Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
24/08/2024, 01:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe
-
Size
96KB
-
MD5
46e3161ee8ed624fb131ebf50a35c053
-
SHA1
7907135792ad9e607cebff62691bc672ed9d2290
-
SHA256
b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112
-
SHA512
baa64777a0ed75e48eb70d7af67427ee96078f0d38b671bdb80880f2cb7a4bb750b2dab8456784f0232e8c0796ac17540ec783aa8833693757312a4dc4f9ece9
-
SSDEEP
1536:p3eRXt3tYBGlNTW/IqymHKMcg27on23muEq2MKMTPvnnnnaQ79SdgwRu8KoduV9J:puRXt3JlNa/AKOs22uEqdoRuJod69jcs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbqjqehd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonlkcho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lglmefcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maanab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qifnhaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnkip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhdfmbjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inepgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekehomj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkbbinig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcjjkkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnqjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbadagln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgqion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icbipe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhflcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnfdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmbge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inepgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clilmbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbcelp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpfpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bogljj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqochjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjggap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpgfbom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kijmbnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okpdjjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qldjdlgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afqhjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndnpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnjnkkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmhbgpia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjnjqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Addhcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbqkeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhaeldn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfnckhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nopaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obhpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adblnnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbkhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cglcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfcmlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahngomkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khojcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhpad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebockkal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijmbnpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaofgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chggdoee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccqhdmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enmnahnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joppeeif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkdigfa.exe -
Executes dropped EXE 64 IoCs
pid Process 2684 Hdefnjkj.exe 2712 Hokjkbkp.exe 2808 Hhcndhap.exe 2720 Hkbkpcpd.exe 2604 Halcmn32.exe 3016 Hqochjnk.exe 2480 Hjggap32.exe 2532 Idmlniea.exe 2092 Igkhjdde.exe 2072 Inepgn32.exe 600 Icbipe32.exe 2204 Ijlaloaf.exe 2268 Iqfiii32.exe 1300 Igpaec32.exe 2192 Iianmlfn.exe 2332 Icfbkded.exe 3056 Iickckcl.exe 1580 Ikagogco.exe 2976 Iblola32.exe 2956 Iifghk32.exe 2980 Joppeeif.exe 1516 Jgkdigfa.exe 1728 Jbphgpfg.exe 2104 Jacibm32.exe 2764 Jjlmkb32.exe 2404 Jbcelp32.exe 2672 Jgpndg32.exe 2576 Jjnjqb32.exe 3008 Jgbjjf32.exe 2200 Jfekec32.exe 1060 Jjpgfbom.exe 1540 Kgdgpfnf.exe 2124 Kamlhl32.exe 1860 Kppldhla.exe 2444 Kihpmnbb.exe 2644 Kmclmm32.exe 2520 Kijmbnpo.exe 2256 Klhioioc.exe 2012 Kngekdnf.exe 1764 Kimjhnnl.exe 2356 Khojcj32.exe 2036 Kbenacdm.exe 940 Kaholp32.exe 1864 Klmbjh32.exe 2952 Lolofd32.exe 1808 Lajkbp32.exe 2316 Ldhgnk32.exe 1760 Llpoohik.exe 2560 Lonlkcho.exe 2608 Lalhgogb.exe 1240 Ldkdckff.exe 2612 Lhfpdi32.exe 2848 Lophacfl.exe 1816 Laodmoep.exe 916 Ldmaijdc.exe 2868 Lglmefcg.exe 1104 Lkgifd32.exe 1496 Laaabo32.exe 2392 Lpdankjg.exe 1160 Lbbnjgik.exe 1044 Lgnjke32.exe 1812 Lkifkdjm.exe 2044 Lmhbgpia.exe 1008 Lpfnckhe.exe -
