Analysis
-
max time kernel
118s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 13:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5cbfed8b434981395fcd1dd1933aa520N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
5cbfed8b434981395fcd1dd1933aa520N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
5cbfed8b434981395fcd1dd1933aa520N.exe
-
Size
280KB
-
MD5
5cbfed8b434981395fcd1dd1933aa520
-
SHA1
b10870ddb61e83b205e1009b1c0c4780eaacd107
-
SHA256
41e95f2be344d3dcfddeee2acd4d487ee7b9e25b3b154e136b41c9a589106bc6
-
SHA512
ddac30999ef3e37b92aff98a0e7c4e0440c2edb87e8433bb9ce78e5ef18c29aedc00e68e9e2b6ba5a78a168199f6e6a79a64b734ad75c3cd2edaae67eb2798f8
-
SSDEEP
3072:ZgZ8TGSFXcM+qnpKeL34hZK7xVG9Btj676ZBI:ZlTZFfDoeL3qZo4tjS6Y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pabncj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhgidjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhckloge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhakecld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhfdqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nanhihno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migdig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdqfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpjeknfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioaobjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jndhddaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kheofahm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnkpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjgbmoda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdoocdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaqhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kheofahm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpdfemkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcblgbfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmmjjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfadcemm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmgjee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcqebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkobgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodnfbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddhekfeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnfmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caccnllf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkbpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjkpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmmcgha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niqgof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omgfdhbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aijfihip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akphfbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akbelbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efkbdbai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankhmncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epipql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjhgidjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjkpng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgfpbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miiaogio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmokioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpjeknfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhckloge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miiaogio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idbgbahq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfjfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnijnjbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgogla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnlnaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjpkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkplgoop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbqgolpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgeahoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilhlan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aodnfbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckndmaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcgik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llbnnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocqhcqgk.exe -
Executes dropped EXE 64 IoCs
