Analysis

max time kernel: 118s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2024 19:03
Static task: static1

Behavioral task: behavioral1
  Sample: bab2a424e4ebcb621b8fe6f3b933d270N.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: bab2a424e4ebcb621b8fe6f3b933d270N.exe
  Resource: win10v2004-20240802-en
General

Target: bab2a424e4ebcb621b8fe6f3b933d270N.exe
Size: 60KB
MD5: bab2a424e4ebcb621b8fe6f3b933d270
SHA1: cef7f51adda1b4e70e7b5b6417cba7dc501a894c
SHA256: d08a2ba952cc5870ae625c9d6fa0418cfeaf4058b2be438eace30f42cec32fcf
SHA512: e7e7155a1064d21f2436d553aa953bfb1340245755d00e2f39852e059d568cd8a93efe02af3d15c2b71986c292790a003738d8c0118edb63219e37ba4c52183f
SSDEEP: 1536:DSAcDR9vT1bygpdjwsYPtlnBiVpB86l1rs:7UUgp1OQVpB86l1rs
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every IoC in this signature touches one key, ShellServiceObjectDelayLoad (SSODL). Explorer instantiates each CLSID listed under that key as an in-process COM server when it starts, so the value below only becomes persistence together with the CLSID registration recorded under "Modifies registry class", where {79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 is pointed at a dropped DLL in C:\Windows\SysWow64. The sample is 32-bit, so on this x64 image its writes land in the Wow6432Node (WOW64) view of the registry; a hunt on a 64-bit host should check both the native key and the Wow6432Node copy.

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  set by (32 processes): Bnafjo32.exe, Fooghg32.exe, Edfqclni.exe, Lhhmle32.exe, Bpdkajic.exe, Pgnmjokn.exe, Ickoimie.exe, Lobgah32.exe, Cofaad32.exe, Ianambhc.exe, Ncplfj32.exe, Mdfcaegj.exe, Hojeka32.exe, Cjiiim32.exe, Nliqoofa.exe, Ihgcof32.exe, Kgffpk32.exe, Bjlpjp32.exe, Kcbcah32.exe, Heedbbdb.exe, Ehopnk32.exe, Cgnpmg32.exe, Dbadcdgp.exe, Jgnflmia.exe, Kmjhjndm.exe, Lifoia32.exe, Ajelmiag.exe, Kgkokjjd.exe, Pljnmkoo.exe, Calgoken.exe, Jigmeagl.exe, Ajbdpblo.exe

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  created by (32 processes): Hlgodgnk.exe, Chccfe32.exe, Bapejd32.exe, Pgnmjokn.exe, Igmppcpm.exe, Eimien32.exe, Kleeqp32.exe, Lpiqel32.exe, Cmeffp32.exe, Hgbanlfc.exe, Ffokan32.exe, Fdbibjok.exe, Gadidabc.exe, Dhcoei32.exe, Jobnej32.exe, Jjqlbdog.exe, Ofcnmh32.exe, Fehodaqd.exe, Mpmfoodb.exe, Fianpp32.exe, Adohpe32.exe, Edfqclni.exe, Lbfdnijp.exe, Jcfmkcdn.exe, Idojon32.exe, Nldgdpjf.exe, Cfemdp32.exe, Cnhhia32.exe, Alcclb32.exe, Dhhhphmc.exe, Hobfgcdb.exe, Chdlidjm.exe
Executes dropped EXE (64 IoCs)

pid Process, in the order the sandbox recorded them:
972 Nbmcjc32.exe, 2880 Oiglfm32.exe, 2852 Ofklpa32.exe, 2812 Ofmiea32.exe, 2648 Onhnjclg.exe, 2240 Oinbglkm.exe, 1728 Odgchjhl.exe, 2072 Pfhlie32.exe, 2996 Pjfdpckc.exe, 1332 Pbaide32.exe, 2476 Pljnmkoo.exe, 324 Pojgnf32.exe, 2252 Qomcdf32.exe, 2164 Akfaof32.exe, 2484 Ahjahk32.exe, 2608 Agonig32.exe, 1928 Apgcbmha.exe, 1012 Adekhkng.exe, 2432 Ajbdpblo.exe, 912 Blcmbmip.exe, 1624 Bapejd32.exe, 1256 Bfnnpbnn.exe, 1960 Blgfml32.exe, 2600 Bgagnjbi.exe, 2872 Cjbpoeoj.exe, 1596 Ccjehkek.exe, 2296 Cjdmee32.exe, 2760 Cmeffp32.exe, 2636 Cqcomn32.exe, 2288 Cincaq32.exe, 2940 Cbfhjfdk.exe, 1888 Dkolblkk.exe, 2508 Degqka32.exe, 2948 Dghjmlnm.exe, 3012 Dcojbm32.exe, 3040 Dfpcdh32.exe, 2900 Eaegaaah.exe, 932 Ehopnk32.exe, 2184 Edfqclni.exe, 1480 Effidg32.exe, 2188 Eoanij32.exe, 2580 Fofhdidp.exe, 1384 Feeilbhg.exe, 2040 Fhfbmn32.exe, 1996 Fmbkfd32.exe, 1688 Gdmcbojl.exe, 1948 Gpccgppq.exe, 2192 Gngdadoj.exe, 2964 Gpfpmonn.exe, 2416 Ghaeaaki.exe, 1592 Gokmnlcf.exe, 2352 Geeekf32.exe, 2672 Glongpao.exe, 2640 Gheola32.exe, 2756 Hnbgdh32.exe, 888 Hgkknm32.exe, 2500 Hnecjgch.exe, 2920 Hgmhcm32.exe, 1984 Hngppgae.exe, 3032 Hcdihn32.exe, 1912 Hqhiab32.exe, 2456 Hgbanlfc.exe, 2516 Hjpnjheg.exe, 2584 Hmojfcdk.exe