Loads dropped DLL 64 IoCs
pid Process 2388 b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe 2388 b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe 2684 Hdefnjkj.exe 2684 Hdefnjkj.exe 2712 Hokjkbkp.exe 2712 Hokjkbkp.exe 2808 Hhcndhap.exe 2808 Hhcndhap.exe 2720 Hkbkpcpd.exe 2720 Hkbkpcpd.exe 2604 Halcmn32.exe 2604 Halcmn32.exe 3016 Hqochjnk.exe 3016 Hqochjnk.exe 2480 Hjggap32.exe 2480 Hjggap32.exe 2532 Idmlniea.exe 2532 Idmlniea.exe 2092 Igkhjdde.exe 2092 Igkhjdde.exe 2072 Inepgn32.exe 2072 Inepgn32.exe 600 Icbipe32.exe 600 Icbipe32.exe 2204 Ijlaloaf.exe 2204 Ijlaloaf.exe 2268 Iqfiii32.exe 2268 Iqfiii32.exe 1300 Igpaec32.exe 1300 Igpaec32.exe 2192 Iianmlfn.exe 2192 Iianmlfn.exe 2332 Icfbkded.exe 2332 Icfbkded.exe 3056 Iickckcl.exe 3056 Iickckcl.exe 1580 Ikagogco.exe 1580 Ikagogco.exe 2976 Iblola32.exe 2976 Iblola32.exe 2956 Iifghk32.exe 2956 Iifghk32.exe 2980 Joppeeif.exe 2980 Joppeeif.exe 1516 Jgkdigfa.exe 1516 Jgkdigfa.exe 1728 Jbphgpfg.exe 1728 Jbphgpfg.exe 2104 Jacibm32.exe 2104 Jacibm32.exe 2764 Jjlmkb32.exe 2764 Jjlmkb32.exe 2404 Jbcelp32.exe 2404 Jbcelp32.exe 2672 Jgpndg32.exe 2672 Jgpndg32.exe 2576 Jjnjqb32.exe 2576 Jjnjqb32.exe 3008 Jgbjjf32.exe 3008 Jgbjjf32.exe 2200 Jfekec32.exe 2200 Jfekec32.exe 1060 Jjpgfbom.exe 1060 Jjpgfbom.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pcbookpp.exe Padccpal.exe File opened for modification C:\Windows\SysWOW64\Amjpgdik.exe Afqhjj32.exe File created C:\Windows\SysWOW64\Bakaaepk.exe Boleejag.exe File opened for modification C:\Windows\SysWOW64\Coladm32.exe Clnehado.exe File created C:\Windows\SysWOW64\Dklepmal.exe Dgqion32.exe File created C:\Windows\SysWOW64\Mlglpa32.dll Mehpga32.exe File created C:\Windows\SysWOW64\Egfdjljo.dll Ammmlcgi.exe File opened for modification C:\Windows\SysWOW64\Chggdoee.exe Cdkkcp32.exe File opened for modification C:\Windows\SysWOW64\Cglcek32.exe Ccqhdmbc.exe File created C:\Windows\SysWOW64\Malbbh32.dll Dglpdomh.exe File created C:\Windows\SysWOW64\Ijlaloaf.exe Icbipe32.exe File opened for modification C:\Windows\SysWOW64\Jbcelp32.exe Jjlmkb32.exe File created C:\Windows\SysWOW64\Jqoljf32.dll Oknhdjko.exe File created C:\Windows\SysWOW64\Lglmefcg.exe Ldmaijdc.exe File opened for modification C:\Windows\SysWOW64\Cdkkcp32.exe Cnabffeo.exe File opened for modification C:\Windows\SysWOW64\Kngekdnf.exe Klhioioc.exe File created C:\Windows\SysWOW64\Klalgq32.dll Ldhgnk32.exe File opened for modification C:\Windows\SysWOW64\Ngpcohbm.exe Ndafcmci.exe File created C:\Windows\SysWOW64\Dnjalhpp.exe Dklepmal.exe File created C:\Windows\SysWOW64\Almpdj32.dll Eiilge32.exe File opened for modification C:\Windows\SysWOW64\Igkhjdde.exe Idmlniea.exe File created C:\Windows\SysWOW64\Nhocol32.dll Jbphgpfg.exe File created C:\Windows\SysWOW64\Jfekec32.exe Jgbjjf32.exe File created C:\Windows\SysWOW64\Dhgccbhp.exe Dfhgggim.exe File created C:\Windows\SysWOW64\Amefhjna.dll Ppkmjlca.exe File created C:\Windows\SysWOW64\Eknjoj32.dll Bbchkime.exe File created C:\Windows\SysWOW64\Lcfejhma.dll Kbenacdm.exe File opened for modification C:\Windows\SysWOW64\Pflbpg32.exe Pcnfdl32.exe File created C:\Windows\SysWOW64\Qifnhaho.exe Qaofgc32.exe File created C:\Windows\SysWOW64\Idmlniea.exe Hjggap32.exe File created C:\Windows\SysWOW64\Icbipe32.exe Inepgn32.exe File opened for modification C:\Windows\SysWOW64\Jgbjjf32.exe Jjnjqb32.exe File opened for modification C:\Windows\SysWOW64\Qdpohodn.exe Qemomb32.exe File opened for modification C:\Windows\SysWOW64\Dnckki32.exe Doqkpl32.exe File opened for modification C:\Windows\SysWOW64\Ekghcq32.exe Emdhhdqb.exe File opened for modification C:\Windows\SysWOW64\Fedfgejh.exe Faijggao.exe File created C:\Windows\SysWOW64\Addhcn32.exe Aaflgb32.exe File created C:\Windows\SysWOW64\Fpgnoo32.exe Einebddd.exe File created C:\Windows\SysWOW64\Jjnjqb32.exe Jgpndg32.exe File created C:\Windows\SysWOW64\Onamle32.exe Okbapi32.exe File created C:\Windows\SysWOW64\Amjpgdik.exe Afqhjj32.exe File created C:\Windows\SysWOW64\Cabcdq32.dll Bogljj32.exe File opened for modification C:\Windows\SysWOW64\Dfhgggim.exe Dcjjkkji.exe File created C:\Windows\SysWOW64\Mbpmdgef.dll Aifjgdkj.exe File created C:\Windows\SysWOW64\Ncnjeh32.exe Nldahn32.exe File created C:\Windows\SysWOW64\Afqhjj32.exe Ahngomkd.exe File created C:\Windows\SysWOW64\Cccdjl32.exe Cdpdnpif.exe File created C:\Windows\SysWOW64\Djmiejji.exe Dhklna32.exe File created C:\Windows\SysWOW64\Mlmoilni.exe Miocmq32.exe File created C:\Windows\SysWOW64\Blgcio32.exe Bihgmdih.exe File created C:\Windows\SysWOW64\Bhndnpnp.exe Beogaenl.exe File created C:\Windows\SysWOW64\Ibmkap32.dll Ldmaijdc.exe File created C:\Windows\SysWOW64\Aaflgb32.exe Amjpgdik.exe File created C:\Windows\SysWOW64\Blniinac.exe Bhbmip32.exe File created C:\Windows\SysWOW64\Aaknah32.dll Hqochjnk.exe File created C:\Windows\SysWOW64\Ifijkq32.dll Ohmoco32.exe File created C:\Windows\SysWOW64\Nplkbo32.dll Pflbpg32.exe File created C:\Windows\SysWOW64\Ipodji32.dll Bedamd32.exe