pid Process 2976 Idbgbahq.exe 2712 Ialadj32.exe 2904 Jdmjfe32.exe 2732 Jqhdfe32.exe 2444 Kfjfik32.exe 2312 Kbqgolpf.exe 2376 Lpiacp32.exe 1120 Llbnnq32.exe 1496 Limhpihl.exe 2624 Mioeeifi.exe 2520 Mejoei32.exe 520 Mbopon32.exe 2168 Nafiej32.exe 2340 Nmmjjk32.exe 2068 Ncnlnaim.exe 2196 Ocqhcqgk.exe 1600 Oqmokioh.exe 1476 Pamlel32.exe 1768 Pcqebd32.exe 2024 Pmiikipg.exe 2932 Pibgfjdh.exe 1692 Abaaoodq.exe 1280 Amkbpm32.exe 2944 Afcghbgp.exe 1688 Amplklmj.exe 1936 Bleilh32.exe 1516 Blgeahoo.exe 2660 Bebfpm32.exe 2564 Befpkmph.exe 2584 Camqpnel.exe 2560 Cdqfgh32.exe 1636 Cllkkk32.exe 2388 Cpidai32.exe 1980 Dndndbnl.exe 736 Dpdfemkm.exe 2748 Epipql32.exe 1260 Elpqemll.exe 1708 Elbmkm32.exe 2320 Efkbdbai.exe 2740 Ebdoocdk.exe 1648 Fgqhgjbb.exe 1388 Fdehpn32.exe 2460 Fjaqhe32.exe 1776 Fcjeakfd.exe 2404 Fclbgj32.exe 1356 Fmdfppkb.exe 2028 Fjhgidjk.exe 1304 Gmipko32.exe 2308 Gfadcemm.exe 1572 Gbheif32.exe 2184 Glaiak32.exe 2152 Ghgjflof.exe 2836 Gapoob32.exe 928 Hmgodc32.exe 2372 Hjkpng32.exe 2920 Hjmmcgha.exe 2860 Hpjeknfi.exe 2988 Hmneebeb.exe 580 Hffjng32.exe 1644 Hmpbja32.exe 1364 Ioaobjin.exe 1344 Iockhigl.exe 1908 Ilhlan32.exe 1508 Iainddpg.exe -
Loads dropped DLL 64 IoCs
pid Process 1292 5cbfed8b434981395fcd1dd1933aa520N.exe 1292 5cbfed8b434981395fcd1dd1933aa520N.exe 2976 Idbgbahq.exe 2976 Idbgbahq.exe 2712 Ialadj32.exe 2712 Ialadj32.exe 2904 Jdmjfe32.exe 2904 Jdmjfe32.exe 2732 Jqhdfe32.exe 2732 Jqhdfe32.exe 2444 Kfjfik32.exe 2444 Kfjfik32.exe 2312 Kbqgolpf.exe 2312 Kbqgolpf.exe 2376 Lpiacp32.exe 2376 Lpiacp32.exe 1120 Llbnnq32.exe 1120 Llbnnq32.exe 1496 Limhpihl.exe 1496 Limhpihl.exe 2624 Mioeeifi.exe 2624 Mioeeifi.exe 2520 Mejoei32.exe 2520 Mejoei32.exe 520 Mbopon32.exe 520 Mbopon32.exe 2168 Nafiej32.exe 2168 Nafiej32.exe 2340 Nmmjjk32.exe 2340 Nmmjjk32.exe 2068 Ncnlnaim.exe 2068 Ncnlnaim.exe 2196 Ocqhcqgk.exe 2196 Ocqhcqgk.exe 1600 Oqmokioh.exe 1600 Oqmokioh.exe 1476 Pamlel32.exe 1476 Pamlel32.exe 1768 Pcqebd32.exe 1768 Pcqebd32.exe 2024 Pmiikipg.exe 2024 Pmiikipg.exe 2932 Pibgfjdh.exe 2932 Pibgfjdh.exe 1692 Abaaoodq.exe 1692 Abaaoodq.exe 1280 Amkbpm32.exe 1280 Amkbpm32.exe 2944 Afcghbgp.exe 2944 Afcghbgp.exe 1688 Amplklmj.exe 1688 Amplklmj.exe 1936 Bleilh32.exe 1936 Bleilh32.exe 1516 Blgeahoo.exe 1516 Blgeahoo.exe 2660 Bebfpm32.exe 2660 Bebfpm32.exe 2564 Befpkmph.exe 2564 Befpkmph.exe 2584 Camqpnel.exe 2584 Camqpnel.exe 2560 Cdqfgh32.exe 2560 Cdqfgh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mejoei32.exe Mioeeifi.exe File opened for modification C:\Windows\SysWOW64\Afcghbgp.exe Amkbpm32.exe File opened for modification C:\Windows\SysWOW64\Lmnkpc32.exe Lfdbcing.exe File opened for modification C:\Windows\SysWOW64\Oheppe32.exe Ocihgo32.exe File created C:\Windows\SysWOW64\Nqhblj32.dll Oheppe32.exe File created C:\Windows\SysWOW64\Qkgjae32.dll Hmpbja32.exe File opened for modification C:\Windows\SysWOW64\Kdgfpbaf.exe Jkobgm32.exe File opened for modification C:\Windows\SysWOW64\Mnijnjbh.exe Laeidfdn.exe File created C:\Windows\SysWOW64\Mlfibh32.dll Aijfihip.exe File created C:\Windows\SysWOW64\Blgeahoo.exe Bleilh32.exe File opened for modification C:\Windows\SysWOW64\Ilhlan32.exe Iockhigl.exe File created C:\Windows\SysWOW64\Mcicjgkh.dll Kdlpkb32.exe File created C:\Windows\SysWOW64\Hgeahj32.dll Qqldpfmh.exe File created C:\Windows\SysWOW64\Polhjf32.dll Akphfbbl.exe File created C:\Windows\SysWOW64\Jmdieknp.dll Afcghbgp.exe File created C:\Windows\SysWOW64\Bleilh32.exe Amplklmj.exe File created C:\Windows\SysWOW64\Gfadcemm.exe Gmipko32.exe File created C:\Windows\SysWOW64\Fphepgbl.dll Hmneebeb.exe File created C:\Windows\SysWOW64\Jcoimalh.dll Aodnfbpm.exe File created C:\Windows\SysWOW64\Pcqebd32.exe Pamlel32.exe File created C:\Windows\SysWOW64\Glaiak32.exe Gbheif32.exe File created C:\Windows\SysWOW64\Imgmggec.dll Jkobgm32.exe File created C:\Windows\SysWOW64\Lfdbcing.exe Kninog32.exe File created C:\Windows\SysWOW64\Gcjajedk.dll Nmmjjk32.exe File opened for modification C:\Windows\SysWOW64\Dpdfemkm.exe Dndndbnl.exe File created C:\Windows\SysWOW64\Ajkhhfhl.dll Jcaqmkpn.exe File created C:\Windows\SysWOW64\Nanhihno.exe Nhfdqb32.exe File created C:\Windows\SysWOW64\Pkplgoop.exe Pnllnk32.exe File created C:\Windows\SysWOW64\Pnllnk32.exe Phocfd32.exe File opened for modification C:\Windows\SysWOW64\Pabncj32.exe Plffkc32.exe File created C:\Windows\SysWOW64\Dlkqpg32.exe Dcblgbfe.exe File opened for modification C:\Windows\SysWOW64\Abaaoodq.exe Pibgfjdh.exe File opened for modification C:\Windows\SysWOW64\Fjhgidjk.exe Fmdfppkb.exe File opened for modification C:\Windows\SysWOW64\Glaiak32.exe Gbheif32.exe File created C:\Windows\SysWOW64\Dblangpk.dll Iainddpg.exe File created C:\Windows\SysWOW64\Qcpnob32.dll Panehkaj.exe File created C:\Windows\SysWOW64\Odckfb32.exe Okkfmmqj.exe File opened for modification C:\Windows\SysWOW64\Idbgbahq.exe 5cbfed8b434981395fcd1dd1933aa520N.exe File opened for modification C:\Windows\SysWOW64\Kbqgolpf.exe Kfjfik32.exe File opened for modification C:\Windows\SysWOW64\Befpkmph.exe