Loads dropped DLL (64 IoCs)

Each process appears twice in the report (two load events apiece), 32 processes in all:
1272 bab2a424e4ebcb621b8fe6f3b933d270N.exe, 972 Nbmcjc32.exe, 2880 Oiglfm32.exe, 2852 Ofklpa32.exe, 2812 Ofmiea32.exe, 2648 Onhnjclg.exe, 2240 Oinbglkm.exe, 1728 Odgchjhl.exe, 2072 Pfhlie32.exe, 2996 Pjfdpckc.exe, 1332 Pbaide32.exe, 2476 Pljnmkoo.exe, 324 Pojgnf32.exe, 2252 Qomcdf32.exe, 2164 Akfaof32.exe, 2484 Ahjahk32.exe, 2608 Agonig32.exe, 1928 Apgcbmha.exe, 1012 Adekhkng.exe, 2432 Ajbdpblo.exe, 912 Blcmbmip.exe, 1624 Bapejd32.exe, 1256 Bfnnpbnn.exe, 1960 Blgfml32.exe, 2600 Bgagnjbi.exe, 2872 Cjbpoeoj.exe, 1596 Ccjehkek.exe, 2296 Cjdmee32.exe, 2760 Cmeffp32.exe, 2636 Cqcomn32.exe, 2288 Cincaq32.exe, 2940 Cbfhjfdk.exe
Drops file in System32 directory (64 IoCs)

All paths are under C:\Windows\SysWOW64, which is where file system redirection sends a 32-bit process that writes to System32. The same random eight-letter naming is used for the next-generation EXE and for the COM server DLL that the CLSID registration below points at (for example Kjnkkn32.dll, dropped by Gfnnmboa.exe here and registered as InProcServer32 by the same process under "Modifies registry class").

description  ioc  Process
File created  C:\Windows\SysWOW64\Andlmnki.exe  Adohpe32.exe
File created  C:\Windows\SysWOW64\Gmcmomjc.exe  Fdkheh32.exe
File created  C:\Windows\SysWOW64\Infnmf32.dll  Fpgpjdnf.exe
File opened for modification  C:\Windows\SysWOW64\Bgagnjbi.exe  Blgfml32.exe
File created  C:\Windows\SysWOW64\Cfjgopop.exe  Ckebbgoj.exe
File created  C:\Windows\SysWOW64\Jkgfgl32.exe  Jennjblp.exe
File opened for modification  C:\Windows\SysWOW64\Kgkokjjd.exe  Knckbe32.exe
File created  C:\Windows\SysWOW64\Nagegjio.dll  Chdlidjm.exe
File opened for modification  C:\Windows\SysWOW64\Oiglfm32.exe  Nbmcjc32.exe
File created  C:\Windows\SysWOW64\Cbfhjfdk.exe  Cincaq32.exe
File created  C:\Windows\SysWOW64\Agednnhp.dll  Hmojfcdk.exe
File opened for modification  C:\Windows\SysWOW64\Ickoimie.exe  Ifgooikk.exe
File created  C:\Windows\SysWOW64\Dopkai32.exe  Dcijmhdj.exe
File created  C:\Windows\SysWOW64\Kodkcbje.dll  Opoocb32.exe
File opened for modification  C:\Windows\SysWOW64\Blpibghg.exe  Abgeiaaf.exe
File created  C:\Windows\SysWOW64\Bhiglh32.exe  Bncboo32.exe
File created  C:\Windows\SysWOW64\Ollkojil.dll  Laccdp32.exe
File created  C:\Windows\SysWOW64\Aikine32.exe  Apbeeppo.exe
File created  C:\Windows\SysWOW64\Hbagaa32.exe  Hlgodgnk.exe
File created  C:\Windows\SysWOW64\Dncilhik.dll  Bgagnjbi.exe
File created  C:\Windows\SysWOW64\Imccab32.exe  Ickoimie.exe
File created  C:\Windows\SysWOW64\Jjgpjjak.exe  Jmcpqfba.exe
File created  C:\Windows\SysWOW64\Ciecfp32.dll  Qhejed32.exe
File opened for modification  C:\Windows\SysWOW64\Idojon32.exe  Ilcfjkgj.exe
File created  C:\Windows\SysWOW64\Jjqlbdog.exe  Idcdjmao.exe
File opened for modification  C:\Windows\SysWOW64\Amalcd32.exe  Qcigjolm.exe
File opened for modification  C:\Windows\SysWOW64\Dmobpn32.exe  Dcgmgh32.exe
File created  C:\Windows\SysWOW64\Lhclfphg.exe  Lbfdnijp.exe
File opened for modification  C:\Windows\SysWOW64\Lmdnjf32.exe  Lhgeao32.exe
