Analysis
max time kernel: 44s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 01/09/2024, 08:50

Static task: static1
Behavioral task: behavioral1
  Sample: 5c8e712c20da43b95fa8f3aaa74b9580N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 5c8e712c20da43b95fa8f3aaa74b9580N.exe
  Resource: win10v2004-20240802-en

General
Target: 5c8e712c20da43b95fa8f3aaa74b9580N.exe
Size: 78KB
MD5: 5c8e712c20da43b95fa8f3aaa74b9580
SHA1: f4b1dcdff1aacb0e4ac1c1aed8e5c4fdb42c3d7f
SHA256: 0d44af485570e1ebc49cd7b06ac11151e3c0afa80b02c6b587f6c7be25a60d9b
SHA512: 8339b381229fa662f46085e27d32217b7225453647905c710452775d9eeb2eaba7d6e0c972662a4f560a53e0cbe9f27ddc2f98b3c92e4cf56621836707db4c72
SSDEEP: 1536:KE1wzDo4sPIYyegPiUNyiVyN+zL20gJi1ie:jEo4swYy+HiVygzL20WKt
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Values under ShellServiceObjectDelayLoad (SSODL) name a CLSID that Explorer.exe instantiates at logon; the DLL that actually gets loaded is whatever that CLSID's InProcServer32 key points to (see "Modifies registry class" below, where the same CLSID is registered). All 64 writes concern a single value name and a single CLSID.
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process (30): Occeip32.exe, Ikoehj32.exe, Ihcfan32.exe, Jpnkep32.exe, Blibghmm.exe, Igffmkno.exe, Nbilhkig.exe, Gphlgk32.exe, Gbmoceol.exe, Bpengf32.exe, Lbbiii32.exe, Nhpabdqd.exe, Nlocka32.exe, Lpddgd32.exe, Bomhnb32.exe, Fcoolj32.exe, Gfadcemm.exe, Kninog32.exe, Ndgbgefh.exe, Oafedmlb.exe, Ekjgbi32.exe, Hmiljb32.exe, Mfihml32.exe, Midnqh32.exe, Majcoepi.exe, Lpapgnpb.exe, Nmjmekan.exe, Kkfhglen.exe, Igbqdlea.exe, Ljeoimeg.exe

description: Key created
ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process (34): Kkfhglen.exe, Mcjlap32.exe, Nlbgkgcc.exe, Pamlel32.exe, Ihnmfoli.exe, Lbmpnjai.exe, Nokcbm32.exe, Fbfldc32.exe, Ikmibjkm.exe, Aiimfi32.exe, Biiiempl.exe, Djmknb32.exe, Onmfin32.exe, Ecjibgdh.exe, Hengep32.exe, Oheppe32.exe, Ajmfca32.exe, Knjdimdh.exe, Mlmaad32.exe, Pjmjdnop.exe, Blnkbg32.exe, Clnhajlc.exe, Ffmkhe32.exe, Hhjgll32.exe, Nomphm32.exe, Cmikpngk.exe, Elejqm32.exe, Pncljmko.exe, Jpnkep32.exe, Nebnigmp.exe, Odfofhic.exe, Fqilppic.exe, Pccahc32.exe, Anhbdpje.exe
Executes dropped EXE 64 IoCs
pid Process
2392 Ilkpac32.exe, 1812 Idbgbahq.exe, 2948 Ilmlfcel.exe, 2164 Igbqdlea.exe
1660 Ijampgde.exe, 2664 Iciaim32.exe, 2080 Jfhmehji.exe, 2172 Jfjjkhhg.exe
2024 Jldbgb32.exe, 352 Jobocn32.exe, 2720 Jkioho32.exe, 3016 Jkllnn32.exe
864 Jbedkhie.exe, 1400 Jnlepioj.exe, 2356 Kqkalenn.exe, 2052 Kqmnadlk.exe
