Analysis
-
max time kernel
110s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
26/08/2024, 00:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4f0d1b877842afd15f0e0164ecb78110N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
4f0d1b877842afd15f0e0164ecb78110N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
4f0d1b877842afd15f0e0164ecb78110N.exe
-
Size
80KB
-
MD5
4f0d1b877842afd15f0e0164ecb78110
-
SHA1
99f51745657b89f4bb785f06bd9b63aa1ce85cea
-
SHA256
95a435fbb92df6d4656f8ce4037e56a2392a01390af00e66ea83b0cef6b39050
-
SHA512
5b1938288c8eff9484617e22d6a2e7cacf2d03ff5f57d3658497f3f0f10a49ba82f6566f0e3fb6ad5f5bb8d18ca57f74532b8f16d43aaefd4b8740f557236430
-
SSDEEP
1536:/iiJmC2xzRqW3npvlbZgPiU1GU2L4VCYrum8SPG2:/lJ2x0Qnp0KcGtWVT8SL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgjknijp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddeammok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacgli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnogmbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpkpie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkpkepnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooaflp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaqnbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkiikm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkancm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocbbbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogbllfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccjpfmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eckopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gofajcog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhngbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmaghc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijdcdgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggofcmih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoqofjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knapen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbejj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imccab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egegnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmdpcle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doqmjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhjejai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfcnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doapanne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehopnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfeljlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oakaheoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ommdqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehphdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eckopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiflgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnkfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhbgkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpiqel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdnmda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjglcmbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfmcapna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icadpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppidbidd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbcjfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leilnllb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgbdpena.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbihpbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdhpgeeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidchjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmimkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahoamplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiekkdjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nifmqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcdljghj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcjogidl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apeakonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cclkcdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idjlbqmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdobjgqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jchobqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lophcpam.exe -