File created  C:\Windows\SysWOW64\Klbmjnpk.dll  Qfbahldf.exe
File opened for modification  C:\Windows\SysWOW64\Eelinm32.exe  Emadjj32.exe
File opened for modification  C:\Windows\SysWOW64\Fibqhibd.exe  Fcehpbdm.exe
File opened for modification  C:\Windows\SysWOW64\Gjhfkqdm.exe  Gigjch32.exe
File opened for modification  C:\Windows\SysWOW64\Ghlgdecf.exe  Genkhidc.exe
File created  C:\Windows\SysWOW64\Pbaide32.exe  Pjfdpckc.exe
File created  C:\Windows\SysWOW64\Pdncfedn.dll  Lggpdmap.exe
File created  C:\Windows\SysWOW64\Dmhocf32.dll  Eakjophb.exe
File created  C:\Windows\SysWOW64\Gmkaphmi.dll  Cfemdp32.exe
File opened for modification  C:\Windows\SysWOW64\Ghpngkhm.exe  Gaffja32.exe
File created  C:\Windows\SysWOW64\Ppgked32.dll  Aanonj32.exe
File created  C:\Windows\SysWOW64\Jmjibdoi.dll  Pkeppngm.exe
File created  C:\Windows\SysWOW64\Kjdpcnfi.exe  Khfcgbge.exe
File created  C:\Windows\SysWOW64\Jbkagpjl.dll  Nncaejie.exe
File created  C:\Windows\SysWOW64\Bfiebedp.dll  Peakkj32.exe
File opened for modification  C:\Windows\SysWOW64\Apbeeppo.exe  Ajelmiag.exe
File created  C:\Windows\SysWOW64\Bjehlldb.exe  Behpcefk.exe
File created  C:\Windows\SysWOW64\Jccphimo.dll  Iniebmfg.exe
File created  C:\Windows\SysWOW64\Migbkglj.dll  Ffoihepa.exe
File created  C:\Windows\SysWOW64\Kgjhdgmm.dll  Eelinm32.exe
File opened for modification  C:\Windows\SysWOW64\Hhkjpi32.exe  Hobfgcdb.exe
File opened for modification  C:\Windows\SysWOW64\Gibmglep.exe  Gpihog32.exe
File created  C:\Windows\SysWOW64\Fioajqmb.exe  Fdbibjok.exe
File created  C:\Windows\SysWOW64\Foacmg32.exe  Fehodaqd.exe
File created  C:\Windows\SysWOW64\Ncnoaj32.exe  Nldgdpjf.exe
File created  C:\Windows\SysWOW64\Ghlgdecf.exe  Genkhidc.exe
File created  C:\Windows\SysWOW64\Bbkkbpjc.exe  Bmnbjill.exe
File created  C:\Windows\SysWOW64\Bibkoabk.dll  Dbnpcn32.exe
File created  C:\Windows\SysWOW64\Kjnkkn32.dll  Gfnnmboa.exe
File created  C:\Windows\SysWOW64\Ojbachjd.dll  Kfhmhi32.exe
File created  C:\Windows\SysWOW64\Lljolodf.exe  Kofnbk32.exe
File opened for modification  C:\Windows\SysWOW64\Andlmnki.exe  Adohpe32.exe
File opened for modification  C:\Windows\SysWOW64\Aagadh32.exe  Aipickfe.exe
File created  C:\Windows\SysWOW64\Gonlld32.exe  Geehcoaf.exe
File created  C:\Windows\SysWOW64\Gachcl32.dll  Ickoimie.exe
Program crash (1 IoC)

pid 944 (WerFault.exe) handled a crash of pid 1816 (procid_target 514)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim host in order to infer its geographical location.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  opened by (64 processes): Enokidgl.exe, Agonig32.exe, Modano32.exe, Bhiglh32.exe, Dghjmlnm.exe, Hcohbh32.exe, Cnfnlk32.exe, Gklnmgic.exe, Fbebcp32.exe, Geehcoaf.exe, Nceeaikk.exe, Bjehlldb.exe, Abnbccia.exe, Bdnmda32.exe, Joagkd32.exe, Bdbdgh32.exe, Cfmceomm.exe, Qloiqcbn.exe, Hhkjpi32.exe, Iogkaf32.exe, Pbaide32.exe, Ioapnn32.exe, Pcahga32.exe, Eqejjj32.exe, Jigmeagl.exe, Nimaic32.exe, Njpdiifd.exe, Abmkhmfe.exe, Pgnmjokn.exe, Iijdfc32.exe, Jehklc32.exe, Khfcgbge.exe, Kanhph32.exe, Kfhmhi32.exe, Aikine32.exe, Jcodcp32.exe, Qfdnnlbc.exe, Adcakdhn.exe, Cmkkhfmn.exe, Blcmbmip.exe, Fhfbmn32.exe, Hifdjcif.exe, Onhihepp.exe, Bdbfpafn.exe, Edfqclni.exe, Djfooa32.exe, Epgabhdg.exe, Okomappb.exe, Fdhlphff.exe, Chdlidjm.exe, Peakkj32.exe, Kleeqp32.exe, Gonlld32.exe, Ilcfjkgj.exe, Kiaiooja.exe, Bgagnjbi.exe, Hjpnjheg.exe, Bmnbjill.exe, Pkbcjn32.exe, Abejlj32.exe, Lhkiae32.exe, Qdieaf32.exe, Jdfqomom.exe, Aliejq32.exe
Modifies registry class (64 IoCs)