1368 Kfjfik32.exe, 2616 Kjebjjck.exe, 2012 Kobkbaac.exe, 2252 Kbqgolpf.exe
1920 Kodghqop.exe, 2744 Kbcddlnd.exe, 1580 Kimlqfeq.exe, 2788 Kkkhmadd.exe
2932 Knjdimdh.exe, 2984 Kbeqjl32.exe, 2860 Lnlaomae.exe, 3032 Lajmkhai.exe
1824 Llpaha32.exe, 2264 Lbjjekhl.exe, 1624 Lckflc32.exe, 1980 Ljeoimeg.exe
1652 Lmckeidj.exe, 1240 Lekcffem.exe, 1496 Lgiobadq.exe, 3028 Lflonn32.exe
3008 Ljgkom32.exe, 588 Lmfgkh32.exe, 2512 Laackgka.exe, 1148 Lpddgd32.exe
2056 Lhklha32.exe, 264 Ljjhdm32.exe, 1868 Limhpihl.exe, 1380 Mcbmmbhb.exe
1256 Mbemho32.exe, 2236 Mfqiingf.exe, 672 Mjlejl32.exe, 1952 Mioeeifi.exe
2844 Mlmaad32.exe, 2976 Mddibb32.exe, 2668 Mfceom32.exe, 2828 Meffjjln.exe
1732 Mmmnkglp.exe, 2032 Mpkjgckc.exe, 328 Mbjfcnkg.exe, 1484 Mfebdm32.exe
2192 Midnqh32.exe, 2916 Mhfoleio.exe, 2876 Mpngmb32.exe, 2376 Moqgiopk.exe
1828 Maocekoo.exe, 1984 Mifkfhpa.exe, 1656 Mldgbcoe.exe, 896 Moccnoni.exe
Loads dropped DLL 64 IoCs
pid Process (32 processes, each listed twice in the report)
1872 5c8e712c20da43b95fa8f3aaa74b9580N.exe, 2392 Ilkpac32.exe, 1812 Idbgbahq.exe, 2948 Ilmlfcel.exe
2164 Igbqdlea.exe, 1660 Ijampgde.exe, 2664 Iciaim32.exe, 2080 Jfhmehji.exe
2172 Jfjjkhhg.exe, 2024 Jldbgb32.exe, 352 Jobocn32.exe, 2720 Jkioho32.exe
3016 Jkllnn32.exe, 864 Jbedkhie.exe, 1400 Jnlepioj.exe, 2356 Kqkalenn.exe
2052 Kqmnadlk.exe, 1368 Kfjfik32.exe, 2616 Kjebjjck.exe, 2012 Kobkbaac.exe
2252 Kbqgolpf.exe, 1920 Kodghqop.exe, 2744 Kbcddlnd.exe, 1580 Kimlqfeq.exe
2788 Kkkhmadd.exe, 2932 Knjdimdh.exe, 2984 Kbeqjl32.exe, 2860 Lnlaomae.exe
3032 Lajmkhai.exe, 1824 Llpaha32.exe, 2264 Lbjjekhl.exe, 1624 Lckflc32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Odfofhic.exe | Onmfin32.exe
File created | C:\Windows\SysWOW64\Aglmbfdk.exe | Aiimfi32.exe
File opened for modification | C:\Windows\SysWOW64\Ipaklm32.exe | Ihjcko32.exe
File created | C:\Windows\SysWOW64\Jpqgkpcl.exe | Jlekja32.exe
File created | C:\Windows\SysWOW64\Eocmep32.dll | Nilndfgl.exe
File created | C:\Windows\SysWOW64\Hbfdeplh.dll | Oipcnieb.exe
File created | C:\Windows\SysWOW64\Iciaim32.exe | Ijampgde.exe
File created | C:\Windows\SysWOW64\Hjdlgkfb.dll | Olimlf32.exe
File created | C:\Windows\SysWOW64\Flgdah32.dll | Ohjmlaci.exe
File opened for modification | C:\Windows\SysWOW64\Gbheif32.exe | Gnmihgkh.exe
File opened for modification | C:\Windows\SysWOW64\Hbknmicj.exe | Hdhnal32.exe
File created | C:\Windows\SysWOW64\Hengep32.exe | Habkeacd.exe
File created | C:\Windows\SysWOW64\Anmmjl32.dll | Opebpdad.exe