Executes dropped EXE 64 IoCs
pid Process 2728 Midqiaih.exe 2844 Mbmebgpi.exe 2972 Mifmoa32.exe 2660 Nepkia32.exe 2632 Nmmlccfp.exe 3064 Nmpiicdm.exe 344 Ofjjghik.exe 2552 Oikcicfl.exe 1460 Okolfkjg.exe 824 Oakaheoa.exe 1476 Pghjqlmi.exe 3000 Pmdocf32.exe 1756 Ppegdapd.exe 2424 Pimlmf32.exe 2312 Pjpicfdb.exe 972 Qakmghbm.exe 1812 Qhgbibgg.exe 552 Afkccffq.exe 2560 Anfggicl.exe 1544 Ahllda32.exe 2556 Aqgqid32.exe 1820 Aklefm32.exe 2456 Ajaagi32.exe 2340 Aonjpp32.exe 2496 Bqngjcje.exe 2504 Bbocak32.exe 2576 Bocckoom.exe 2296 Bkjdpp32.exe 2796 Bnhqll32.exe 2888 Bebiifka.exe 2900 Bklaepbn.exe 2804 Bedene32.exe 2408 Bnmjgkpo.exe 2304 Cegbce32.exe 1264 Cmbghgdg.exe 2564 Cfkkam32.exe 2956 Ccolja32.exe 2144 Cmgpcg32.exe 2732 Cbcikn32.exe 2876 Cpgieb32.exe 2180 Dmljnfll.exe 1776 Degobhjg.exe 960 Dlqgob32.exe 1868 Deikhhhe.exe 2492 Doapanne.exe 684 Ddnhidmm.exe 1796 Egdjfo32.exe 540 Elqcnfdp.exe 3032 Ecjkkp32.exe 2372 Eidchjbi.exe 1708 Epnldd32.exe 2168 Eghdanac.exe 2896 Eigpmjqg.exe 2808 Epqhjdhc.exe 2840 Eenabkfk.exe 2120 Elgioe32.exe 964 Fcaaloed.exe 1760 Fdcncg32.exe 2880 Fkmfpabp.exe 1316 Fdekigip.exe 2232 Faikbkhj.exe 1296 Fhccoe32.exe 2984 Fnplgl32.exe 2356 Fcmdpcle.exe -
Loads dropped DLL 64 IoCs
pid Process 2480 4f0d1b877842afd15f0e0164ecb78110N.exe 2480 4f0d1b877842afd15f0e0164ecb78110N.exe 2728 Midqiaih.exe 2728 Midqiaih.exe 2844 Mbmebgpi.exe 2844 Mbmebgpi.exe 2972 Mifmoa32.exe 2972 Mifmoa32.exe 2660 Nepkia32.exe 2660 Nepkia32.exe 2632 Nmmlccfp.exe 2632 Nmmlccfp.exe 3064 Nmpiicdm.exe 3064 Nmpiicdm.exe 344 Ofjjghik.exe 344 Ofjjghik.exe 2552 Oikcicfl.exe 2552 Oikcicfl.exe 1460 Okolfkjg.exe 1460 Okolfkjg.exe 824 Oakaheoa.exe 824 Oakaheoa.exe 1476 Pghjqlmi.exe 1476 Pghjqlmi.exe 3000 Pmdocf32.exe 3000 Pmdocf32.exe 1756 Ppegdapd.exe 1756 Ppegdapd.exe 2424 Pimlmf32.exe 2424 Pimlmf32.exe 2312 Pjpicfdb.exe 2312 Pjpicfdb.exe 972 Qakmghbm.exe 972 Qakmghbm.exe 1812 Qhgbibgg.exe 1812 Qhgbibgg.exe 552 Afkccffq.exe 552 Afkccffq.exe 2560 Anfggicl.exe 2560 Anfggicl.exe 1544 Ahllda32.exe 1544 Ahllda32.exe 2556 Aqgqid32.exe 2556 Aqgqid32.exe 1820 Aklefm32.exe 1820 Aklefm32.exe 2456 Ajaagi32.exe 2456 Ajaagi32.exe 2340 Aonjpp32.exe 2340 Aonjpp32.exe 2496 Bqngjcje.exe 2496 Bqngjcje.exe 2504 Bbocak32.exe 2504 Bbocak32.exe 2576 Bocckoom.exe 2576 Bocckoom.exe 2296 Bkjdpp32.exe 2296 Bkjdpp32.exe 2796 Bnhqll32.exe 2796 Bnhqll32.exe 2888 Bebiifka.exe 2888 Bebiifka.exe 2900 Bklaepbn.exe 2900 Bklaepbn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pemjdi32.dll Eigpmjqg.exe File opened for modification C:\Windows\SysWOW64\Nbddfe32.exe Mchadifq.exe File created C:\Windows\SysWOW64\Qdhcinme.exe Qgdbpi32.exe File created C:\Windows\SysWOW64\Jaahgd32.exe Jjdcdjcm.exe File opened for modification C:\Windows\SysWOW64\Majdkifd.exe Mdfcaegj.exe File opened for modification C:\Windows\SysWOW64\Jkpkepnn.exe Jdfche32.exe File created C:\Windows\SysWOW64\Jfdmbl32.dll Ifiilp32.exe File created C:\Windows\SysWOW64\Opfjnm32.dll Cjkcedgp.exe File created C:\Windows\SysWOW64\Jjdcdjcm.exe Jchobqnc.exe File opened for modification C:\Windows\SysWOW64\Odckho32.exe Oofbph32.exe File opened for modification C:\Windows\SysWOW64\Okmceiii.exe Odckho32.exe File created C:\Windows\SysWOW64\Ceqlff32.exe Ccbojk32.exe File created C:\Windows\SysWOW64\Lfoiil32.dll Fflgahfm.exe File created C:\Windows\SysWOW64\Bbkmki32.exe Bgaljk32.exe File created C:\Windows\SysWOW64\Iodggl32.dll Pmdocf32.exe File opened for modification C:\Windows\SysWOW64\Jonqfq32.exe Jhchjgoh.exe File created C:\Windows\SysWOW64\Bcpiombe.exe Aggkdlod.exe File created C:\Windows\SysWOW64\Fkafkl32.dll Kmpfgklo.exe File created C:\Windows\SysWOW64\Keedfp32.dll Gepeep32.exe File opened for modification C:\Windows\SysWOW64\Ffahgn32.exe