Analysis

max time kernel: 111s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2024 09:25

Static task: static1
Behavioral task: behavioral1
  Sample: dedec1cfa74bce168000b995e0075800N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: dedec1cfa74bce168000b995e0075800N.exe
  Resource: win10v2004-20240802-en

General

Target: dedec1cfa74bce168000b995e0075800N.exe
Size: 481KB
MD5: dedec1cfa74bce168000b995e0075800
SHA1: fe62708e0575fd952bfe772acca3efc6ba12865d
SHA256: 0ac7f86689e393285ad074cc18d33e174fd61f3f0a2d460ea22ca2f4a5593dec
SHA512: 25fabd1470ba5b484fe5f0e5bb575d14778e9be0c4346739fbddb83b6a16898070c6775348924a2f81da49e1b9e8aa89723dd39fe3b67badc6805262924ca2fe
SSDEEP: 6144:phw0pqB4BOzQFM6234lKm3mo8Yvi4KsLTFM6234lKm3+ry+dBQ:3pqqBOUFB24lwR45FB24l4++dBQ

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 3372 WerFault.exe, pid_target 3332, procid_target 257
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1956 wrote to memory of 2104 1956 dedec1cfa74bce168000b995e0075800N.exe 30 PID 1956 wrote to memory of 2104 1956 dedec1cfa74bce168000b995e0075800N.exe 30 PID 1956 wrote to memory of 2104 1956 dedec1cfa74bce168000b995e0075800N.exe 30 PID 1956 wrote to memory of 2104 1956 dedec1cfa74bce168000b995e0075800N.exe 30 PID 2104 wrote to memory of 2796 2104 Nkjdcp32.exe 31 PID 2104 wrote to memory of 2796 2104 Nkjdcp32.exe 31 PID 2104 wrote to memory of 2796 2104 Nkjdcp32.exe 31 PID 2104 wrote to memory of 2796 2104 Nkjdcp32.exe 31 PID 2796 wrote to memory of 2580 2796 Ngqeha32.exe 32 PID 2796 wrote to memory of 2580 2796 Ngqeha32.exe 32 PID 2796 wrote to memory of 2580 2796 Ngqeha32.exe 32 PID 2796 wrote to memory of 2580 2796 Ngqeha32.exe 32 PID 2580 wrote to memory of 2876 2580 Nogmin32.exe 33 PID 2580 wrote to memory of 2876 2580 Nogmin32.exe 33 PID 2580 wrote to memory of 2876 2580 Nogmin32.exe 33 PID 2580 wrote to memory of 2876 2580 Nogmin32.exe 33 PID 2876 wrote to memory of 2572 2876 Nickoldp.exe 34 PID 2876 wrote to memory of 2572 2876 Nickoldp.exe 34 PID 2876 wrote to memory of 2572 2876 Nickoldp.exe 34 PID 2876 wrote to memory of 2572 2876 Nickoldp.exe 34 PID 2572 wrote to memory of 328 2572 Nldcagaq.exe 35 PID 2572 wrote to memory of 328 2572 Nldcagaq.exe 35 PID 2572 wrote to memory of 328 2572 Nldcagaq.exe 35 PID 2572 wrote to memory of 328 2572 Nldcagaq.exe 35 PID 328 wrote to memory of 2920 328 Ohkdfhge.exe 36 PID 328 wrote to memory of 2920 328 Ohkdfhge.exe 36 PID 328 wrote to memory of 2920 328 Ohkdfhge.exe 36 PID 328 wrote to memory of 2920 328 Ohkdfhge.exe 36 PID 2920 wrote to memory of 1268 2920 Oikapk32.exe 37 PID 2920 wrote to memory of 1268 2920 Oikapk32.exe 37 PID 2920 wrote to memory of 1268 2920 Oikapk32.exe 37 PID 2920 wrote to memory of 1268 2920 Oikapk32.exe 37 PID 1268 wrote to memory of 604 1268 Oeaael32.exe 38 PID 1268 wrote to memory of 604 1268 Oeaael32.exe 38 PID 1268 wrote to memory of 604 1268 Oeaael32.exe 38 PID 1268 wrote to memory of 604 1268 Oeaael32.exe 38 PID 604 wrote to memory of 2996 604 Olkjaflh.exe 39 PID 604 wrote to memory of 2996 604 Olkjaflh.exe 39 PID 604 wrote to memory of 2996 604 Olkjaflh.exe 39 PID 604 wrote to memory of 2996 604 Olkjaflh.exe 39 PID 2996 wrote to memory of 2672 2996 Okcchbnn.exe 40 PID 2996 wrote to memory of 2672 2996 Okcchbnn.exe 40 PID 2996 wrote to memory of 2672 2996 Okcchbnn.exe 40 PID 2996 wrote to memory of 2672 2996 Okcchbnn.exe 40 PID 2672 wrote to memory of 840 2672 Pqplqile.exe 41 PID 2672 wrote to memory of 840 2672 Pqplqile.exe 41 PID 2672 wrote to memory of 840 2672 Pqplqile.exe 41 PID 2672 wrote to memory of 840 2672 Pqplqile.exe 41 PID 840 wrote to memory of 2408 840 Pfoanp32.exe 42 PID 840 wrote to memory of 2408 840 Pfoanp32.exe 42 PID 840 wrote to memory of 2408 840 Pfoanp32.exe 42 PID 840 wrote to memory of 2408 840 