Bebfpm32.exe File created C:\Windows\SysWOW64\Acbdcjgi.dll Gfadcemm.exe File created C:\Windows\SysWOW64\Hmneebeb.exe Hpjeknfi.exe File opened for modification C:\Windows\SysWOW64\Panehkaj.exe Oheppe32.exe File opened for modification C:\Windows\SysWOW64\Pniohk32.exe Pgogla32.exe File opened for modification C:\Windows\SysWOW64\Dijgnm32.exe Dcpoab32.exe File opened for modification C:\Windows\SysWOW64\Blgeahoo.exe Bleilh32.exe File opened for modification C:\Windows\SysWOW64\Fcjeakfd.exe Fjaqhe32.exe File created C:\Windows\SysWOW64\Glgpghnp.dll Cpidai32.exe File created C:\Windows\SysWOW64\Mloecb32.dll Pmiikipg.exe File created C:\Windows\SysWOW64\Elbmkm32.exe Elpqemll.exe File opened for modification C:\Windows\SysWOW64\Gapoob32.exe Ghgjflof.exe File created C:\Windows\SysWOW64\Ckkika32.dll Elbmkm32.exe File opened for modification C:\Windows\SysWOW64\Hffjng32.exe Hmneebeb.exe File created C:\Windows\SysWOW64\Dlhlca32.dll Dmcgik32.exe File created C:\Windows\SysWOW64\Akbelbpi.exe Abiqcm32.exe File created C:\Windows\SysWOW64\Kfjfik32.exe Jqhdfe32.exe File created C:\Windows\SysWOW64\Gmipko32.exe Fjhgidjk.exe File created C:\Windows\SysWOW64\Dmlibo32.dll Niqgof32.exe File created C:\Windows\SysWOW64\Nhmiqo32.dll Nhfdqb32.exe File created C:\Windows\SysWOW64\Abgqlf32.dll Ankhmncb.exe File created C:\Windows\SysWOW64\Agefobee.dll Pniohk32.exe File created C:\Windows\SysWOW64\Chkoef32.exe Cbnfmo32.exe File created C:\Windows\SysWOW64\Gmqlkcao.dll Dndndbnl.exe File created C:\Windows\SysWOW64\Gobdgmhm.dll Ckndmaad.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 540 1988 WerFault.exe 172 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcblgbfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eceimadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idbgbahq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmnkpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pniohk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oipcnieb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cligkdlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bleilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpoppadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niqgof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abiqcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbnfmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmneebeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajibckpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkobgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miiaogio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoakckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocihgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgogla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndndbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epipql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkpng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamlel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panehkaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfimhmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkoef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camqpnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpbja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpkbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbkgig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgfdhbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodnfbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhgidjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaqmkpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdgfpbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocqhcqgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbheif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbelbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpjeknfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdlpkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngaig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngkaaolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plffkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amplklmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpidai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdoocdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkqpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmjfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcqebd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdoci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqmokioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfadcemm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iainddpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migdig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pobeao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfjfik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgeahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilhlan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmhfpkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqoaefke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkbqfcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abaaoodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcjeakfd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcjeakfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbkchj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nanhihno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiohpojo.dll" Cdqfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laeidfdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akbelbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chkoef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmiikipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjaqc32.dll" Epipql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebdoocdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmodmbk.dll" Kbqgolpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhfdqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akphfbbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aijfihip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjgbmoda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idbgbahq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpcdjii.dll" Pibgfjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kheofahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klpmek32.dll" Fgqhgjbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhakecld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeahj32.dll" Qqldpfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankhmncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kngaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinjj32.dll" Ajibckpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gegknghg.dll" Befpkmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Camqpnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnbagpd.dll" Fjaqhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaqehcbj.dll" Jcdmbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ialadj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcfepmgj.dll" Amkbpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bleilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjkpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfbimjl.dll" Pgogla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhakecld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoimalh.dll" Aodnfbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abiqcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmcgik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipanan32.dll" Blgeahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpcmlnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Migdig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 5cbfed8b434981395fcd1dd1933aa520N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmmjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndndbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmdfppkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcqoqi32.dll" Hffjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgabfa32.dll" Mnijnjbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcpoab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedqakci.dll" Akbelbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqhdfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncnlnaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpcei32.dll" Pcqebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgckc32.dll" Iockhigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikkoh32.dll" Odoakckp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aodnfbpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmneebeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajibckpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifoem32.dll" Dcblgbfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mejoei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcdifkdm.dll" Ebdoocdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jikljfbm.dll" Fcjeakfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfoikga.dll" Fjhgidjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfimhmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nafiej32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1292 wrote to memory