File created C:\Windows\SysWOW64\Jhgnoe32.dll Njnokdaq.exe File opened for modification C:\Windows\SysWOW64\Hqochjnk.exe Halcmn32.exe File created C:\Windows\SysWOW64\Afgdde32.dll Jbcelp32.exe File created C:\Windows\SysWOW64\Llpoohik.exe Ldhgnk32.exe File created C:\Windows\SysWOW64\Bblfonpc.dll Moenkf32.exe File created C:\Windows\SysWOW64\Khdlbn32.dll Albjnplq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3692 3524 WerFault.exe 311 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokjkbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocpfkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjpgdik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnckki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfekec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejmmqpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngpcohbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooggpiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcelp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npkdnnfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aifjgdkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clilmbhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfpdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikimeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfbkded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnjqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbglpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpniokan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnqjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnjnkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdojnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajkbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgnkilf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befnbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcfdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Einebddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfpnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abnopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbbcail.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbnjgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ammmlcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aldfcpjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojipjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppldhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpoohik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qncfphff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addhcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfhqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qifnhaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albjnplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkifkdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faijggao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phgannal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldjdlgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkihofl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amoibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafhff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglcek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okpdjjil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkkcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coladm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdpnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngeljh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbkhabp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmfjmake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aankboko.dll" Clilmbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qnqjkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpbkhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgdde32.dll" Jbcelp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bklpjlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplkbo32.dll" Pflbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mofapq32.dll" Elieipej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndafcmci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cccdjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oknhdjko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afqhjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdefnjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkiio32.dll" Nknkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boeoek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjjpag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdpohodn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eenfifcn.dll" Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjkajpb.dll" Kaholp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhlmfio.dll" Hkbkpcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfoepmg.dll" Ebockkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlahdkjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfokdde.dll" Njeelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obecld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcpccaf.dll" Qemomb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaflgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befaceaa.dll" Iifghk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Miocmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpmmabh.dll" Cfaqfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqochjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjnjqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfeeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfkmcdp.dll" Dcemnopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnlpkh32.dll" Jgpndg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pflbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omhkcnfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojkndbh.dll" b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nphghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgqmpkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmiha32.dll" Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glmmpgoa.dll" Jgkdigfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obecld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khojcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nknkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnnjcdh.dll" Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncgcdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnphfdp.dll" Fedfgejh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okinik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpnop32.dll" Faijggao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jacibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kimjhnnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpgnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdkkcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peqiahfi.dll" Dhklna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknida32.dll" Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgihifq.dll" Qbobaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiilge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oehicoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfoacnc.dll" Pbglpg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2388 wrote to memory of 2684 2388 b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe 30 PID 2388 wrote to memory of 2684 2388 b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe 30 PID 2388 wrote to memory of 2684 2388 b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe 30 PID 2388 wrote to memory of 2684 2388 b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe 30 PID 2684 wrote to memory of 2712 2684 Hdefnjkj.exe 31 PID 2684 wrote to memory of 2712 2684 Hdefnjkj.exe 31 PID 2684 wrote to memory of 2712 2684 Hdefnjkj.exe 31 PID 2684 wrote to memory of 2712 2684 Hdefnjkj.exe 31 PID 2712 wrote to memory of 2808 2712 Hokjkbkp.exe 32 PID 2712 wrote to memory of 2808 2712 Hokjkbkp.exe 32 PID 2712 wrote to memory of 2808 2712 Hokjkbkp.exe 32 PID 2712 wrote to memory of 2808 2712 Hokjkbkp.exe 32 PID 2808 wrote to memory of 2720 2808 Hhcndhap.exe 33 PID 2808 wrote to memory of 2720 2808 Hhcndhap.exe 33 PID 2808 wrote to memory of 2720 2808 Hhcndhap.exe 33 PID 2808 wrote to memory of 2720 2808 Hhcndhap.exe 33 PID 2720 wrote to memory of 2604 2720 Hkbkpcpd.exe 34 PID 2720 wrote to memory of 2604 2720 Hkbkpcpd.exe 34 PID 2720 wrote to memory of 2604 2720 Hkbkpcpd.exe 34 PID 2720 wrote to memory of 2604 2720 Hkbkpcpd.exe 34 PID 2604 wrote to memory of 3016 2604 Halcmn32.exe 35 PID 2604 wrote to memory of 3016 2604 Halcmn32.exe 35 PID 2604 wrote to memory of 3016 2604 Halcmn32.exe 35 PID 2604 wrote to memory of 3016 2604 Halcmn32.exe 35 PID 3016 wrote to memory of 2480 3016 Hqochjnk.exe 36 PID 3016 wrote to memory of 2480 3016 Hqochjnk.exe 36 PID 3016 wrote to memory of 2480 3016 Hqochjnk.exe 36 PID 3016 wrote to memory of 2480 3016 Hqochjnk.exe 36 PID 2480 wrote to memory of 2532 2480 Hjggap32.exe 37 PID 2480 wrote to memory of 2532 2480 Hjggap32.exe 37 PID 2480 wrote to memory of 2532 2480 Hjggap32.exe 37 PID 2480 wrote to memory of 2532 2480 Hjggap32.exe 37 PID 2532 wrote to memory of 2092 2532 Idmlniea.exe 38 PID 2532 wrote to memory of 2092 2532 Idmlniea.exe 38 PID 2532 wrote to memory of 2092 2532 Idmlniea.exe 38 PID 2532 wrote to memory of 2092 2532 Idmlniea.exe 38 PID 2092 wrote to memory of 2072 2092 Igkhjdde.exe 39 PID 2092 wrote to memory of 2072 2092 Igkhjdde.exe 39 PID 2092 wrote to memory of 2072 2092 Igkhjdde.exe 39 PID 2092 wrote to memory of 2072 2092 Igkhjdde.exe 39 PID 2072 wrote to memory of 600 2072 Inepgn32.exe 40 PID 2072 wrote to memory of 600 2072 Inepgn32.exe 40 PID 2072 wrote to memory of 600 2072 Inepgn32.exe 40 PID 2072 wrote to memory of 