Pfoanp32.exe 42 PID 2408 wrote to memory of 1216 2408 Pmiikipg.exe 43 PID 2408 wrote to memory of 1216 2408 Pmiikipg.exe 43 PID 2408 wrote to memory of 1216 2408 Pmiikipg.exe 43 PID 2408 wrote to memory of 1216 2408 Pmiikipg.exe 43 PID 1216 wrote to memory of 1492 1216 Pccahc32.exe 44 PID 1216 wrote to memory of 1492 1216 Pccahc32.exe 44 PID 1216 wrote to memory of 1492 1216 Pccahc32.exe 44 PID 1216 wrote to memory of 1492 1216 Pccahc32.exe 44 PID 1492 wrote to memory of 696 1492 Pjmjdnop.exe 45 PID 1492 wrote to memory of 696 1492 Pjmjdnop.exe 45 PID 1492 wrote to memory of 696 1492 Pjmjdnop.exe 45 PID 1492 wrote to memory of 696 1492 Pjmjdnop.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\dedec1cfa74bce168000b995e0075800N.exe"C:\Users\Admin\AppData\Local\Temp\dedec1cfa74bce168000b995e0075800N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Nkjdcp32.exeC:\Windows\system32\Nkjdcp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Ngqeha32.exeC:\Windows\system32\Ngqeha32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Nogmin32.exeC:\Windows\system32\Nogmin32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Nickoldp.exeC:\Windows\system32\Nickoldp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Nldcagaq.exeC:\Windows\system32\Nldcagaq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Ohkdfhge.exeC:\Windows\system32\Ohkdfhge.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Oikapk32.exeC:\Windows\system32\Oikapk32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Oeaael32.exeC:\Windows\system32\Oeaael32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Olkjaflh.exeC:\Windows\system32\Olkjaflh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\Okcchbnn.exeC:\Windows\system32\Okcchbnn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Pqplqile.exeC:\Windows\system32\Pqplqile.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Pfoanp32.exeC:\Windows\system32\Pfoanp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Pmiikipg.exeC:\Windows\system32\Pmiikipg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Pccahc32.exeC:\Windows\system32\Pccahc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Pjmjdnop.exeC:\Windows\system32\Pjmjdnop.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Pqgbah32.exeC:\Windows\system32\Pqgbah32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:696 -
C:\Windows\SysWOW64\Pbhoip32.exeC:\Windows\system32\Pbhoip32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Pibgfjdh.exeC:\Windows\system32\Pibgfjdh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Polobd32.exeC:\Windows\system32\Polobd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Windows\SysWOW64\Pffgonbb.exeC:\Windows\system32\Pffgonbb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:992 -
C:\Windows\SysWOW64\Qidckjae.exeC:\Windows\system32\Qidckjae.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Qonlhd32.exeC:\Windows\system32\Qonlhd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Qfhddn32.exeC:\Windows\system32\Qfhddn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Qgiplffm.exeC:\Windows\system32\Qgiplffm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Aaikfkgf.exeC:\Windows\system32\Aaikfkgf.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Afecna32.exeC:\Windows\system32\Afecna32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Amplklmj.exeC:\Windows\system32\Amplklmj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Ajcldpkd.exeC:\Windows\system32\Ajcldpkd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Bppdlgjk.exeC:\Windows\system32\Bppdlgjk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Bclqme32.exeC:\Windows\system32\Bclqme32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Bmdefk32.exeC:\Windows\system32\Bmdefk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Bpbabf32.exeC:\Windows\system32\Bpbabf32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Bfmjoqoe.exeC:\Windows\system32\Bfmjoqoe.exe34⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Bnhncclq.exeC:\Windows\system32\Bnhncclq.