File created | C:\Windows\SysWOW64\Clinfk32.exe | Cikbjpqd.exe
File opened for modification | C:\Windows\SysWOW64\Cpbnaj32.exe | Capmemci.exe
File created | C:\Windows\SysWOW64\Oipcnieb.exe | Oeegnj32.exe
File created | C:\Windows\SysWOW64\Jjneoeeh.exe | Jfbinf32.exe
File created | C:\Windows\SysWOW64\Nobpmb32.exe | Npppaejj.exe
File opened for modification | C:\Windows\SysWOW64\Dammoahg.exe | Dcjmcd32.exe
File created | C:\Windows\SysWOW64\Khcbpa32.exe | Kdgfpbaf.exe
File created | C:\Windows\SysWOW64\Honblmaq.dll | Miiaogio.exe
File created | C:\Windows\SysWOW64\Kjihci32.exe | Kkfhglen.exe
File opened for modification | C:\Windows\SysWOW64\Oingii32.exe | Okkfmmqj.exe
File created | C:\Windows\SysWOW64\Efcjij32.dll | Kjebjjck.exe
File opened for modification | C:\Windows\SysWOW64\Fclbgj32.exe | Feiaknmg.exe
File created | C:\Windows\SysWOW64\Eohhqjab.dll | Lmqgec32.exe
File opened for modification | C:\Windows\SysWOW64\Ocihgo32.exe | Opjlkc32.exe
File created | C:\Windows\SysWOW64\Mgpdil32.dll | Pfoanp32.exe
File opened for modification | C:\Windows\SysWOW64\Blibghmm.exe | Bikfklni.exe
File created | C:\Windows\SysWOW64\Ifhgcgjq.exe | Ibmkbh32.exe
File opened for modification | C:\Windows\SysWOW64\Iaddid32.exe | Iofhmi32.exe
File created | C:\Windows\SysWOW64\Ikcpoa32.dll | Mfebdm32.exe
File created | C:\Windows\SysWOW64\Odiklh32.exe | Oajopl32.exe
File created | C:\Windows\SysWOW64\Coelpahk.dll | Pbjkop32.exe
File opened for modification | C:\Windows\SysWOW64\Pibgfjdh.exe | Poibmdmh.exe
File opened for modification | C:\Windows\SysWOW64\Hnflnfbm.exe | Hfodmhbk.exe
File created | C:\Windows\SysWOW64\Npbcjjnl.dll | Jpcdqpqj.exe
File created | C:\Windows\SysWOW64\Fnklgh32.dll | Pglacbbo.exe
File opened for modification | C:\Windows\SysWOW64\Ajcldpkd.exe | Abldccka.exe
File opened for modification | C:\Windows\SysWOW64\Fjaqhe32.exe | Fgcdlj32.exe
File created | C:\Windows\SysWOW64\Mmijgm32.dll | Jfjjkhhg.exe
File opened for modification | C:\Windows\SysWOW64\Agccbenc.exe | Acggbffj.exe
File created | C:\Windows\SysWOW64\Jhenggfi.dll | Mmpcdfem.exe
File opened for modification | C:\Windows\SysWOW64\Aafnpkii.exe | Anhbdpje.exe
File created | C:\Windows\SysWOW64\Onobqhia.dll | Oolbcaij.exe
File created | C:\Windows\SysWOW64\Gmapcm32.dll | Pqplqile.exe
File opened for modification | C:\Windows\SysWOW64\Pncljmko.exe | Pjhpin32.exe
File opened for modification | C:\Windows\SysWOW64\Jbedkhie.exe | Jkllnn32.exe
File created | C:\Windows\SysWOW64\Hmneebeb.exe | Hjoiiffo.exe