All but one of these IoCs are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the COM registration for the CLSID that the SSODL value above points at. The key's default value names the DLL Explorer will load for that CLSID; different processes register different freshly dropped DLLs in C:\Windows\SysWow64 (Kjnkkn32.dll, for instance, is both dropped and registered by Gfnnmboa.exe).

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  created by: bab2a424e4ebcb621b8fe6f3b933d270N.exe

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
  created by (19 processes): Onhihepp.exe, Lbfdnijp.exe, Cpkaai32.exe, Kaojiqej.exe, Fcehpbdm.exe, Khfcgbge.exe, Peakkj32.exe, Hacoio32.exe, Qjacai32.exe, Oinbglkm.exe, Blgfml32.exe, Fidmniqa.exe, Nokdnail.exe, Lhqpqp32.exe, Fibqhibd.exe, Gdchifik.exe, Jbmdig32.exe, Aofhcmig.exe, Knckbe32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
  set by (23 processes): Pjdjbl32.exe, Mhmfgdch.exe, Heedbbdb.exe, Ihgcof32.exe, Gbpegdik.exe, Fpdqlkhe.exe, Kcbcah32.exe, Mdfcaegj.exe, Hdjnje32.exe, Oiglfm32.exe, Fmbkfd32.exe, Hanenoeh.exe, Hnecjgch.exe, Kgkokjjd.exe, Onhnjclg.exe, Gmcmomjc.exe, Jcfmkcdn.exe, Epgabhdg.exe, Bdnmda32.exe, Dghjmlnm.exe, Cjiiim32.exe, Ahbcda32.exe, Ehphdf32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default value) = DLL path (21 IoCs; DLL, set by)
"C:\\Windows\\SysWow64\\Likaja32.dll"  Jmcbio32.exe
"C:\\Windows\\SysWow64\\Aejbfc32.dll"  Hlgodgnk.exe
"C:\\Windows\\SysWow64\\Gmmpehpj.dll"  Mqoqlfkl.exe
"C:\\Windows\\SysWow64\\Bnielf32.dll"  Adcakdhn.exe
"C:\\Windows\\SysWow64\\Biehcmhh.dll"  Cpkaai32.exe
"C:\\Windows\\SysWow64\\Elkdakmp.dll"  Fooghg32.exe
"C:\\Windows\\SysWow64\\Kjnkkn32.dll"  Gfnnmboa.exe
"C:\\Windows\\SysWow64\\Facfgahm.dll"  Jbmdig32.exe
"C:\\Windows\\SysWow64\\Didlinpd.dll"  Agonig32.exe
"C:\\Windows\\SysWow64\\Pefone32.dll"  Fioajqmb.exe
"C:\\Windows\\SysWow64\\Jgmclcjo.dll"  Gadidabc.exe
"C:\\Windows\\SysWow64\\Chmgna32.dll"  Ofcnmh32.exe
"C:\\Windows\\SysWow64\\Jldglccm.dll"  Jjgpjjak.exe
"C:\\Windows\\SysWow64\\Iigcomkk.dll"  Mbqpgf32.exe
"C:\\Windows\\SysWow64\\Mbenmb32.dll"  Hnbgdh32.exe
"C:\\Windows\\SysWow64\\Cmgpnn32.dll"  Kofnbk32.exe
"C:\\Windows\\SysWow64\\Pnnoopif.dll"  Hegdinpd.exe
"C:\\Windows\\SysWow64\\Pfenml32.dll"  Fmbkfd32.exe
"C:\\Windows\\SysWow64\\Opdnaj32.dll"  Ghaeaaki.exe
"C:\\Windows\\SysWow64\\Pjikmb32.dll"  Peooek32.exe
"C:\\Windows\\SysWow64\\Nffpfe32.dll"  Pljnmkoo.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (each process is spawned by the one listed before it; the leading number is its depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\bab2a424e4ebcb621b8fe6f3b933d270N.exe (PID 1272; command line: "C:\Users\Admin\AppData\Local\Temp\bab2a424e4ebcb621b8fe6f3b933d270N.exe")
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Nbmcjc32.exe (PID 972; command line: C:\Windows\system32\Nbmcjc32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Oiglfm32.exe (PID 2880; command line: C:\Windows\system32\Oiglfm32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ofklpa32.exe (PID 2852; command line: C:\Windows\system32\Ofklpa32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ofmiea32.exe (PID 2812; command line: C:\Windows\system32\Ofmiea32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Onhnjclg.exe (PID 2648; command line: C:\Windows\system32\Onhnjclg.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Oinbglkm.exe (PID 2240; command line: C:\Windows\system32\Oinbglkm.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Odgchjhl.exe (PID 1728; command line: C:\Windows\system32\Odgchjhl.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Pfhlie32.exe (PID 2072; command line: C:\Windows\system32\Pfhlie32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Pjfdpckc.exe (PID 2996; command line: C:\Windows\system32\Pjfdpckc.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Pbaide32.exe (PID 1332; command line: C:\Windows\system32\Pbaide32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Pljnmkoo.exe (PID 2476; command line: C:\Windows\system32\Pljnmkoo.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Pojgnf32.exe (PID 324; command line: C:\Windows\system32\Pojgnf32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Qomcdf32.exe (PID 2252; command line: C:\Windows\system32\Qomcdf32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Akfaof32.exe (PID 2164; command line: C:\Windows\system32\Akfaof32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ahjahk32.exe (PID 2484; command line: C:\Windows\system32\Ahjahk32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Agonig32.exe (PID 2608; command line: C:\Windows\system32\Agonig32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
18. C:\Windows\SysWOW64\Apgcbmha.exe (PID 1928; command line: C:\Windows\system32\Apgcbmha.exe)
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Adekhkng.exe (PID 1012; command line: C:\Windows\system32\Adekhkng.exe)
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Ajbdpblo.exe (PID 2432; command line: C:\Windows\system32\Ajbdpblo.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Blcmbmip.exe (PID 912; command line: C:\Windows\system32\Blcmbmip.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
22. C:\Windows\SysWOW64\Bapejd32.exe (PID 1624; command line: C:\Windows\system32\Bapejd32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Bfnnpbnn.exe (PID 1256; command line: C:\Windows\system32\Bfnnpbnn.exe)
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Blgfml32.exe (PID 1960; command line: C:\Windows\system32\Blgfml32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
25. C:\Windows\SysWOW64\Bgagnjbi.exe (PID 2600; command line: C:\Windows\system32\Bgagnjbi.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
26. C:\Windows\SysWOW64\Cjbpoeoj.exe (PID 2872; command line: C:\Windows\system32\Cjbpoeoj.exe)
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Ccjehkek.exe (PID 1596; command line: C:\Windows\system32\Ccjehkek.exe)
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Cjdmee32.exe (PID 2296; command line: C:\Windows\system32\Cjdmee32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Cmeffp32.exe (PID 2760; command line: C:\Windows\system32\Cmeffp32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Cqcomn32.exe (PID 2636; command line: C:\Windows\system32\Cqcomn32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Cincaq32.exe (PID 2288; command line: C:\Windows\system32\Cincaq32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
32. C:\Windows\SysWOW64\Cbfhjfdk.exe (PID 2940; command line: C:\Windows\system32\Cbfhjfdk.exe)
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Dkolblkk.exe (PID 1888; command line: C:\Windows\system32\Dkolblkk.exe)
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Degqka32.exe (PID 2508; command line: C:\Windows\system32\Degqka32.exe)