600 2072 Inepgn32.exe 40 PID 600 wrote to memory of 2204 600 Icbipe32.exe 41 PID 600 wrote to memory of 2204 600 Icbipe32.exe 41 PID 600 wrote to memory of 2204 600 Icbipe32.exe 41 PID 600 wrote to memory of 2204 600 Icbipe32.exe 41 PID 2204 wrote to memory of 2268 2204 Ijlaloaf.exe 42 PID 2204 wrote to memory of 2268 2204 Ijlaloaf.exe 42 PID 2204 wrote to memory of 2268 2204 Ijlaloaf.exe 42 PID 2204 wrote to memory of 2268 2204 Ijlaloaf.exe 42 PID 2268 wrote to memory of 1300 2268 Iqfiii32.exe 43 PID 2268 wrote to memory of 1300 2268 Iqfiii32.exe 43 PID 2268 wrote to memory of 1300 2268 Iqfiii32.exe 43 PID 2268 wrote to memory of 1300 2268 Iqfiii32.exe 43 PID 1300 wrote to memory of 2192 1300 Igpaec32.exe 44 PID 1300 wrote to memory of 2192 1300 Igpaec32.exe 44 PID 1300 wrote to memory of 2192 1300 Igpaec32.exe 44 PID 1300 wrote to memory of 2192 1300 Igpaec32.exe 44 PID 2192 wrote to memory of 2332 2192 Iianmlfn.exe 45 PID 2192 wrote to memory of 2332 2192 Iianmlfn.exe 45 PID 2192 wrote to memory of 2332 2192 Iianmlfn.exe 45 PID 2192 wrote to memory of 2332 2192 Iianmlfn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe"C:\Users\Admin\AppData\Local\Temp\b6575d7131d18d98dc447cc5164730067a044c20ab2f875963a0f01fe4259112.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Hdefnjkj.exeC:\Windows\system32\Hdefnjkj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Hokjkbkp.exeC:\Windows\system32\Hokjkbkp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Hhcndhap.exeC:\Windows\system32\Hhcndhap.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Hkbkpcpd.exeC:\Windows\system32\Hkbkpcpd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Halcmn32.exeC:\Windows\system32\Halcmn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Hjggap32.exeC:\Windows\system32\Hjggap32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Idmlniea.exeC:\Windows\system32\Idmlniea.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Igkhjdde.exeC:\Windows\system32\Igkhjdde.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Inepgn32.exeC:\Windows\system32\Inepgn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Icbipe32.exeC:\Windows\system32\Icbipe32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\Ijlaloaf.exeC:\Windows\system32\Ijlaloaf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Iqfiii32.exeC:\Windows\system32\Iqfiii32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Igpaec32.exeC:\Windows\system32\Igpaec32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Iianmlfn.exeC:\Windows\system32\Iianmlfn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Icfbkded.exeC:\Windows\system32\Icfbkded.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Iickckcl.exeC:\Windows\system32\Iickckcl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Iifghk32.exeC:\Windows\system32\Iifghk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Joppeeif.exeC:\Windows\system32\Joppeeif.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Jgkdigfa.exeC:\Windows\system32\Jgkdigfa.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Jbphgpfg.exeC:\Windows\system32\Jbphgpfg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Jjlmkb32.exeC:\Windows\system32\Jjlmkb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Jgpndg32.exeC:\Windows\system32\Jgpndg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Jgbjjf32.exeC:\Windows\system32\Jgbjjf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Jjpgfbom.exeC:\Windows\system32\Jjpgfbom.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1060 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe33⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Kamlhl32.exeC:\Windows\system32\Kamlhl32.exe34⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1860 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe36⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Kmclmm32.exeC:\Windows\system32\Kmclmm32.exe37⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Klhioioc.exeC:\Windows\system32\Klhioioc.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe40⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Kimjhnnl.exeC:\Windows\system32\Kimjhnnl.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Kbenacdm.exeC:\Windows\system32\Kbenacdm.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Kaholp32.exeC:\Windows\system32\Kaholp32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\Lolofd32.exeC:\Windows\system32\Lolofd32.exe46⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Llpoohik.exeC:\Windows\system32\Llpoohik.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Lonlkcho.exeC:\Windows\system32\Lonlkcho.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe51⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ldkdckff.exeC:\Windows\system32\Ldkdckff.exe52⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Lhfpdi32.exeC:\Windows\system32\Lhfpdi32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe54⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Laodmoep.exeC:\Windows\system32\Laodmoep.exe55⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Ldmaijdc.exeC:\Windows\system32\Ldmaijdc.