File opened for modification | C:\Windows\SysWOW64\Apnhggln.exe | Aakhkj32.exe
File created | C:\Windows\SysWOW64\Kdokmeph.dll | Bpbabf32.exe
File created | C:\Windows\SysWOW64\Ldlipnke.dll | Fqilppic.exe
File opened for modification | C:\Windows\SysWOW64\Mdmhfpkg.exe | Manljd32.exe
File opened for modification | C:\Windows\SysWOW64\Dhgelk32.exe | Ddliklgk.exe
File opened for modification | C:\Windows\SysWOW64\Oheppe32.exe | Oegdcj32.exe
File created | C:\Windows\SysWOW64\Ebkilnbk.dll | Dkeahf32.exe
File opened for modification | C:\Windows\SysWOW64\Kdlpkb32.exe | Kbncof32.exe
File created | C:\Windows\SysWOW64\Kjnanhhc.exe | Kgoebmip.exe
File opened for modification | C:\Windows\SysWOW64\Lmfgkh32.exe | Ljgkom32.exe
File created | C:\Windows\SysWOW64\Qifpqi32.exe | Qbmhdp32.exe
File created | C:\Windows\SysWOW64\Aiflpm32.exe | Ajcldpkd.exe
File opened for modification | C:\Windows\SysWOW64\Leqeed32.exe | Lbbiii32.exe
File opened for modification | C:\Windows\SysWOW64\Nkjdcp32.exe | Mlgdhcmb.exe
File opened for modification | C:\Windows\SysWOW64\Pqdelh32.exe | Pmiikipg.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
5604 | 5540 | WerFault.exe | 559
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (64): Gindjqnc.exe, Khglkqfj.exe, Idbgbahq.exe, Mlmaad32.exe, Enhcnd32.exe, Gbkaneao.exe, Odckfb32.exe, Anfeop32.exe, Cbajme32.exe, Ffpkob32.exe, Nhakecld.exe, Aakhkj32.exe, Clnhajlc.exe, Iockhigl.exe, Nepach32.exe, Lmckeidj.exe, Ddbolkac.exe, Cojghf32.exe, Igffmkno.exe, Elbmkm32.exe, Lojjfo32.exe, Mpkjgckc.exe, Dhlogjko.exe, Cmaeoo32.exe, Eclfhgaf.exe, Fpcblkje.exe, Hbknmicj.exe, Kqemeb32.exe, Lfkhch32.exe, Aiimfi32.exe, Bdgcaj32.exe, Gapoob32.exe, Hhjgll32.exe, Qnalcqpm.exe, Ccecheeb.exe, Odoakckp.exe, Oegdcj32.exe, Lpddgd32.exe, Ncnlnaim.exe, Jndhddaf.exe, Oophlpag.exe, Aepnkjcd.exe, Ihcfan32.exe, Ocqhcqgk.exe, Kjebjjck.exe, Laackgka.exe, Innbde32.exe, Oklmhcdf.exe, Bafkookd.exe, Koogbk32.exe, Lelljepm.exe, Majcoepi.exe, Mfceom32.exe, Epipql32.exe, Kqcqpc32.exe, Lpcmlnnp.exe, Oemhjlha.exe, Poibmdmh.exe, Lekcffem.exe, Jpqgkpcl.exe, Gfogneop.exe, Aafnpkii.exe, Ammoel32.exe, Hidfjckg.exe
Modifies registry class 64 IoCs
All 64 writes register the single CLSID referenced from ShellServiceObjectDelayLoad above. Its InProcServer32 default value is rewritten 22 times, each time to a different freshly dropped DLL under C:\Windows\SysWow64\, so the DLL Explorer.exe will load at the next logon is whichever stage wrote last; every one of those DLL paths is a hunting artifact in its own right.