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Dghjmlnm.exe (PID 2948; command line: C:\Windows\system32\Dghjmlnm.exe)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
36. C:\Windows\SysWOW64\Dcojbm32.exe (PID 3012; command line: C:\Windows\system32\Dcojbm32.exe)
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Dfpcdh32.exe (PID 3040; command line: C:\Windows\system32\Dfpcdh32.exe)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Eaegaaah.exe (PID 2900; command line: C:\Windows\system32\Eaegaaah.exe)
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ehopnk32.exe (PID 932; command line: C:\Windows\system32\Ehopnk32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Edfqclni.exe (PID 2184; command line: C:\Windows\system32\Edfqclni.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
41. C:\Windows\SysWOW64\Effidg32.exe (PID 1480; command line: C:\Windows\system32\Effidg32.exe)
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Eoanij32.exe (PID 2188; command line: C:\Windows\system32\Eoanij32.exe)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Fofhdidp.exe (PID 2580; command line: C:\Windows\system32\Fofhdidp.exe)
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Feeilbhg.exe (PID 1384; command line: C:\Windows\system32\Feeilbhg.exe)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Fhfbmn32.exe (PID 2040; command line: C:\Windows\system32\Fhfbmn32.exe)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Fmbkfd32.exe (PID 1996; command line: C:\Windows\system32\Fmbkfd32.exe)
   - Executes dropped EXE
   - Modifies registry class
47. C:\Windows\SysWOW64\Gdmcbojl.exe (PID 1688; command line: C:\Windows\system32\Gdmcbojl.exe)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Gpccgppq.exe (PID 1948; command line: C:\Windows\system32\Gpccgppq.exe)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Gngdadoj.exe (PID 2192; command line: C:\Windows\system32\Gngdadoj.exe)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Gpfpmonn.exe (PID 2964; command line: C:\Windows\system32\Gpfpmonn.exe)
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Ghaeaaki.exe (PID 2416; command line: C:\Windows\system32\Ghaeaaki.exe)
   - Executes dropped EXE
   - Modifies registry class
52. C:\Windows\SysWOW64\Gokmnlcf.exe (PID 1592; command line: C:\Windows\system32\Gokmnlcf.exe)
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Geeekf32.exe (PID 2352; command line: C:\Windows\system32\Geeekf32.exe)
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Glongpao.exe (PID 2672; command line: C:\Windows\system32\Glongpao.exe)
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Gheola32.exe (PID 2640; command line: C:\Windows\system32\Gheola32.exe)
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Hnbgdh32.exe (PID 2756; command line: C:\Windows\system32\Hnbgdh32.exe)
   - Executes dropped EXE
   - Modifies registry class
57. C:\Windows\SysWOW64\Hgkknm32.exe (PID 888; command line: C:\Windows\system32\Hgkknm32.exe)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Hnecjgch.exe (PID 2500; command line: C:\Windows\system32\Hnecjgch.exe)
   - Executes dropped EXE
   - Modifies registry class
59. C:\Windows\SysWOW64\Hgmhcm32.exe (PID 2920; command line: C:\Windows\system32\Hgmhcm32.exe)
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Hngppgae.exe (PID 1984; command line: C:\Windows\system32\Hngppgae.exe)
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Hcdihn32.exe (PID 3032; command line: C:\Windows\system32\Hcdihn32.exe)