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Lkgifd32.exeC:\Windows\system32\Lkgifd32.exe58⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe59⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Lpdankjg.exeC:\Windows\system32\Lpdankjg.exe60⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\SysWOW64\Lgnjke32.exeC:\Windows\system32\Lgnjke32.exe62⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Lkifkdjm.exeC:\Windows\system32\Lkifkdjm.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Lpfnckhe.exeC:\Windows\system32\Lpfnckhe.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe66⤵PID:1868
-
C:\Windows\SysWOW64\Lgpfpe32.exeC:\Windows\system32\Lgpfpe32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2352 -
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe69⤵PID:2588
-
C:\Windows\SysWOW64\Meecaa32.exeC:\Windows\system32\Meecaa32.exe70⤵PID:2632
-
C:\Windows\SysWOW64\Mhdpnm32.exeC:\Windows\system32\Mhdpnm32.exe71⤵
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Mpkhoj32.exeC:\Windows\system32\Mpkhoj32.exe72⤵PID:1168
-
C:\Windows\SysWOW64\Mcidkf32.exeC:\Windows\system32\Mcidkf32.exe73⤵PID:2160
-
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe74⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Mlahdkjc.exeC:\Windows\system32\Mlahdkjc.exe76⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe77⤵PID:852
-
C:\Windows\SysWOW64\Mclqqeaq.exeC:\Windows\system32\Mclqqeaq.exe78⤵PID:896
-
C:\Windows\SysWOW64\Mejmmqpd.exeC:\Windows\system32\Mejmmqpd.exe79⤵
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe80⤵PID:2452
-
C:\Windows\SysWOW64\Mobaef32.exeC:\Windows\system32\Mobaef32.exe81⤵PID:888
-
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Mgnfji32.exeC:\Windows\system32\Mgnfji32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe85⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe86⤵PID:308
-
C:\Windows\SysWOW64\Ndafcmci.exeC:\Windows\system32\Ndafcmci.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe88⤵
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe89⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Nnjklb32.exeC:\Windows\system32\Nnjklb32.exe90⤵PID:756
-
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Ncgcdi32.exeC:\Windows\system32\Ncgcdi32.exe92⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe93⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Njalacon.exeC:\Windows\system32\Njalacon.exe94⤵PID:2288
-
C:\Windows\SysWOW64\Npkdnnfk.exeC:\Windows\system32\Npkdnnfk.exe95⤵
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Ngeljh32.exeC:\Windows\system32\Ngeljh32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe98⤵PID:2836
-
C:\Windows\SysWOW64\Nladco32.exeC:\Windows\system32\Nladco32.exe99⤵PID:2856
-
C:\Windows\SysWOW64\Nopaoj32.exeC:\Windows\system32\Nopaoj32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2768 -
C:\Windows\SysWOW64\Nggipg32.exeC:\Windows\system32\Nggipg32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe102⤵
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Nldahn32.exeC:\Windows\system32\Nldahn32.exe103⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Ncnjeh32.exeC:\Windows\system32\Ncnjeh32.exe104⤵PID:2364
-
C:\Windows\SysWOW64\Nbqjqehd.exeC:\Windows\system32\Nbqjqehd.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Nflfad32.exeC:\Windows\system32\Nflfad32.exe106⤵PID:1380
-
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe107⤵PID:1876
-
C:\Windows\SysWOW64\Okinik32.exeC:\Windows\system32\Okinik32.exe108⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Ocpfkh32.exeC:\Windows\system32\Ocpfkh32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Ofobgc32.exeC:\Windows\system32\Ofobgc32.exe110⤵PID:3004
-
C:\Windows\SysWOW64\Ohmoco32.exeC:\Windows\system32\Ohmoco32.exe111⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Omhkcnfg.exeC:\Windows\system32\Omhkcnfg.exe112⤵
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Ooggpiek.exeC:\Windows\system32\Ooggpiek.exe113⤵
- System Location Discovery: System Language Discovery
PID:780 -
C:\Windows\SysWOW64\Obecld32.exeC:\Windows\system32\Obecld32.exe114⤵
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Oddphp32.exeC:\Windows\system32\Oddphp32.exe115⤵PID:692
-
C:\Windows\SysWOW64\Oknhdjko.exeC:\Windows\system32\Oknhdjko.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe117⤵PID:1620
-
C:\Windows\SysWOW64\Obhpad32.exeC:\Windows\system32\Obhpad32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1612 -
C:\Windows\SysWOW64\Oiahnnji.exeC:\Windows\system32\Oiahnnji.exe119⤵PID:800
-
C:\Windows\SysWOW64\Okpdjjil.exeC:\Windows\system32\Okpdjjil.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:680 -
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe121⤵PID:1116
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-