Fmicnhob.exe File created C:\Windows\SysWOW64\Nipgab32.exe Nphbhm32.exe File created C:\Windows\SysWOW64\Dnnoof32.dll Ehfjbd32.exe File created C:\Windows\SysWOW64\Gmcogf32.exe Fnnbfjmp.exe File created C:\Windows\SysWOW64\Goeoie32.dll Eenabkfk.exe File created C:\Windows\SysWOW64\Fleihi32.exe Fcmdpcle.exe File opened for modification C:\Windows\SysWOW64\Kmpfgklo.exe Kplfmfmf.exe File opened for modification C:\Windows\SysWOW64\Bhngbm32.exe Bnicddki.exe File opened for modification C:\Windows\SysWOW64\Chdeonfa.exe Cajmbd32.exe File created C:\Windows\SysWOW64\Jocfda32.dll Fbeeliin.exe File created C:\Windows\SysWOW64\Jgbpfhpc.exe Igpcpi32.exe File created C:\Windows\SysWOW64\Mbmebgpi.exe Midqiaih.exe File created C:\Windows\SysWOW64\Kekkkm32.exe Kmpfgklo.exe File opened for modification C:\Windows\SysWOW64\Mqoqlfkl.exe Mkbhco32.exe File opened for modification C:\Windows\SysWOW64\Pciiccbm.exe Ocglmcdp.exe File created C:\Windows\SysWOW64\Emdgjpkd.exe Elbkbh32.exe File created C:\Windows\SysWOW64\Lgjllm32.dll Dohnfc32.exe File created C:\Windows\SysWOW64\Femcap32.dll Ffiebc32.exe File created C:\Windows\SysWOW64\Koidficq.exe Kfqpmc32.exe File created C:\Windows\SysWOW64\Mhpeem32.exe Mlidplcf.exe File created C:\Windows\SysWOW64\Kdefdjnl.exe Kjmeaa32.exe File opened for modification C:\Windows\SysWOW64\Hhfcnb32.exe Halkahoo.exe File opened for modification C:\Windows\SysWOW64\Iiablido.exe Hddjcbfh.exe File created C:\Windows\SysWOW64\Cjmaed32.exe Bfohoe32.exe File created C:\Windows\SysWOW64\Cnkifmfo.dll Ppegdapd.exe File created C:\Windows\SysWOW64\Dknehe32.exe Dklibf32.exe File created C:\Windows\SysWOW64\Ohhijpea.dll Ljogknmf.exe File opened for modification C:\Windows\SysWOW64\Ambnlmja.exe Adgihkmf.exe File created C:\Windows\SysWOW64\Dheljhof.exe Dnpgmp32.exe File opened for modification C:\Windows\SysWOW64\Hchpjddc.exe Hmnhnk32.exe File opened for modification C:\Windows\SysWOW64\Mchadifq.exe Mhopcl32.exe File opened for modification C:\Windows\SysWOW64\Odmgnl32.exe Nhffikob.exe File created C:\Windows\SysWOW64\Icnnfilc.dll Eecgafkj.exe File created C:\Windows\SysWOW64\Immbmp32.dll Gddpndhp.exe File opened for modification C:\Windows\SysWOW64\Mdfcaegj.exe Mknohpqj.exe File opened for modification C:\Windows\SysWOW64\Emdgjpkd.exe Elbkbh32.exe File opened for modification C:\Windows\SysWOW64\Hphljkfk.exe Hkkcbdhc.exe File created C:\Windows\SysWOW64\Hcjpcmjg.exe Hgconl32.exe File opened for modification C:\Windows\SysWOW64\Ijokcl32.exe Hinolcbf.exe File created C:\Windows\SysWOW64\Hmpepjid.dll Hafdbmjp.exe File created C:\Windows\SysWOW64\Beokkc32.dll Kokppd32.exe File created C:\Windows\SysWOW64\Odfjdk32.exe Oiqegb32.exe File opened for modification C:\Windows\SysWOW64\Gjolpkhj.exe Gacgli32.exe File created C:\Windows\SysWOW64\Bjomoo32.exe Bcbhmehg.exe File created C:\Windows\SysWOW64\Kgjhdgmm.dll Ekcdegqe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2332 2340 WerFault.exe 949 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfoekhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djkodg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepfoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefhpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiablido.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchkjhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coidpiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkahi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Higiih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojjnioae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfdfcjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imndmnob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Damhmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghklq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnlqjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omonmpcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgalnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmpfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajlhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lheilofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkfcdpfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Degobhjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkhfhaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifmoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncejcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adohpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opdkgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppegdapd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edkahbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfnnpbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgkike32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhhagb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmfpabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbppqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdgadeee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndlanf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heqfdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnhcdkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnbeclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Midqiaih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cclkcdpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maplcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqendf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdeaohb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnqeeeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgehfodh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbdlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbdpena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchobqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghhngjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edieng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpomdmqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihkihe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohoogbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnnmboa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqmjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbkgegad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffndghdj.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dedkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnknedk.dll" Pfjbdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Folmgc32.dll" Igpcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclhpp32.dll" Aefhpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flccjn32.dll" Ibpjaagi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmpij32.dll" Apdminod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nndjhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leilnllb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhcnb32.dll" Fbkgjgqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfjbdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgkike32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehfjbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlppf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pokkkgpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oglfodai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 4f0d1b877842afd15f0e0164ecb78110N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgkanomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhmm32.dll" Cgmndokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mljgmiaq.dll" Ijmdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbhfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doapanne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lngpac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmdbkbpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajmihn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kocodbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eibbqmhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amdhidqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmcnmapk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogigpllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncgfohq.dll" Meonlkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eabgjeef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfganb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcchl32.dll" Ibmhjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaolne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqmcde32.dll" Bqngjcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkafkl32.dll" Kmpfgklo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgpjcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffabjf32.dll" Phmkaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pflacgaa.dll" Kkmddmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dplalb32.dll" Dmljnfll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oacdmpan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lddagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faaeni32.dll" Mgalnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clphjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kplfmfmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnkpaedi.dll" Blejgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dclbgadl.dll" Njlopkmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlebog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfiaemdb.dll" Oofbph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdaedhoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgmkef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adenqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bepmokco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkklpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkmddmop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bohoogbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiicjf32.dll" Imccab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klpdie32.dll" Kbgnil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjlglao.dll" Noighakn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehfjbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfnnmboa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ificlp32.dll" Bklaepbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phhonn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2480 wrote to memory of 2728 2480 4f0d1b877842afd15f0e0164ecb78110N.exe 30 PID 2480 wrote to memory of 2728 2480 4f0d1b877842afd15f0e0164ecb78110N.exe 30 PID 2480 wrote to memory of 2728 2480 4f0d1b877842afd15f0e0164ecb78110N.exe 30 PID 2480 wrote to memory of 2728 2480 4f0d1b877842afd15f0e0164ecb78110N.exe 30 PID 2728 wrote to memory of 2844 2728 Midqiaih.exe 31 PID 2728 wrote to memory of 2844 2728 Midqiaih.exe 31 PID 2728 wrote to memory of 2844 2728 Midqiaih.exe 31 PID 2728 wrote to memory of 2844 2728 Midqiaih.exe 31 PID 2844 wrote to memory of 2972 2844 Mbmebgpi.exe 32 PID 2844 wrote to memory of 2972 2844 Mbmebgpi.exe 32 PID 2844 wrote to memory of 2972 2844 Mbmebgpi.exe 32 PID 2844 wrote to memory of 2972 2844 Mbmebgpi.exe 32 PID 2972 wrote to memory of 2660 2972 Mifmoa32.exe 33 PID 2972 wrote to memory of 2660 2972 Mifmoa32.exe 33 PID 2972 wrote to memory of 2660 2972 Mifmoa32.exe 33 PID 2972 wrote to memory of 2660 2972 Mifmoa32.exe 33 PID 2660 wrote to memory of 2632 2660 Nepkia32.exe 34 PID 2660 wrote to memory of 2632 2660 Nepkia32.exe 34 PID 2660 wrote to memory of 2632 2660 Nepkia32.exe 34 PID 2660 wrote to memory of 2632 2660 Nepkia32.exe 34 PID 2632 wrote to memory of 3064 2632 Nmmlccfp.exe 35 PID 2632 wrote to memory of 3064 2632 Nmmlccfp.exe 35 PID 2632 wrote to memory of 3064 2632 Nmmlccfp.exe 35 PID 2632 wrote to memory of 3064 2632 Nmmlccfp.exe 35 PID 3064 wrote to memory of 344 3064 Nmpiicdm.exe 36 PID 3064 wrote to memory of 344 3064 Nmpiicdm.exe 36 PID 3064 wrote to memory of 344 3064 Nmpiicdm.exe 36 PID 3064 wrote to memory of 344 3064 Nmpiicdm.exe 36 PID 344 wrote to memory of 2552 344 Ofjjghik.exe 37 PID 344 wrote to memory of 2552 344 Ofjjghik.exe 