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Bafkookd.exeC:\Windows\system32\Bafkookd.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Bdgcaj32.exeC:\Windows\system32\Bdgcaj32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe38⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Bhelghol.exeC:\Windows\system32\Bhelghol.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\Ckchcc32.exeC:\Windows\system32\Ckchcc32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Cdlmlidp.exeC:\Windows\system32\Cdlmlidp.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Cfjihdcc.exeC:\Windows\system32\Cfjihdcc.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Capmemci.exeC:\Windows\system32\Capmemci.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Cdnjaibm.exeC:\Windows\system32\Cdnjaibm.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Ckhbnb32.exeC:\Windows\system32\Ckhbnb32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Cmfnjnin.exeC:\Windows\system32\Cmfnjnin.exe46⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Cbcfbege.exeC:\Windows\system32\Cbcfbege.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ceacoqfi.exeC:\Windows\system32\Ceacoqfi.exe48⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Cmikpngk.exeC:\Windows\system32\Cmikpngk.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Cojghf32.exeC:\Windows\system32\Cojghf32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Cipleo32.exeC:\Windows\system32\Cipleo32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe54⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Dhehfk32.exeC:\Windows\system32\Dhehfk32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Dooqceid.exeC:\Windows\system32\Dooqceid.exe56⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe57⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Dlbaljhn.exeC:\Windows\system32\Dlbaljhn.exe58⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe59⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Dglbmg32.exeC:\Windows\system32\Dglbmg32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Dkhnmfle.exeC:\Windows\system32\Dkhnmfle.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Dpdfemkm.exeC:\Windows\system32\Dpdfemkm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Dgoobg32.exeC:\Windows\system32\Dgoobg32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Djmknb32.exeC:\Windows\system32\Djmknb32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Dnhgoa32.exeC:\Windows\system32\Dnhgoa32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Ddbolkac.exeC:\Windows\system32\Ddbolkac.exe66⤵PID:1928
-
C:\Windows\SysWOW64\Enkdda32.exeC:\Windows\system32\Enkdda32.exe67⤵PID:2044
-
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Effhic32.exeC:\Windows\system32\Effhic32.exe69⤵PID:2824
-
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe70⤵PID:2248
-
C:\Windows\SysWOW64\Eoomai32.exeC:\Windows\system32\Eoomai32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Efhenccl.exeC:\Windows\system32\Efhenccl.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2052 -
C:\Windows\SysWOW64\Ejdaoa32.exeC:\Windows\system32\Ejdaoa32.exe73⤵PID:2972
-
C:\Windows\SysWOW64\Eoajgh32.exeC:\Windows\system32\Eoajgh32.exe74⤵PID:2668
-
C:\Windows\SysWOW64\Ejfnda32.exeC:\Windows\system32\Ejfnda32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Ekhjlioa.exeC:\Windows\system32\Ekhjlioa.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Eocfmh32.exeC:\Windows\system32\Eocfmh32.exe77⤵