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Process (20): Kninog32.exe, Camqpnel.exe, Hbknmicj.exe, Mjbghkfi.exe, Nddeae32.exe, Fohphgce.exe, Npnclf32.exe, Cmikpngk.exe, Iofhmi32.exe, Odoakckp.exe, Okqgcb32.exe, Cllkkk32.exe, Ieppjclf.exe, Pfoanp32.exe, Bhbpahan.exe, Bdipfi32.exe, Hhjgll32.exe, Mnijnjbh.exe, Llpaha32.exe, Bdgcaj32.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Process (22): Ngencpel.exe, Olimlf32.exe, Kfjfik32.exe, Lkfdfo32.exe, Ilmlfcel.exe, Ngkaaolf.exe, Bleilh32.exe, Echlmh32.exe, Kodghqop.exe, Aiimfi32.exe, Bbannb32.exe, Bafkookd.exe, Knpkhhhg.exe, Nknnnoph.exe, Bfmjoqoe.exe, Fkldgi32.exe, Hnflnfbm.exe, Igffmkno.exe, Lbbiii32.exe, Bhbpahan.exe, Pamlel32.exe, Jhniebne.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "<dll path>" (22 writes, listed as value | Process)
"C:\\Windows\\SysWow64\\Knmmkb32.dll" | Habkeacd.exe
"C:\\Windows\\SysWow64\\Qkdlpgkc.dll" | Ajapoqmf.exe
"C:\\Windows\\SysWow64\\Pgcacc32.dll" | Mbjfcnkg.exe
"C:\\Windows\\SysWow64\\Hdqcfdkh.dll" | Mjddnjdf.exe
"C:\\Windows\\SysWow64\\Alfoikga.dll" | Gindjqnc.exe
"C:\\Windows\\SysWow64\\Mhfoej32.dll" | Koogbk32.exe
"C:\\Windows\\SysWow64\\Kljppd32.dll" | Mmmnkglp.exe
"C:\\Windows\\SysWow64\\Bkfmmd32.dll" | Bleilh32.exe
"C:\\Windows\\SysWow64\\Mnohgfgb.dll" | Npnclf32.exe
"C:\\Windows\\SysWow64\\Njbnon32.dll" | Kdlpkb32.exe
"C:\\Windows\\SysWow64\\Ibnjlg32.dll" | Moccnoni.exe
"C:\\Windows\\SysWow64\\Dngdefco.dll" | Aiimfi32.exe
"C:\\Windows\\SysWow64\\Ogdmkmgf.dll" | Oikapk32.exe
"C:\\Windows\\SysWow64\\Ojqeofnd.dll" | Nklaipbj.exe
"C:\\Windows\\SysWow64\\Ljkiicbg.dll" | Cfhlbe32.exe
"C:\\Windows\\SysWow64\\Cokdhpcc.dll" | Kqcqpc32.exe
"C:\\Windows\\SysWow64\\Mmooam32.dll" | Malpee32.exe
"C:\\Windows\\SysWow64\\Gnkqpnqp.dll" | Nahfkigd.exe
"C:\\Windows\\SysWow64\\Knmhidaa.dll" | Pkpcbecl.exe
"C:\\Windows\\SysWow64\\Mffjmq32.dll" | Jpqgkpcl.exe
"C:\\Windows\\SysWow64\\Kbgecc32.dll" | Mjbghkfi.exe
"C:\\Windows\\SysWow64\\Obkdmi32.dll" | Cojghf32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c8e712c20da43b95fa8f3aaa74b9580N.exe, command line: "C:\Users\Admin\AppData\Local\Temp\5c8e712c20da43b95fa8f3aaa74b9580N.exe" (depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Ilkpac32.exe, command line: C:\Windows\system32\Ilkpac32.exe (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Idbgbahq.exe, command line: C:\Windows\system32\Idbgbahq.exe (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Ilmlfcel.exe, command line: C:\Windows\system32\Ilmlfcel.exe (depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Igbqdlea.exe, command line: C:\Windows\system32\Igbqdlea.exe (depth 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Ijampgde.exe, command line: C:\Windows\system32\Ijampgde.exe (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Iciaim32.exe, command line: C:\Windows\system32\Iciaim32.exe (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Jfhmehji.exe, command line: C:\Windows\system32\Jfhmehji.exe (depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Jfjjkhhg.exe, command line: C:\Windows\system32\Jfjjkhhg.exe (depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Jldbgb32.exe, command line: C:\Windows\system32\Jldbgb32.exe (depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Jobocn32.exe, command line: C:\Windows\system32\Jobocn32.exe (depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\Jkioho32.exe, command line: C:\Windows\system32\Jkioho32.exe (depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Jkllnn32.exe, command line: C:\Windows\system32\Jkllnn32.exe (depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Jbedkhie.exe, command line: C:\Windows\system32\Jbedkhie.exe (depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Jnlepioj.exe, command line: C:\Windows\system32\Jnlepioj.exe (depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Kqkalenn.exe, command line: C:\Windows\system32\Kqkalenn.exe (depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Kqmnadlk.exe, command line: C:\Windows\system32\Kqmnadlk.exe (depth 17)