of 2976 1292 5cbfed8b434981395fcd1dd1933aa520N.exe 30 PID 1292 wrote to memory of 2976 1292 5cbfed8b434981395fcd1dd1933aa520N.exe 30 PID 1292 wrote to memory of 2976 1292 5cbfed8b434981395fcd1dd1933aa520N.exe 30 PID 1292 wrote to memory of 2976 1292 5cbfed8b434981395fcd1dd1933aa520N.exe 30 PID 2976 wrote to memory of 2712 2976 Idbgbahq.exe 31 PID 2976 wrote to memory of 2712 2976 Idbgbahq.exe 31 PID 2976 wrote to memory of 2712 2976 Idbgbahq.exe 31 PID 2976 wrote to memory of 2712 2976 Idbgbahq.exe 31 PID 2712 wrote to memory of 2904 2712 Ialadj32.exe 32 PID 2712 wrote to memory of 2904 2712 Ialadj32.exe 32 PID 2712 wrote to memory of 2904 2712 Ialadj32.exe 32 PID 2712 wrote to memory of 2904 2712 Ialadj32.exe 32 PID 2904 wrote to memory of 2732 2904 Jdmjfe32.exe 33 PID 2904 wrote to memory of 2732 2904 Jdmjfe32.exe 33 PID 2904 wrote to memory of 2732 2904 Jdmjfe32.exe 33 PID 2904 wrote to memory of 2732 2904 Jdmjfe32.exe 33 PID 2732 wrote to memory of 2444 2732 Jqhdfe32.exe 34 PID 2732 wrote to memory of 2444 2732 Jqhdfe32.exe 34 PID 2732 wrote to memory of 2444 2732 Jqhdfe32.exe 34 PID 2732 wrote to memory of 2444 2732 Jqhdfe32.exe 34 PID 2444 wrote to memory of 2312 2444 Kfjfik32.exe 35 PID 2444 wrote to memory of 2312 2444 Kfjfik32.exe 35 PID 2444 wrote to memory of 2312 2444 Kfjfik32.exe 35 PID 2444 wrote to memory of 2312 2444 Kfjfik32.exe 35 PID 2312 wrote to memory of 2376 2312 Kbqgolpf.exe 36 PID 2312 wrote to memory of 2376 2312 Kbqgolpf.exe 36 PID 2312 wrote to memory of 2376 2312 Kbqgolpf.exe 36 PID 2312 wrote to memory of 2376 2312 Kbqgolpf.exe 36 PID 2376 wrote to memory of 1120 2376 Lpiacp32.exe 37 PID 2376 wrote to memory of 1120 2376 Lpiacp32.exe 37 PID 2376 wrote to memory of 1120 2376 Lpiacp32.exe 37 PID 2376 wrote to memory of 1120 2376 Lpiacp32.exe 37 PID 1120 wrote to memory of 1496 1120 Llbnnq32.exe 38 PID 1120 wrote to memory of 1496 1120 Llbnnq32.exe 38 PID 1120 wrote to memory of 1496 1120 Llbnnq32.exe 38 PID 1120 wrote to memory of 1496 1120 Llbnnq32.exe 38 PID 1496 wrote to memory of 2624 1496 Limhpihl.exe 39 PID 1496 wrote to memory of 2624 1496 Limhpihl.exe 39 PID 1496 wrote to memory of 2624 1496 Limhpihl.exe 39 PID 1496 wrote to memory of 2624 1496 Limhpihl.exe 39 PID 2624 wrote to memory of 2520 2624 Mioeeifi.exe 40 PID 2624 wrote to memory of 2520 2624 Mioeeifi.exe 40 PID 2624 wrote to memory of 2520 2624 Mioeeifi.exe 40 PID 2624 wrote to memory of 2520 2624 Mioeeifi.exe 40 PID 2520 wrote to memory of 520 2520 Mejoei32.exe 41 PID 2520 wrote to memory of 520 2520 Mejoei32.exe 41 PID 2520 wrote to memory of 520 2520 Mejoei32.exe 41 PID 2520 wrote to memory of 520 2520 Mejoei32.exe 41 PID 520 wrote to memory of 2168 520 Mbopon32.exe 42 PID 520 wrote to memory of 2168 520 Mbopon32.exe 42 PID 520 wrote to memory of 2168 520 Mbopon32.exe 42 PID 520 wrote to memory of 2168 520 Mbopon32.exe 42 PID 2168 wrote to memory of 2340 2168 Nafiej32.exe 43 PID 2168 wrote to memory of 2340 2168 Nafiej32.exe 43 PID 2168 wrote to memory of 2340 2168 Nafiej32.exe 43 PID 2168 wrote to memory of 2340 2168 Nafiej32.exe 43 PID 2340 wrote to memory of 2068 2340 Nmmjjk32.exe 44 PID 2340 wrote to memory of 2068 2340 Nmmjjk32.exe 44 PID 2340 wrote to memory of 2068 2340 Nmmjjk32.exe 44 PID 2340 wrote to memory of 2068 2340 Nmmjjk32.exe 44 PID 2068 wrote to memory of 2196 2068 Ncnlnaim.exe 45 PID 2068 wrote to memory of 2196 2068 Ncnlnaim.exe 45 PID 2068 wrote to memory of 2196 2068 Ncnlnaim.exe 45 PID 2068 wrote to memory of 2196 2068 Ncnlnaim.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cbfed8b434981395fcd1dd1933aa520N.exe"C:\Users\Admin\AppData\Local\Temp\5cbfed8b434981395fcd1dd1933aa520N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Idbgbahq.exeC:\Windows\system32\Idbgbahq.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Ialadj32.exeC:\Windows\system32\Ialadj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Jdmjfe32.exeC:\Windows\system32\Jdmjfe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Jqhdfe32.exeC:\Windows\system32\Jqhdfe32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Kfjfik32.exeC:\Windows\system32\Kfjfik32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Kbqgolpf.exeC:\Windows\system32\Kbqgolpf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Lpiacp32.exeC:\Windows\system32\Lpiacp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Llbnnq32.exeC:\Windows\system32\Llbnnq32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Limhpihl.exeC:\Windows\system32\Limhpihl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Mioeeifi.exeC:\Windows\system32\Mioeeifi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Mejoei32.exeC:\Windows\system32\Mejoei32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Mbopon32.exeC:\Windows\system32\Mbopon32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\Nafiej32.exeC:\Windows\system32\Nafiej32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Nmmjjk32.exeC:\Windows\system32\Nmmjjk32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Ncnlnaim.exeC:\Windows\system32\Ncnlnaim.