1680 2216 Hqdeciho.exe 40
PID 2216 wrote to memory of 1680 2216 Hqdeciho.exe 40
PID 1680 wrote to memory of 2904 1680 Inhfmmfi.exe 41
PID 1680 wrote to memory of 2904 1680 Inhfmmfi.exe 41
PID 1680 wrote to memory of 2904 1680 Inhfmmfi.exe 41
PID 1680 wrote to memory of 2904 1680 Inhfmmfi.exe 41
PID 2904 wrote to memory of 1144 2904 Icenedep.exe 42
PID 2904 wrote to memory of 1144 2904 Icenedep.exe 42
PID 2904 wrote to memory of 1144 2904 Icenedep.exe 42
PID 2904 wrote to memory of 1144 2904 Icenedep.exe 42
PID 1144 wrote to memory of 2412 1144 Iibgmk32.exe 43
PID 1144 wrote to memory of 2412 1144 Iibgmk32.exe 43
PID 1144 wrote to memory of 2412 1144 Iibgmk32.exe 43
PID 1144 wrote to memory of 2412 1144 Iibgmk32.exe 43
PID 2412 wrote to memory of 1540 2412 Iffggo32.exe 44
PID 2412 wrote to memory of 1540 2412 Iffggo32.exe 44
PID 2412 wrote to memory of 1540 2412 Iffggo32.exe 44
PID 2412 wrote to memory of 1540 2412 Iffggo32.exe 44
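The two IoC tables above carry the whole story of this sample once they are read together: every dropped EXE hands execution to the next one (the WriteProcessMemory chain), and a single CLSID that Explorer.exe is told to load at logon has its InProcServer32 default value re-pointed, by one generation after another, at a freshly dropped DLL in SysWow64. The script below is an added example, not part of the sandbox report or of any tool it names: it parses a constructed subset of the report's own IoC lines (copied from the tables above, one event per line), rebuilds the spawn chain while collapsing the repeated WriteProcessMemory calls per child, collects every DLL registered under the CLSID, and flags the pattern of one COM server being rewritten by several distinct processes. The regexes assume the `description ioc Process` and `description pid Process procid_target` column layouts shown above; the function names are the example's own.

```python
"""Parse this report's registry and WriteProcessMemory IoC lines.

Added example, not part of the sandbox report. The input strings are a
constructed subset of the report's own IoC tables, one event per line.
"""
import re

# Constructed sample: registry IoCs in the report's "description ioc Process" form.
REGISTRY_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nclfpg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcbhfd32.dll" Inhfmmfi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkpkkoa.dll" Bjgoff32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llnhikkb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpbblaf.dll" Ampbbbbo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkfhdkdp.dll" Mideho32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdngh32.dll" Kefpbm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfamhn32.dll" Aaiamamk.exe
"""

# Constructed sample: WriteProcessMemory IoCs ("description pid Process procid_target").
WPM_IOCS = """
PID 2364 wrote to memory of 2680 2364 586d012a5a39c5a1532489b06f0acf00N.exe 29
PID 2364 wrote to memory of 2680 2364 586d012a5a39c5a1532489b06f0acf00N.exe 29
PID 2680 wrote to memory of 2328 2680 Glimdgmj.exe 30
PID 2328 wrote to memory of 1252 2328 Gogipbln.exe 31
PID 1252 wrote to memory of 2736 1252 Gojfeb32.exe 32
PID 2736 wrote to memory of 2752 2736 Gcebfqbd.exe 33
PID 2752 wrote to memory of 2884 2752 Holcka32.exe 34
PID 2884 wrote to memory of 2732 2884 Hhdgdg32.exe 35
PID 2732 wrote to memory of 2628 2732 Hkccpb32.exe 36
PID 2628 wrote to memory of 2112 2628 Hgjdecca.exe 37
PID 2112 wrote to memory of 1720 2112 Hnclbn32.exe 38
PID 1720 wrote to memory of 2216 1720 Hjjmgo32.exe 39
PID 2216 wrote to memory of 1680 2216 Hqdeciho.exe 40
PID 1680 wrote to memory of 2904 1680 Inhfmmfi.exe 41
PID 2904 wrote to memory of 1144 2904 Icenedep.exe 42
PID 1144 wrote to memory of 2412 1144 Iibgmk32.exe 43
PID 2412 wrote to memory of 1540 2412 Iffggo32.exe 44
"""

INPROC_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created) '
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\'
    r'(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32'
    r'(?:\\(?P<value>\S*) = "(?P<data>[^"]*)")? (?P<proc>\S+)$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
                    r'(?P<pid>\d+) (?P<proc>\S+) (?P<target>\d+)$')


def parse_inproc(text):
    """One dict per InProcServer32 event; the '(Default)' value names the DLL
    that COM loads for the CLSID, which is what the persistence hinges on."""
    events = []
    for line in text.strip().splitlines():
        m = INPROC_RE.match(line.strip())
        if not m:
            continue
        value = '(Default)' if m['value'] == '' else m['value']
        events.append({'op': m['op'], 'clsid': m['clsid'].upper(), 'value': value,
                       # the report doubles backslashes inside quoted data; undo it
                       'data': (m['data'] or '').replace('\\\\', '\\'),
                       'process': m['proc']})
    return events


def com_servers(events):
    """Map each CLSID to its ordered (dll_path, registering process) pairs."""
    servers = {}
    for e in events:
        if e['value'] == '(Default)' and e['data'].lower().endswith('.dll'):
            servers.setdefault(e['clsid'], []).append((e['data'], e['process']))
    return servers


def parse_spawn_chain(text):
    """Unique (parent_pid, parent_image, child_pid) edges in first-seen order;
    the sandbox logs several WriteProcessMemory calls per spawned child."""
    edges = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m and (m['src'], m['proc'], m['dst']) not in edges:
            edges.append((m['src'], m['proc'], m['dst']))
    return edges


def is_linear_chain(edges):
    """True when each spawned child is the parent in the next edge."""
    return all(edges[i][2] == edges[i + 1][0] for i in range(len(edges) - 1))


def assess(servers, edges):
    """Flag a CLSID whose in-process server is re-pointed by several distinct
    processes: one logon-loaded COM object, many dropped DLLs behind it."""
    spawners = {e[1] for e in edges}
    findings = []
    for clsid, regs in servers.items():
        writers = {p for _, p in regs}
        if len(writers) > 1:
            findings.append({'clsid': clsid, 'dlls': sorted({d for d, _ in regs}),
                             'writers': sorted(writers),
                             'in_spawn_chain': sorted(writers & spawners)})
    return findings
```

Running `assess(com_servers(parse_inproc(REGISTRY_IOCS)), parse_spawn_chain(WPM_IOCS))` on the sample reports one CLSID with six different DLL paths written by six different processes, only one of which (Inhfmmfi.exe) appears in the first sixteen hops of the spawn chain; the rest are deeper in the process tree below. On a live host the same logic applies to events from Sysmon (EventID 13 for the registry values, EventID 8/10 for the cross-process writes) rather than sandbox lines.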
Processes
-
C:\Users\Admin\AppData\Local\Temp\586d012a5a39c5a1532489b06f0acf00N.exe"C:\Users\Admin\AppData\Local\Temp\586d012a5a39c5a1532489b06f0acf00N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Glimdgmj.exeC:\Windows\system32\Glimdgmj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Gogipbln.exeC:\Windows\system32\Gogipbln.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Gojfeb32.exeC:\Windows\system32\Gojfeb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Gcebfqbd.exeC:\Windows\system32\Gcebfqbd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Holcka32.exeC:\Windows\system32\Holcka32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Hhdgdg32.exeC:\Windows\system32\Hhdgdg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Hkccpb32.exeC:\Windows\system32\Hkccpb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Hgjdecca.exeC:\Windows\system32\Hgjdecca.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Hnclbn32.exeC:\Windows\system32\Hnclbn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Hjjmgo32.exeC:\Windows\system32\Hjjmgo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Hqdeciho.exeC:\Windows\system32\Hqdeciho.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Inhfmmfi.exeC:\Windows\system32\Inhfmmfi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Icenedep.exeC:\Windows\system32\Icenedep.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Iibgmk32.exeC:\Windows\system32\Iibgmk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Iffggo32.exeC:\Windows\system32\Iffggo32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Ikeldenf.exeC:\Windows\system32\Ikeldenf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Iboeap32.exeC:\Windows\system32\Iboeap32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1188 -
C:\Windows\SysWOW64\Ikgijelc.exeC:\Windows\system32\Ikgijelc.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:932 -
C:\Windows\SysWOW64\Iocekd32.exeC:\Windows\system32\Iocekd32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Ibaago32.exeC:\Windows\system32\Ibaago32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Jikjcikm.exeC:\Windows\system32\Jikjcikm.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Jnhblp32.exeC:\Windows\system32\Jnhblp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:236 -
C:\Windows\SysWOW64\Jebjijqa.exeC:\Windows\system32\Jebjijqa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Jklbed32.exeC:\Windows\system32\Jklbed32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Jnjoap32.exeC:\Windows\system32\Jnjoap32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Jcggjg32.exeC:\Windows\system32\Jcggjg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Jgccjenb.exeC:\Windows\system32\Jgccjenb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Jmplbl32.exeC:\Windows\system32\Jmplbl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Jcidofcf.exeC:\Windows\system32\Jcidofcf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Jfhpkbbj.exeC:\Windows\system32\Jfhpkbbj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Jandikbp.exeC:\Windows\system32\Jandikbp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Jjfiap32.exeC:\Windows\system32\Jjfiap32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Jiiimmok.exeC:\Windows\system32\Jiiimmok.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Kbanfbfk.exeC:\Windows\system32\Kbanfbfk.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Kepjbneo.exeC:\Windows\system32\Kepjbneo.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Kmfbckfa.exeC:\Windows\system32\Kmfbckfa.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Kbcjkbdi.exeC:\Windows\system32\Kbcjkbdi.exe38⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Khpccibp.exeC:\Windows\system32\Khpccibp.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Kpgkef32.exeC:\Windows\system32\Kpgkef32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Kedcmm32.exeC:\Windows\system32\Kedcmm32.exe41⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Khbpii32.exeC:\Windows\system32\Khbpii32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Komhfcgj.exeC:\Windows\system32\Komhfcgj.exe43⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Kbhdfa32.exeC:\Windows\system32\Kbhdfa32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Kefpbm32.exeC:\Windows\system32\Kefpbm32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Kheloh32.exeC:\Windows\system32\Kheloh32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Kkchkd32.exeC:\Windows\system32\Kkchkd32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Kmaego32.exeC:\Windows\system32\Kmaego32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Kamahn32.exeC:\Windows\system32\Kamahn32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Khgidhlh.exeC:\Windows\system32\Khgidhlh.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Loaaab32.exeC:\Windows\system32\Loaaab32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:372 -
C:\Windows\SysWOW64\Lmdamojp.exeC:\Windows\system32\Lmdamojp.exe52⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Lpbnijic.exeC:\Windows\system32\Lpbnijic.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Lhjfjhje.exeC:\Windows\system32\Lhjfjhje.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Lkhbfcii.exeC:\Windows\system32\Lkhbfcii.exe55⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Likbap32.exeC:\Windows\system32\Likbap32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Labjcmqf.exeC:\Windows\system32\Labjcmqf.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Lbcgje32.exeC:\Windows\system32\Lbcgje32.exe58⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Lkjolc32.exeC:\Windows\system32\Lkjolc32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Lllkckme.exeC:\Windows\system32\Lllkckme.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Lcecpe32.exeC:\Windows\system32\Lcecpe32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Lgaoqdmk.exeC:\Windows\system32\Lgaoqdmk.exe62⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Liplmolo.exeC:\Windows\system32\Liplmolo.exe63⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Llnhikkb.exeC:\Windows\system32\Llnhikkb.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Loldefjf.exeC:\Windows\system32\Loldefjf.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Lgclfc32.exeC:\Windows\system32\Lgclfc32.exe66⤵
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Libhbo32.exeC:\Windows\system32\Libhbo32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Windows\SysWOW64\Llpdnj32.exeC:\Windows\system32\Llpdnj32.exe68⤵PID:1104
-
C:\Windows\SysWOW64\Mcjmkdpl.exeC:\Windows\system32\Mcjmkdpl.exe69⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Meiigppp.exeC:\Windows\system32\Meiigppp.exe70⤵
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Mideho32.exeC:\Windows\system32\Mideho32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Mkeapgng.exeC:\Windows\system32\Mkeapgng.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Mcmiqdnj.exeC:\Windows\system32\Mcmiqdnj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Mekfmp32.exeC:\Windows\system32\Mekfmp32.exe74⤵PID:2620
-
C:\Windows\SysWOW64\Mhibik32.exeC:\Windows\system32\Mhibik32.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Mocjeedn.exeC:\Windows\system32\Mocjeedn.exe76⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Mnfjab32.exeC:\Windows\system32\Mnfjab32.exe77⤵
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Membbo32.exeC:\Windows\system32\Membbo32.exe78⤵PID:2388
-
C:\Windows\SysWOW64\Mhlonk32.exeC:\Windows\system32\Mhlonk32.exe79⤵PID:1624
-
C:\Windows\SysWOW64\Mofgkebk.exeC:\Windows\system32\Mofgkebk.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Madcgpao.exeC:\Windows\system32\Madcgpao.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:984 -
C:\Windows\SysWOW64\Mpgccm32.exeC:\Windows\system32\Mpgccm32.exe82⤵PID:2116
-
C:\Windows\SysWOW64\Mhnkdjhl.exeC:\Windows\system32\Mhnkdjhl.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Mgalpg32.exeC:\Windows\system32\Mgalpg32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:568 -
C:\Windows\SysWOW64\Mjohlb32.exeC:\Windows\system32\Mjohlb32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Mafpmp32.exeC:\Windows\system32\Mafpmp32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Mdelik32.exeC:\Windows\system32\Mdelik32.exe87⤵
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Mgcheg32.exeC:\Windows\system32\Mgcheg32.exe88⤵
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Nlpamn32.exeC:\Windows\system32\Nlpamn32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Ndgiok32.exeC:\Windows\system32\Ndgiok32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Ngeekfka.exeC:\Windows\system32\Ngeekfka.exe91⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Njdagbjd.exeC:\Windows\system32\Njdagbjd.exe92⤵
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Nlbncmih.exeC:\Windows\system32\Nlbncmih.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Noajoihl.exeC:\Windows\system32\Noajoihl.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Nclfpg32.exeC:\Windows\system32\Nclfpg32.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Nfkblc32.exeC:\Windows\system32\Nfkblc32.exe96⤵PID:1180
-
C:\Windows\SysWOW64\Nhinhn32.exeC:\Windows\system32\Nhinhn32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Nocfdhfi.exeC:\Windows\system32\Nocfdhfi.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Nbacqdem.exeC:\Windows\system32\Nbacqdem.exe99⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Nhlkmnmj.exeC:\Windows\system32\Nhlkmnmj.exe100⤵
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Nmggnm32.exeC:\Windows\system32\Nmggnm32.exe101⤵PID:2512
-
C:\Windows\SysWOW64\Ncaokgmp.exeC:\Windows\system32\Ncaokgmp.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Nbdpfc32.exeC:\Windows\system32\Nbdpfc32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Nhnhcnkg.exeC:\Windows\system32\Nhnhcnkg.exe104⤵
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Nmiccl32.exeC:\Windows\system32\Nmiccl32.exe105⤵
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Nnkpkdio.exeC:\Windows\system32\Nnkpkdio.exe106⤵PID:2432
-
C:\Windows\SysWOW64\Ofbhlbja.exeC:\Windows\system32\Ofbhlbja.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Oipdhm32.exeC:\Windows\system32\Oipdhm32.exe108⤵PID:680
-
C:\Windows\SysWOW64\Ogcddjpo.exeC:\Windows\system32\Ogcddjpo.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Oojmegqa.exeC:\Windows\system32\Oojmegqa.exe110⤵
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Obiiacpe.exeC:\Windows\system32\Obiiacpe.exe111⤵
- System Location Discovery: System Language Discovery
PID:320 -
C:\Windows\SysWOW64\Oibanm32.exeC:\Windows\system32\Oibanm32.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Ojdnfemp.exeC:\Windows\system32\Ojdnfemp.exe113⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Obkegbnb.exeC:\Windows\system32\Obkegbnb.exe114⤵PID:2928
-
C:\Windows\SysWOW64\Oeibcnmf.exeC:\Windows\system32\Oeibcnmf.exe115⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Oghnoi32.exeC:\Windows\system32\Oghnoi32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Okcjphdc.exeC:\Windows\system32\Okcjphdc.exe117⤵
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Omdfgq32.exeC:\Windows\system32\Omdfgq32.exe118⤵
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Oqpbhobj.exeC:\Windows\system32\Oqpbhobj.exe119⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Ocoodjan.exeC:\Windows\system32\Ocoodjan.exe120⤵PID:1724
-
C:\Windows\SysWOW64\Ondcacad.exeC:\Windows\system32\Ondcacad.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Oabonopg.exeC:\Windows\system32\Oabonopg.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2476