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Kfjfik32.exe, command line: C:\Windows\system32\Kfjfik32.exe (depth 18)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Kjebjjck.exe, command line: C:\Windows\system32\Kjebjjck.exe (depth 19)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Kobkbaac.exe, command line: C:\Windows\system32\Kobkbaac.exe (depth 20)
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Kbqgolpf.exe, command line: C:\Windows\system32\Kbqgolpf.exe (depth 21)
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Kodghqop.exe, command line: C:\Windows\system32\Kodghqop.exe (depth 22)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Kbcddlnd.exe, command line: C:\Windows\system32\Kbcddlnd.exe (depth 23)
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Kimlqfeq.exe, command line: C:\Windows\system32\Kimlqfeq.exe (depth 24)
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Kkkhmadd.exe, command line: C:\Windows\system32\Kkkhmadd.exe (depth 25)
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Knjdimdh.exe, command line: C:\Windows\system32\Knjdimdh.exe (depth 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Kbeqjl32.exe, command line: C:\Windows\system32\Kbeqjl32.exe (depth 27)
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Lnlaomae.exe, command line: C:\Windows\system32\Lnlaomae.exe (depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Lajmkhai.exe, command line: C:\Windows\system32\Lajmkhai.exe (depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Llpaha32.exe, command line: C:\Windows\system32\Llpaha32.exe (depth 30)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Lbjjekhl.exe, command line: C:\Windows\system32\Lbjjekhl.exe (depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Lckflc32.exe, command line: C:\Windows\system32\Lckflc32.exe (depth 32)
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Ljeoimeg.exe, command line: C:\Windows\system32\Ljeoimeg.exe (depth 33)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Lmckeidj.exe, command line: C:\Windows\system32\Lmckeidj.exe (depth 34)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Lekcffem.exe, command line: C:\Windows\system32\Lekcffem.exe (depth 35)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1240 -
C:\Windows\SysWOW64\Lgiobadq.exe, command line: C:\Windows\system32\Lgiobadq.exe (depth 36)
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Lflonn32.exe, command line: C:\Windows\system32\Lflonn32.exe (depth 37)
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ljgkom32.exe, command line: C:\Windows\system32\Ljgkom32.exe (depth 38)
- Executes dropped EXE
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Lmfgkh32.exe, command line: C:\Windows\system32\Lmfgkh32.exe (depth 39)
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Laackgka.exe, command line: C:\Windows\system32\Laackgka.exe (depth 40)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Lpddgd32.exe, command line: C:\Windows\system32\Lpddgd32.exe (depth 41)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Windows\SysWOW64\Lhklha32.exe, command line: C:\Windows\system32\Lhklha32.exe (depth 42)
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ljjhdm32.exe, command line: C:\Windows\system32\Ljjhdm32.exe (depth 43)
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Limhpihl.exe, command line: C:\Windows\system32\Limhpihl.exe (depth 44)
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Mcbmmbhb.exe, command line: C:\Windows\system32\Mcbmmbhb.exe (depth 45)
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Mbemho32.exe, command line: C:\Windows\system32\Mbemho32.exe (depth 46)
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Mfqiingf.exe, command line: C:\Windows\system32\Mfqiingf.exe (depth 47)
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Mjlejl32.exe, command line: C:\Windows\system32\Mjlejl32.exe (depth 48)
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Mioeeifi.exe, command line: C:\Windows\system32\Mioeeifi.exe (depth 49)
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Mlmaad32.exe, command line: C:\Windows\system32\Mlmaad32.exe (depth 50)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Mddibb32.exe, command line: C:\Windows\system32\Mddibb32.exe (depth 51)