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Ocqhcqgk.exeC:\Windows\system32\Ocqhcqgk.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\Oqmokioh.exeC:\Windows\system32\Oqmokioh.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Pamlel32.exeC:\Windows\system32\Pamlel32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Pcqebd32.exeC:\Windows\system32\Pcqebd32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Pmiikipg.exeC:\Windows\system32\Pmiikipg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Pibgfjdh.exeC:\Windows\system32\Pibgfjdh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Abaaoodq.exeC:\Windows\system32\Abaaoodq.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Amkbpm32.exeC:\Windows\system32\Amkbpm32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Afcghbgp.exeC:\Windows\system32\Afcghbgp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Amplklmj.exeC:\Windows\system32\Amplklmj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Bleilh32.exeC:\Windows\system32\Bleilh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Blgeahoo.exeC:\Windows\system32\Blgeahoo.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Bebfpm32.exeC:\Windows\system32\Bebfpm32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Befpkmph.exeC:\Windows\system32\Befpkmph.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Camqpnel.exeC:\Windows\system32\Camqpnel.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Cdqfgh32.exeC:\Windows\system32\Cdqfgh32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Cllkkk32.exeC:\Windows\system32\Cllkkk32.exe33⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Dndndbnl.exeC:\Windows\system32\Dndndbnl.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Dpdfemkm.exeC:\Windows\system32\Dpdfemkm.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Epipql32.exeC:\Windows\system32\Epipql32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Elbmkm32.exeC:\Windows\system32\Elbmkm32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Efkbdbai.exeC:\Windows\system32\Efkbdbai.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Ebdoocdk.exeC:\Windows\system32\Ebdoocdk.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Fgqhgjbb.exeC:\Windows\system32\Fgqhgjbb.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Fdehpn32.exeC:\Windows\system32\Fdehpn32.exe43⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Fjaqhe32.exeC:\Windows\system32\Fjaqhe32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Fcjeakfd.exeC:\Windows\system32\Fcjeakfd.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe46⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Fjhgidjk.exeC:\Windows\system32\Fjhgidjk.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Gmipko32.exeC:\Windows\system32\Gmipko32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2308 -
C:\Windows\SysWOW64\Gbheif32.exeC:\Windows\system32\Gbheif32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Glaiak32.exeC:\Windows\system32\Glaiak32.exe52⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ghgjflof.exeC:\Windows\system32\Ghgjflof.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe54⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Hmgodc32.exeC:\Windows\system32\Hmgodc32.exe55⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Hjmmcgha.exeC:\Windows\system32\Hjmmcgha.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Hpjeknfi.exeC:\Windows\system32\Hpjeknfi.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Hmneebeb.exeC:\Windows\system32\Hmneebeb.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Hmpbja32.exeC:\Windows\system32\Hmpbja32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Ioaobjin.exeC:\Windows\system32\Ioaobjin.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Iockhigl.exeC:\Windows\system32\Iockhigl.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Ilhlan32.exeC:\Windows\system32\Ilhlan32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Jndhddaf.exeC:\Windows\system32\Jndhddaf.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1672 -
C:\Windows\SysWOW64\Jcaqmkpn.exeC:\Windows\system32\Jcaqmkpn.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Jcdmbk32.exeC:\Windows\system32\Jcdmbk32.exe69⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Jkobgm32.exeC:\Windows\system32\Jkobgm32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Kbkgig32.exeC:\Windows\system32\Kbkgig32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Kheofahm.exeC:\Windows\system32\Kheofahm.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Kdlpkb32.exeC:\Windows\system32\Kdlpkb32.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe75⤵PID:1784