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Hqhiab32.exe (PID 1912; command line: C:\Windows\system32\Hqhiab32.exe)
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Hgbanlfc.exe (PID 2456; command line: C:\Windows\system32\Hgbanlfc.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Hjpnjheg.exe (PID 2516; command line: C:\Windows\system32\Hjpnjheg.exe)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
65. C:\Windows\SysWOW64\Hmojfcdk.exe (PID 2584; command line: C:\Windows\system32\Hmojfcdk.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
66. C:\Windows\SysWOW64\Ifgooikk.exe (PID 1044; command line: C:\Windows\system32\Ifgooikk.exe)
   - Drops file in System32 directory
67. C:\Windows\SysWOW64\Ickoimie.exe (PID 2032; command line: C:\Windows\system32\Ickoimie.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
68. C:\Windows\SysWOW64\Imccab32.exe (PID 1588; command line: C:\Windows\system32\Imccab32.exe)
69. C:\Windows\SysWOW64\Ioapnn32.exe (PID 1972; command line: C:\Windows\system32\Ioapnn32.exe)
   - System Location Discovery: System Language Discovery
70. C:\Windows\SysWOW64\Iijdfc32.exe (PID 2380; command line: C:\Windows\system32\Iijdfc32.exe)
   - System Location Discovery: System Language Discovery
71. C:\Windows\SysWOW64\Ibbioilj.exe (PID 2248; command line: C:\Windows\system32\Ibbioilj.exe)
72. C:\Windows\SysWOW64\Ikkmho32.exe (PID 2860; command line: C:\Windows\system32\Ikkmho32.exe)
73. C:\Windows\SysWOW64\Iganmp32.exe (PID 2836; command line: C:\Windows\system32\Iganmp32.exe)
74. C:\Windows\SysWOW64\Jnlfjjpl.exe (PID 3000; command line: C:\Windows\system32\Jnlfjjpl.exe)
75. C:\Windows\SysWOW64\Jgdkbo32.exe (PID 2620; command line: C:\Windows\system32\Jgdkbo32.exe)
76. C:\Windows\SysWOW64\Jnncoini.exe (PID 2084; command line: C:\Windows\system32\Jnncoini.exe)
77. C:\Windows\SysWOW64\Jehklc32.exe (PID 2140; command line: C:\Windows\system32\Jehklc32.exe)
   - System Location Discovery: System Language Discovery
78. C:\Windows\SysWOW64\Jgfghodj.exe (PID 2892; command line: C:\Windows\system32\Jgfghodj.exe)
79. C:\Windows\SysWOW64\Jmcpqfba.exe (PID 2888; command line: C:\Windows\system32\Jmcpqfba.exe)
   - Drops file in System32 directory
80. C:\Windows\SysWOW64\Jjgpjjak.exe (PID 2444; command line: C:\Windows\system32\Jjgpjjak.exe)
   - Modifies registry class
81. C:\Windows\SysWOW64\Jcodcp32.exe (PID 2056; command line: C:\Windows\system32\Jcodcp32.exe)
   - System Location Discovery: System Language Discovery
82. C:\Windows\SysWOW64\Jilmkffb.exe (PID 2176; command line: C:\Windows\system32\Jilmkffb.exe)
83. C:\Windows\SysWOW64\Klmfmacc.exe (PID 1720; command line: C:\Windows\system32\Klmfmacc.exe)
84. C:\Windows\SysWOW64\Keekeg32.exe (PID 2024; command line: C:\Windows\system32\Keekeg32.exe)
85. C:\Windows\SysWOW64\Kbikokin.exe (PID 840; command line: C:\Windows\system32\Kbikokin.exe)
86. C:\Windows\SysWOW64\Khfcgbge.exe (PID 2480; command line: C:\Windows\system32\Khfcgbge.exe)
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
87. C:\Windows\SysWOW64\Kjdpcnfi.exe (PID 1236; command line: C:\Windows\system32\Kjdpcnfi.exe)
88. C:\Windows\SysWOW64\Kanhph32.exe (PID 1964; command line: C:\Windows\system32\Kanhph32.exe)
   - System Location Discovery: System Language Discovery
89. C:\Windows\SysWOW64\Kaaeegkc.exe (PID 2932; command line: C:\Windows\system32\Kaaeegkc.exe)
90. C:\Windows\SysWOW64\Khkmba32.exe (PID 2844; command line: C:\Windows\system32\Khkmba32.exe)