37 PID 344 wrote to memory of 2552 344 Ofjjghik.exe 37 PID 344 wrote to memory of 2552 344 Ofjjghik.exe 37 PID 2552 wrote to memory of 1460 2552 Oikcicfl.exe 38 PID 2552 wrote to memory of 1460 2552 Oikcicfl.exe 38 PID 2552 wrote to memory of 1460 2552 Oikcicfl.exe 38 PID 2552 wrote to memory of 1460 2552 Oikcicfl.exe 38 PID 1460 wrote to memory of 824 1460 Okolfkjg.exe 39 PID 1460 wrote to memory of 824 1460 Okolfkjg.exe 39 PID 1460 wrote to memory of 824 1460 Okolfkjg.exe 39 PID 1460 wrote to memory of 824 1460 Okolfkjg.exe 39 PID 824 wrote to memory of 1476 824 Oakaheoa.exe 40 PID 824 wrote to memory of 1476 824 Oakaheoa.exe 40 PID 824 wrote to memory of 1476 824 Oakaheoa.exe 40 PID 824 wrote to memory of 1476 824 Oakaheoa.exe 40 PID 1476 wrote to memory of 3000 1476 Pghjqlmi.exe 41 PID 1476 wrote to memory of 3000 1476 Pghjqlmi.exe 41 PID 1476 wrote to memory of 3000 1476 Pghjqlmi.exe 41 PID 1476 wrote to memory of 3000 1476 Pghjqlmi.exe 41 PID 3000 wrote to memory of 1756 3000 Pmdocf32.exe 42 PID 3000 wrote to memory of 1756 3000 Pmdocf32.exe 42 PID 3000 wrote to memory of 1756 3000 Pmdocf32.exe 42 PID 3000 wrote to memory of 1756 3000 Pmdocf32.exe 42 PID 1756 wrote to memory of 2424 1756 Ppegdapd.exe 43 PID 1756 wrote to memory of 2424 1756 Ppegdapd.exe 43 PID 1756 wrote to memory of 2424 1756 Ppegdapd.exe 43 PID 1756 wrote to memory of 2424 1756 Ppegdapd.exe 43 PID 2424 wrote to memory of 2312 2424 Pimlmf32.exe 44 PID 2424 wrote to memory of 2312 2424 Pimlmf32.exe 44 PID 2424 wrote to memory of 2312 2424 Pimlmf32.exe 44 PID 2424 wrote to memory of 2312 2424 Pimlmf32.exe 44 PID 2312 wrote to memory of 972 2312 Pjpicfdb.exe 45 PID 2312 wrote to memory of 972 2312 Pjpicfdb.exe 45 PID 2312 wrote to memory of 972 2312 Pjpicfdb.exe 45 PID 2312 wrote to memory of 972 2312 Pjpicfdb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f0d1b877842afd15f0e0164ecb78110N.exe"C:\Users\Admin\AppData\Local\Temp\4f0d1b877842afd15f0e0164ecb78110N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Midqiaih.exeC:\Windows\system32\Midqiaih.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Mbmebgpi.exeC:\Windows\system32\Mbmebgpi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Mifmoa32.exeC:\Windows\system32\Mifmoa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Nepkia32.exeC:\Windows\system32\Nepkia32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Nmmlccfp.exeC:\Windows\system32\Nmmlccfp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Nmpiicdm.exeC:\Windows\system32\Nmpiicdm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Ofjjghik.exeC:\Windows\system32\Ofjjghik.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Oikcicfl.exeC:\Windows\system32\Oikcicfl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Oakaheoa.exeC:\Windows\system32\Oakaheoa.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Pmdocf32.exeC:\Windows\system32\Pmdocf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Ppegdapd.exeC:\Windows\system32\Ppegdapd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Pimlmf32.exeC:\Windows\system32\Pimlmf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Pjpicfdb.exeC:\Windows\system32\Pjpicfdb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Afkccffq.exeC:\Windows\system32\Afkccffq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Aklefm32.exeC:\Windows\system32\Aklefm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Ajaagi32.exeC:\Windows\system32\Ajaagi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Aonjpp32.exeC:\Windows\system32\Aonjpp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Bbocak32.exeC:\Windows\system32\Bbocak32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Bocckoom.exeC:\Windows\system32\Bocckoom.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Bkjdpp32.exeC:\Windows\system32\Bkjdpp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Bnhqll32.exeC:\Windows\system32\Bnhqll32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Bebiifka.exeC:\Windows\system32\Bebiifka.