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Efmoib32.exeC:\Windows\system32\Efmoib32.exe78⤵PID:1860
-
C:\Windows\SysWOW64\Ehlkfn32.exeC:\Windows\system32\Ehlkfn32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:572 -
C:\Windows\SysWOW64\Eoecbheg.exeC:\Windows\system32\Eoecbheg.exe80⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Fkldgi32.exeC:\Windows\system32\Fkldgi32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Fohphgce.exeC:\Windows\system32\Fohphgce.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Fdehpn32.exeC:\Windows\system32\Fdehpn32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Fipdqmje.exeC:\Windows\system32\Fipdqmje.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Fjaqhe32.exeC:\Windows\system32\Fjaqhe32.exe86⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Fnmmidhm.exeC:\Windows\system32\Fnmmidhm.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Fdgefn32.exeC:\Windows\system32\Fdgefn32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Windows\SysWOW64\Fjdnne32.exeC:\Windows\system32\Fjdnne32.exe89⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Fmbjjp32.exeC:\Windows\system32\Fmbjjp32.exe90⤵PID:2412
-
C:\Windows\SysWOW64\Fghngimj.exeC:\Windows\system32\Fghngimj.exe91⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Fjfjcdln.exeC:\Windows\system32\Fjfjcdln.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe93⤵PID:1960
-
C:\Windows\SysWOW64\Fcoolj32.exeC:\Windows\system32\Fcoolj32.exe94⤵PID:1620
-
C:\Windows\SysWOW64\Fgjkmijh.exeC:\Windows\system32\Fgjkmijh.exe95⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Fmgcepio.exeC:\Windows\system32\Fmgcepio.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Gjkcod32.exeC:\Windows\system32\Gjkcod32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Gmipko32.exeC:\Windows\system32\Gmipko32.exe98⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Gcchgini.exeC:\Windows\system32\Gcchgini.exe99⤵
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Gipqpplq.exeC:\Windows\system32\Gipqpplq.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe102⤵PID:2660
-
C:\Windows\SysWOW64\Gbheif32.exeC:\Windows\system32\Gbheif32.exe103⤵PID:2940
-
C:\Windows\SysWOW64\Gibmep32.exeC:\Windows\system32\Gibmep32.exe104⤵
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Gplebjbk.exeC:\Windows\system32\Gplebjbk.exe105⤵
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Gbkaneao.exeC:\Windows\system32\Gbkaneao.exe106⤵PID:272
-
C:\Windows\SysWOW64\Ganbjb32.exeC:\Windows\system32\Ganbjb32.exe107⤵PID:2452
-
C:\Windows\SysWOW64\Geinjapb.exeC:\Windows\system32\Geinjapb.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Gnabcf32.exeC:\Windows\system32\Gnabcf32.exe109⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe110⤵PID:2012
-
C:\Windows\SysWOW64\Gekkpqnp.exeC:\Windows\system32\Gekkpqnp.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Hlecmkel.exeC:\Windows\system32\Hlecmkel.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:868 -
C:\Windows\SysWOW64\Habkeacd.exeC:\Windows\system32\Habkeacd.exe113⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Hdqhambg.exeC:\Windows\system32\Hdqhambg.exe114⤵PID:2080
-
C:\Windows\SysWOW64\Hhlcal32.exeC:\Windows\system32\Hhlcal32.exe115⤵PID:2756
-
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe116⤵PID:632
-
C:\Windows\SysWOW64\Hpghfn32.exeC:\Windows\system32\Hpghfn32.exe117⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Hdcdfmqe.exeC:\Windows\system32\Hdcdfmqe.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Hjmmcgha.exeC:\Windows\system32\Hjmmcgha.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Hmkiobge.exeC:\Windows\system32\Hmkiobge.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Hbhagiem.exeC:\Windows\system32\Hbhagiem.exe122⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2056