-
C:\Windows\SysWOW64\Kngaig32.exeC:\Windows\system32\Kngaig32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Kninog32.exeC:\Windows\system32\Kninog32.exe77⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Lfdbcing.exeC:\Windows\system32\Lfdbcing.exe78⤵
- Drops file in System32 directory
PID:924 -
C:\Windows\SysWOW64\Lmnkpc32.exeC:\Windows\system32\Lmnkpc32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Lbkchj32.exeC:\Windows\system32\Lbkchj32.exe80⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Loocanbe.exeC:\Windows\system32\Loocanbe.exe81⤵PID:1100
-
C:\Windows\SysWOW64\Lelljepm.exeC:\Windows\system32\Lelljepm.exe82⤵PID:1472
-
C:\Windows\SysWOW64\Lkfdfo32.exeC:\Windows\system32\Lkfdfo32.exe83⤵PID:824
-
C:\Windows\SysWOW64\Lpcmlnnp.exeC:\Windows\system32\Lpcmlnnp.exe84⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Mnijnjbh.exeC:\Windows\system32\Mnijnjbh.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Mjpkbk32.exeC:\Windows\system32\Mjpkbk32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Mhckloge.exeC:\Windows\system32\Mhckloge.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe89⤵
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Migdig32.exeC:\Windows\system32\Migdig32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Mdmhfpkg.exeC:\Windows\system32\Mdmhfpkg.exe91⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Miiaogio.exeC:\Windows\system32\Miiaogio.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Nmgjee32.exeC:\Windows\system32\Nmgjee32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Nfpnnk32.exeC:\Windows\system32\Nfpnnk32.exe94⤵PID:2344
-
C:\Windows\SysWOW64\Nhakecld.exeC:\Windows\system32\Nhakecld.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Niqgof32.exeC:\Windows\system32\Niqgof32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Nhfdqb32.exeC:\Windows\system32\Nhfdqb32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Nanhihno.exeC:\Windows\system32\Nanhihno.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Ngkaaolf.exeC:\Windows\system32\Ngkaaolf.exe99⤵
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Odoakckp.exeC:\Windows\system32\Odoakckp.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Omgfdhbq.exeC:\Windows\system32\Omgfdhbq.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Okkfmmqj.exeC:\Windows\system32\Okkfmmqj.exe102⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Odckfb32.exeC:\Windows\system32\Odckfb32.exe103⤵PID:2268
-
C:\Windows\SysWOW64\Oipcnieb.exeC:\Windows\system32\Oipcnieb.exe104⤵
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Ocihgo32.exeC:\Windows\system32\Ocihgo32.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Oheppe32.exeC:\Windows\system32\Oheppe32.exe106⤵
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Panehkaj.exeC:\Windows\system32\Panehkaj.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:308 -
C:\Windows\SysWOW64\Pobeao32.exeC:\Windows\system32\Pobeao32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Plffkc32.exeC:\Windows\system32\Plffkc32.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:788 -
C:\Windows\SysWOW64\Pabncj32.exeC:\Windows\system32\Pabncj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1480 -
C:\Windows\SysWOW64\Pgogla32.exeC:\Windows\system32\Pgogla32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Pniohk32.exeC:\Windows\system32\Pniohk32.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1836 -
C:\Windows\SysWOW64\Phocfd32.exeC:\Windows\system32\Phocfd32.exe113⤵
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Pnllnk32.exeC:\Windows\system32\Pnllnk32.exe114⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Pkplgoop.exeC:\Windows\system32\Pkplgoop.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1300 -
C:\Windows\SysWOW64\Qqldpfmh.exeC:\Windows\system32\Qqldpfmh.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Qfimhmlo.exeC:\Windows\system32\Qfimhmlo.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Qqoaefke.exeC:\Windows\system32\Qqoaefke.exe118⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Aijfihip.exeC:\Windows\system32\Aijfihip.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Aodnfbpm.exeC:\Windows\system32\Aodnfbpm.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Ajibckpc.exeC:\Windows\system32\Ajibckpc.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2040
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-