91. C:\Windows\SysWOW64\Kacakgip.exe (PID 2660; command line: C:\Windows\system32\Kacakgip.exe)
92. C:\Windows\SysWOW64\Lkkfdmpq.exe (PID 2616; command line: C:\Windows\system32\Lkkfdmpq.exe)
93. C:\Windows\SysWOW64\Lddjmb32.exe (PID 2492; command line: C:\Windows\system32\Lddjmb32.exe)
94. C:\Windows\SysWOW64\Lmlofhmb.exe (PID 2960; command line: C:\Windows\system32\Lmlofhmb.exe)
95. C:\Windows\SysWOW64\Lcignoki.exe (PID 3024; command line: C:\Windows\system32\Lcignoki.exe)
96. C:\Windows\SysWOW64\Llalgdbj.exe (PID 1800; command line: C:\Windows\system32\Llalgdbj.exe)
97. C:\Windows\SysWOW64\Lggpdmap.exe (PID 2560; command line: C:\Windows\system32\Lggpdmap.exe)
   - Drops file in System32 directory
98. C:\Windows\SysWOW64\Lhhmle32.exe (PID 2452; command line: C:\Windows\system32\Lhhmle32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Laqadknn.exe (PID 432; command line: C:\Windows\system32\Laqadknn.exe)
100. C:\Windows\SysWOW64\Lhkiae32.exe (PID 1360; command line: C:\Windows\system32\Lhkiae32.exe)
   - System Location Discovery: System Language Discovery
101. C:\Windows\SysWOW64\Modano32.exe (PID 1740; command line: C:\Windows\system32\Modano32.exe)
   - System Location Discovery: System Language Discovery
102. C:\Windows\SysWOW64\Mhmfgdch.exe (PID 2404; command line: C:\Windows\system32\Mhmfgdch.exe)
   - Modifies registry class
103. C:\Windows\SysWOW64\Maejpj32.exe (PID 1460; command line: C:\Windows\system32\Maejpj32.exe)
104. C:\Windows\SysWOW64\Mgbcha32.exe (PID 1608; command line: C:\Windows\system32\Mgbcha32.exe)
105. C:\Windows\SysWOW64\Mdfcaegj.exe (PID 2916; command line: C:\Windows\system32\Mdfcaegj.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
106. C:\Windows\SysWOW64\Majdkifd.exe (PID 2656; command line: C:\Windows\system32\Majdkifd.exe)
107. C:\Windows\SysWOW64\Mdhpgeeg.exe (PID 2980; command line: C:\Windows\system32\Mdhpgeeg.exe)
108. C:\Windows\SysWOW64\Mkbhco32.exe (PID 3020; command line: C:\Windows\system32\Mkbhco32.exe)
109. C:\Windows\SysWOW64\Mqoqlfkl.exe (PID 264; command line: C:\Windows\system32\Mqoqlfkl.exe)
   - Modifies registry class
110. C:\Windows\SysWOW64\Nncaejie.exe (PID 2304; command line: C:\Windows\system32\Nncaejie.exe)
   - Drops file in System32 directory
111. C:\Windows\SysWOW64\Ngkfnp32.exe (PID 2204; command line: C:\Windows\system32\Ngkfnp32.exe)
112. C:\Windows\SysWOW64\Nogjbbma.exe (PID 1668; command line: C:\Windows\system32\Nogjbbma.exe)
113. C:\Windows\SysWOW64\Nhookh32.exe (PID 616; command line: C:\Windows\system32\Nhookh32.exe)
114. C:\Windows\SysWOW64\Nbgcdmjb.exe (PID 2400; command line: C:\Windows\system32\Nbgcdmjb.exe)
115. C:\Windows\SysWOW64\Nokdnail.exe (PID 2196; command line: C:\Windows\system32\Nokdnail.exe)
   - Modifies registry class
116. C:\Windows\SysWOW64\Nidhfgpl.exe (PID 1436; command line: C:\Windows\system32\Nidhfgpl.exe)
117. C:\Windows\SysWOW64\Oblmom32.exe (PID 2664; command line: C:\Windows\system32\Oblmom32.exe)
118. C:\Windows\SysWOW64\Ojlkonpb.exe (PID 1520; command line: C:\Windows\system32\Ojlkonpb.exe)
119. C:\Windows\SysWOW64\Ocdohdfc.exe (PID 108; command line: C:\Windows\system32\Ocdohdfc.exe)
120. C:\Windows\SysWOW64\Pjqdjn32.exe (PID 2428; command line: C:\Windows\system32\Pjqdjn32.exe)
121. C:\Windows\SysWOW64\Ppbfmdfo.exe (PID 2280; command line: C:\Windows\system32\Ppbfmdfo.exe)
122. C:\Windows\SysWOW64\Peooek32.exe (PID 2256; command line: C:\Windows\system32\Peooek32.exe)
   - Modifies registry class