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Mfceom32.exe, command line: C:\Windows\system32\Mfceom32.exe (depth 52)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Meffjjln.exe, command line: C:\Windows\system32\Meffjjln.exe (depth 53)
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Mmmnkglp.exe, command line: C:\Windows\system32\Mmmnkglp.exe (depth 54)
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Mpkjgckc.exe, command line: C:\Windows\system32\Mpkjgckc.exe (depth 55)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Mbjfcnkg.exe, command line: C:\Windows\system32\Mbjfcnkg.exe (depth 56)
- Executes dropped EXE
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Mfebdm32.exe, command line: C:\Windows\system32\Mfebdm32.exe (depth 57)
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Midnqh32.exe, command line: C:\Windows\system32\Midnqh32.exe (depth 58)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Mhfoleio.exe, command line: C:\Windows\system32\Mhfoleio.exe (depth 59)
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Mpngmb32.exe, command line: C:\Windows\system32\Mpngmb32.exe (depth 60)
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Moqgiopk.exe, command line: C:\Windows\system32\Moqgiopk.exe (depth 61)
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Maocekoo.exe, command line: C:\Windows\system32\Maocekoo.exe (depth 62)
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Mifkfhpa.exe, command line: C:\Windows\system32\Mifkfhpa.exe (depth 63)
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Mldgbcoe.exe, command line: C:\Windows\system32\Mldgbcoe.exe (depth 64)
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Moccnoni.exe, command line: C:\Windows\system32\Moccnoni.exe (depth 65)
- Executes dropped EXE
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Maapjjml.exe, command line: C:\Windows\system32\Maapjjml.exe (depth 66)
PID:1196
-
C:\Windows\SysWOW64\Memlki32.exe, command line: C:\Windows\system32\Memlki32.exe (depth 67)
PID:1628
-
C:\Windows\SysWOW64\Mdplfflp.exe, command line: C:\Windows\system32\Mdplfflp.exe (depth 68)
PID:1108
-
C:\Windows\SysWOW64\Mlgdhcmb.exe, command line: C:\Windows\system32\Mlgdhcmb.exe (depth 69)
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Nkjdcp32.exe, command line: C:\Windows\system32\Nkjdcp32.exe (depth 70)
PID:2344
-
C:\Windows\SysWOW64\Noepdo32.exe, command line: C:\Windows\system32\Noepdo32.exe (depth 71)
PID:2816
-
C:\Windows\SysWOW64\Nacmpj32.exe, command line: C:\Windows\system32\Nacmpj32.exe (depth 72)
PID:2924
-
C:\Windows\SysWOW64\Neohqicc.exe, command line: C:\Windows\system32\Neohqicc.exe (depth 73)
PID:908
-
C:\Windows\SysWOW64\Nhnemdbf.exe, command line: C:\Windows\system32\Nhnemdbf.exe (depth 74)
PID:1948
-
C:\Windows\SysWOW64\Nklaipbj.exe, command line: C:\Windows\system32\Nklaipbj.exe (depth 75)
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Nogmin32.exe, command line: C:\Windows\system32\Nogmin32.exe (depth 76)
PID:712
-
C:\Windows\SysWOW64\Nmjmekan.exe, command line: C:\Windows\system32\Nmjmekan.exe (depth 77)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Npiiafpa.exe, command line: C:\Windows\system32\Npiiafpa.exe (depth 78)
PID:2912
-
C:\Windows\SysWOW64\Nddeae32.exe, command line: C:\Windows\system32\Nddeae32.exe (depth 79)
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Nhpabdqd.exe, command line: C:\Windows\system32\Nhpabdqd.exe (depth 80)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Nknnnoph.exe, command line: C:\Windows\system32\Nknnnoph.exe (depth 81)
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Nianjl32.exe, command line: C:\Windows\system32\Nianjl32.exe (depth 82)
PID:1820
-
C:\Windows\SysWOW64\Nmmjjk32.exe, command line: C:\Windows\system32\Nmmjjk32.exe (depth 83)
PID:1376
-
C:\Windows\SysWOW64\Nahfkigd.exe, command line: C:\Windows\system32\Nahfkigd.exe (depth 84)
- Modifies registry class
PID:308 -
C:\Windows\SysWOW64\Ndgbgefh.exe, command line: C:\Windows\system32\Ndgbgefh.exe (depth 85)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Ncjbba32.exe, command line: C:\Windows\system32\Ncjbba32.exe (depth 86)
PID:1528
-
C:\Windows\SysWOW64\Ngencpel.exe, command line: C:\Windows\system32\Ngencpel.exe (depth 87)