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Bklaepbn.exeC:\Windows\system32\Bklaepbn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Bedene32.exeC:\Windows\system32\Bedene32.exe33⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Bnmjgkpo.exeC:\Windows\system32\Bnmjgkpo.exe34⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Cegbce32.exeC:\Windows\system32\Cegbce32.exe35⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Cmbghgdg.exeC:\Windows\system32\Cmbghgdg.exe36⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Cfkkam32.exeC:\Windows\system32\Cfkkam32.exe37⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Ccolja32.exeC:\Windows\system32\Ccolja32.exe38⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Cmgpcg32.exeC:\Windows\system32\Cmgpcg32.exe39⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Cbcikn32.exeC:\Windows\system32\Cbcikn32.exe40⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Cpgieb32.exeC:\Windows\system32\Cpgieb32.exe41⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Dmljnfll.exeC:\Windows\system32\Dmljnfll.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Degobhjg.exeC:\Windows\system32\Degobhjg.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Dlqgob32.exeC:\Windows\system32\Dlqgob32.exe44⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Deikhhhe.exeC:\Windows\system32\Deikhhhe.exe45⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Doapanne.exeC:\Windows\system32\Doapanne.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Ddnhidmm.exeC:\Windows\system32\Ddnhidmm.exe47⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Egdjfo32.exeC:\Windows\system32\Egdjfo32.exe48⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe49⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Ecjkkp32.exeC:\Windows\system32\Ecjkkp32.exe50⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Eidchjbi.exeC:\Windows\system32\Eidchjbi.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Epnldd32.exeC:\Windows\system32\Epnldd32.exe52⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Eghdanac.exeC:\Windows\system32\Eghdanac.exe53⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Eigpmjqg.exeC:\Windows\system32\Eigpmjqg.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Epqhjdhc.exeC:\Windows\system32\Epqhjdhc.exe55⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Eenabkfk.exeC:\Windows\system32\Eenabkfk.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Elgioe32.exeC:\Windows\system32\Elgioe32.exe57⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Fcaaloed.exeC:\Windows\system32\Fcaaloed.exe58⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Fdcncg32.exeC:\Windows\system32\Fdcncg32.exe59⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Fkmfpabp.exeC:\Windows\system32\Fkmfpabp.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe61⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Faikbkhj.exeC:\Windows\system32\Faikbkhj.exe62⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Fhccoe32.exeC:\Windows\system32\Fhccoe32.exe63⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Fnplgl32.exeC:\Windows\system32\Fnplgl32.exe64⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Fcmdpcle.exeC:\Windows\system32\Fcmdpcle.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Fleihi32.exeC:\Windows\system32\Fleihi32.exe66⤵PID:2920
-
C:\Windows\SysWOW64\Fgjmfa32.exeC:\Windows\system32\Fgjmfa32.exe67⤵PID:1752
-
C:\Windows\SysWOW64\Gmgenh32.exeC:\Windows\system32\Gmgenh32.exe68⤵PID:1704
-
C:\Windows\SysWOW64\Gofajcog.exeC:\Windows\system32\Gofajcog.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3036 -
C:\Windows\SysWOW64\Gjkfglom.exeC:\Windows\system32\Gjkfglom.exe70⤵PID:1508
-
C:\Windows\SysWOW64\Gqendf32.exeC:\Windows\system32\Gqendf32.exe71⤵
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Gfbfln32.exeC:\Windows\system32\Gfbfln32.exe72⤵PID:2848
-
C:\Windows\SysWOW64\Gmloigln.exeC:\Windows\system32\Gmloigln.exe73⤵PID:2772
-
C:\Windows\SysWOW64\Gcfgfack.exeC:\Windows\system32\Gcfgfack.exe74⤵PID:3052
-