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Nkqjdo32.exe, command line: C:\Windows\system32\Nkqjdo32.exe (depth 88)
PID:2096
-
C:\Windows\SysWOW64\Nickoldp.exe, command line: C:\Windows\system32\Nickoldp.exe (depth 89)
PID:2696
-
C:\Windows\SysWOW64\Nlbgkgcc.exe, command line: C:\Windows\system32\Nlbgkgcc.exe (depth 90)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Npnclf32.exe, command line: C:\Windows\system32\Npnclf32.exe (depth 91)
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Ncloha32.exe, command line: C:\Windows\system32\Ncloha32.exe (depth 92)
PID:2324
-
C:\Windows\SysWOW64\Npppaejj.exe, command line: C:\Windows\system32\Npppaejj.exe (depth 93)
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Nobpmb32.exe, command line: C:\Windows\system32\Nobpmb32.exe (depth 94)
PID:1808
-
C:\Windows\SysWOW64\Ncnlnaim.exe, command line: C:\Windows\system32\Ncnlnaim.exe (depth 95)
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Oemhjlha.exe, command line: C:\Windows\system32\Oemhjlha.exe (depth 96)
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Oihdjk32.exe, command line: C:\Windows\system32\Oihdjk32.exe (depth 97)
PID:2632
-
C:\Windows\SysWOW64\Olgpff32.exe, command line: C:\Windows\system32\Olgpff32.exe (depth 98)
PID:1680
-
C:\Windows\SysWOW64\Ocqhcqgk.exe, command line: C:\Windows\system32\Ocqhcqgk.exe (depth 99)
- System Location Discovery: System Language Discovery
PID:608 -
C:\Windows\SysWOW64\Oaciom32.exe, command line: C:\Windows\system32\Oaciom32.exe (depth 100)
PID:2400
-
C:\Windows\SysWOW64\Oikapk32.exe, command line: C:\Windows\system32\Oikapk32.exe (depth 101)
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Ohmalgeb.exe, command line: C:\Windows\system32\Ohmalgeb.exe (depth 102)
PID:1712
-
C:\Windows\SysWOW64\Olimlf32.exe, command line: C:\Windows\system32\Olimlf32.exe (depth 103)
- Drops file in System32 directory
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Oklmhcdf.exe, command line: C:\Windows\system32\Oklmhcdf.exe (depth 104)
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Occeip32.exe, command line: C:\Windows\system32\Occeip32.exe (depth 105)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Oafedmlb.exe, command line: C:\Windows\system32\Oafedmlb.exe (depth 106)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Oeaael32.exe, command line: C:\Windows\system32\Oeaael32.exe (depth 107)
PID:2432
-
C:\Windows\SysWOW64\Ohpnag32.exe, command line: C:\Windows\system32\Ohpnag32.exe (depth 108)
PID:2900
-
C:\Windows\SysWOW64\Olkjaflh.exe, command line: C:\Windows\system32\Olkjaflh.exe (depth 109)
PID:324
-
C:\Windows\SysWOW64\Onmfin32.exe, command line: C:\Windows\system32\Onmfin32.exe (depth 110)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Odfofhic.exe, command line: C:\Windows\system32\Odfofhic.exe (depth 111)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Ogekbchg.exe, command line: C:\Windows\system32\Ogekbchg.exe (depth 112)
PID:1356
-
C:\Windows\SysWOW64\Okqgcb32.exe, command line: C:\Windows\system32\Okqgcb32.exe (depth 113)
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Oolbcaij.exe, command line: C:\Windows\system32\Oolbcaij.exe (depth 114)
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Oajopl32.exe, command line: C:\Windows\system32\Oajopl32.exe (depth 115)
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Odiklh32.exe, command line: C:\Windows\system32\Odiklh32.exe (depth 116)
PID:2736
-
C:\Windows\SysWOW64\Oggghc32.exe, command line: C:\Windows\system32\Oggghc32.exe (depth 117)
PID:828
-
C:\Windows\SysWOW64\Okcchbnn.exe, command line: C:\Windows\system32\Okcchbnn.exe (depth 118)
PID:2180
-
C:\Windows\SysWOW64\Ojfcdo32.exe, command line: C:\Windows\system32\Ojfcdo32.exe (depth 119)
PID:972
-
C:\Windows\SysWOW64\Pamlel32.exe, command line: C:\Windows\system32\Pamlel32.exe (depth 120)
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Pamlel32.exe, command line: C:\Windows\system32\Pamlel32.exe (depth 121)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1552 -
C:\Windows\SysWOW64\Pqplqile.exe, command line: C:\Windows\system32\Pqplqile.exe (depth 122)
- Drops file in System32 directory
PID:1620