C:\Windows\SysWOW64\Gdgcnj32.exeC:\Windows\system32\Gdgcnj32.exe75⤵PID:2488
-
C:\Windows\SysWOW64\Gkaljdaf.exeC:\Windows\system32\Gkaljdaf.exe76⤵PID:2572
-
C:\Windows\SysWOW64\Gfgpgmql.exeC:\Windows\system32\Gfgpgmql.exe77⤵PID:1532
-
C:\Windows\SysWOW64\Gielchpp.exeC:\Windows\system32\Gielchpp.exe78⤵PID:328
-
C:\Windows\SysWOW64\Gnbelong.exeC:\Windows\system32\Gnbelong.exe79⤵PID:432
-
C:\Windows\SysWOW64\Hqpahkmj.exeC:\Windows\system32\Hqpahkmj.exe80⤵PID:2676
-
C:\Windows\SysWOW64\Higiih32.exeC:\Windows\system32\Higiih32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Hndaao32.exeC:\Windows\system32\Hndaao32.exe82⤵PID:944
-
C:\Windows\SysWOW64\Hqbnnj32.exeC:\Windows\system32\Hqbnnj32.exe83⤵PID:2204
-
C:\Windows\SysWOW64\Hjkbfpah.exeC:\Windows\system32\Hjkbfpah.exe84⤵PID:2992
-
C:\Windows\SysWOW64\Heqfdh32.exeC:\Windows\system32\Heqfdh32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Hgobpd32.exeC:\Windows\system32\Hgobpd32.exe86⤵PID:436
-
C:\Windows\SysWOW64\Hmlkhk32.exeC:\Windows\system32\Hmlkhk32.exe87⤵PID:3068
-
C:\Windows\SysWOW64\Hfdpaqej.exeC:\Windows\system32\Hfdpaqej.exe88⤵PID:2252
-
C:\Windows\SysWOW64\Hmnhnk32.exeC:\Windows\system32\Hmnhnk32.exe89⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Hchpjddc.exeC:\Windows\system32\Hchpjddc.exe90⤵PID:2604
-
C:\Windows\SysWOW64\Hiehbl32.exeC:\Windows\system32\Hiehbl32.exe91⤵PID:2692
-
C:\Windows\SysWOW64\Ipoqofjh.exeC:\Windows\system32\Ipoqofjh.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:864 -
C:\Windows\SysWOW64\Ifiilp32.exeC:\Windows\system32\Ifiilp32.exe93⤵
- Drops file in System32 directory
PID:924 -
C:\Windows\SysWOW64\Imcaijia.exeC:\Windows\system32\Imcaijia.exe94⤵PID:1992
-
C:\Windows\SysWOW64\Ibpjaagi.exeC:\Windows\system32\Ibpjaagi.exe95⤵
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Ienfml32.exeC:\Windows\system32\Ienfml32.exe96⤵PID:2068
-
C:\Windows\SysWOW64\Ipcjje32.exeC:\Windows\system32\Ipcjje32.exe97⤵PID:1860
-
C:\Windows\SysWOW64\Iaegbmlq.exeC:\Windows\system32\Iaegbmlq.exe98⤵PID:1972
-
C:\Windows\SysWOW64\Iljkofkg.exeC:\Windows\system32\Iljkofkg.exe99⤵PID:2000
-
C:\Windows\SysWOW64\Iagchmjn.exeC:\Windows\system32\Iagchmjn.exe100⤵PID:1072
-
C:\Windows\SysWOW64\Ilmgef32.exeC:\Windows\system32\Ilmgef32.exe101⤵PID:3040
-
C:\Windows\SysWOW64\Imndmnob.exeC:\Windows\system32\Imndmnob.exe102⤵
- System Location Discovery: System Language Discovery
PID:692 -
C:\Windows\SysWOW64\Jhchjgoh.exeC:\Windows\system32\Jhchjgoh.exe103⤵
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Jonqfq32.exeC:\Windows\system32\Jonqfq32.exe104⤵PID:2768
-
C:\Windows\SysWOW64\Jfiekc32.exeC:\Windows\system32\Jfiekc32.exe105⤵PID:1744
-
C:\Windows\SysWOW64\Janihlcf.exeC:\Windows\system32\Janihlcf.exe106⤵PID:2760
-
C:\Windows\SysWOW64\Jkfnaa32.exeC:\Windows\system32\Jkfnaa32.exe107⤵PID:2648
-
C:\Windows\SysWOW64\Jdobjgqg.exeC:\Windows\system32\Jdobjgqg.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1084 -
C:\Windows\SysWOW64\Jepoao32.exeC:\Windows\system32\Jepoao32.exe109⤵PID:2908
-
C:\Windows\SysWOW64\Jpfcohfk.exeC:\Windows\system32\Jpfcohfk.exe110⤵PID:812
-
C:\Windows\SysWOW64\Jinghn32.exeC:\Windows\system32\Jinghn32.exe111⤵PID:1928
-
C:\Windows\SysWOW64\Kokppd32.exeC:\Windows\system32\Kokppd32.exe112⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Kommediq.exeC:\Windows\system32\Kommediq.exe113⤵PID:1128
-
C:\Windows\SysWOW64\Kheaoj32.exeC:\Windows\system32\Kheaoj32.exe114⤵PID:2996
-
C:\Windows\SysWOW64\Knbjgq32.exeC:\Windows\system32\Knbjgq32.exe115⤵PID:1808
-
C:\Windows\SysWOW64\Kgknpfdi.exeC:\Windows\system32\Kgknpfdi.exe116⤵PID:856
-
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe117⤵PID:2752
-
C:\Windows\SysWOW64\Kgmkef32.exeC:\Windows\system32\Kgmkef32.exe118⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Kabobo32.exeC:\Windows\system32\Kabobo32.exe119⤵PID:556
-
C:\Windows\SysWOW64\Kcdljghj.exeC:\Windows\system32\Kcdljghj.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948 -
C:\Windows\SysWOW64\Ljndga32.exeC:\Windows\system32\Ljndga32.exe121⤵PID:928
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-