Analysis
-
max time kernel
118s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
03/09/2024, 02:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f7c18c49e65443eedb6d2b87d5600b00N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f7c18c49e65443eedb6d2b87d5600b00N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f7c18c49e65443eedb6d2b87d5600b00N.exe
-
Size
96KB
-
MD5
f7c18c49e65443eedb6d2b87d5600b00
-
SHA1
cbec11844d4966183cdecf9c049aa7a6b0164022
-
SHA256
9c1c7a7f269d97bf938f9722b19c1c9e23d1758988306577d347b7568f4d32b7
-
SHA512
2e796641a90aea1ffaad93a4c599dc1d24264c2bd1a0fe89ca35c3666c8c5f3263d66a19f7b15df4fe209ac70062aef778ce98ef49483679ca4aa9e999543071
-
SSDEEP
1536:Drxsq2OORUMOlIx4OolgSglkKtr2Lwb7RZObZUUWaegPYA:6tsImO6gSg2KGoClUUWae
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lclnemgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnhnbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beejng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmneda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnmlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmclhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gljnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhjapjmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inkccpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgnak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haiccald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpjhkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqacic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdjkogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapebchh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okanklik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oappcfmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agfgqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnkbam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbomfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qflhbhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdadnkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpgfki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbngf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohaeia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pihgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkkmqnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbggjfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acpdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bonoflae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdklf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laegiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pomfkndo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kincipnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdifkpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aecaidjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkmkacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpgfki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhehek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ileiplhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mholen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbnoliap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocflgga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mabgcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhohda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnicmdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbbbffj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libicbma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlekia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baohhgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icjhagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkjfah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmcfhkc.exe -
Executes dropped EXE 64 IoCs
pid Process 2788 Fljafg32.exe 2844 Fnhnbb32.exe 3032 Fhqbkhch.exe 2600 Faigdn32.exe 2852 Gdgcpi32.exe 332 Gjakmc32.exe 1096 Gmpgio32.exe 1836 Gpncej32.exe 2652 Ghelfg32.exe 1672 Ganpomec.exe 1268 Gdllkhdg.exe 2828 Gbomfe32.exe 868 Giieco32.exe 2232 Gmdadnkh.exe 2280 Gdniqh32.exe 684 Gmgninie.exe 796 Gljnej32.exe 3052 Gfobbc32.exe 1552 Gebbnpfp.exe 1396 Ghqnjk32.exe 1376 Hpgfki32.exe 2444 Haiccald.exe 2972 Hipkdnmf.exe 2404 Hlngpjlj.exe 2812 Homclekn.exe 2612 Hakphqja.exe 2748 Hhehek32.exe 2580 Hmbpmapf.exe 2636 Heihnoph.exe 576 Hgjefg32.exe 1540 Hapicp32.exe 2180 Hdnepk32.exe 2212 Hhjapjmi.exe 2496 Hpefdl32.exe 2144 Iccbqh32.exe 2224 Iimjmbae.exe 300 Inifnq32.exe 1812 Icfofg32.exe 2292 Igakgfpn.exe 2420 Inkccpgk.exe 2164 Ilncom32.exe 1784 Iompkh32.exe 1000 Iefhhbef.exe 1296 Ijbdha32.exe 1352 Iheddndj.exe 1360 Ioolqh32.exe 2032 Icjhagdp.exe 2740 Iamimc32.exe 1636 Ieidmbcc.exe 1304 Ijdqna32.exe 2584 Ilcmjl32.exe 1660 Ikfmfi32.exe 1524 Iapebchh.exe 2880 Ifkacb32.exe 588 Idnaoohk.exe 1048 Ileiplhn.exe 1956 Jocflgga.exe 856 Jnffgd32.exe 1608 Jfnnha32.exe 2268 Jhljdm32.exe 2056 Jkjfah32.exe 1156 Jnicmdli.exe 700 Jbdonb32.exe 1568 Jdbkjn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2724 f7c18c49e65443eedb6d2b87d5600b00N.exe 2724 f7c18c49e65443eedb6d2b87d5600b00N.exe 2788 Fljafg32.exe 2788 Fljafg32.exe 2844 Fnhnbb32.exe 2844 Fnhnbb32.exe 3032 Fhqbkhch.exe 3032 Fhqbkhch.exe 2600 Faigdn32.exe 2600 Faigdn32.exe 2852 Gdgcpi32.exe 2852 Gdgcpi32.exe 332 Gjakmc32.exe 332 Gjakmc32.exe 1096 Gmpgio32.exe 1096 Gmpgio32.exe 1836 Gpncej32.exe 1836 Gpncej32.exe 2652 Ghelfg32.exe 2652 Ghelfg32.exe 1672 Ganpomec.exe 1672 Ganpomec.exe 1268 Gdllkhdg.exe 1268 Gdllkhdg.exe 2828 Gbomfe32.exe 2828 Gbomfe32.exe 868 Giieco32.exe 868 Giieco32.exe 2232 Gmdadnkh.exe 2232 Gmdadnkh.exe 2280 Gdniqh32.exe 2280 Gdniqh32.exe 684 Gmgninie.exe 684 Gmgninie.exe 796 Gljnej32.exe 796 Gljnej32.exe 3052 Gfobbc32.exe 3052 Gfobbc32.exe 1552 Gebbnpfp.exe 1552 Gebbnpfp.exe 1396 Ghqnjk32.exe 1396 Ghqnjk32.exe 1376 Hpgfki32.exe 1376 Hpgfki32.exe 2444 Haiccald.exe 2444 Haiccald.exe 2972 Hipkdnmf.exe 2972 Hipkdnmf.exe 2404 Hlngpjlj.exe 2404 Hlngpjlj.exe 2812 Homclekn.exe 2812 Homclekn.exe 2612 Hakphqja.exe 2612 Hakphqja.exe 2748 Hhehek32.exe 2748 Hhehek32.exe 2580 Hmbpmapf.exe 2580 Hmbpmapf.exe 2636 Heihnoph.exe 2636 Heihnoph.exe 576 Hgjefg32.exe 576 Hgjefg32.exe 1540 Hapicp32.exe 1540 Hapicp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pfdabino.exe Pgbafl32.exe File opened for modification C:\Windows\SysWOW64\Bdkgocpm.exe Behgcf32.exe File created C:\Windows\SysWOW64\Migbnb32.exe Melfncqb.exe File opened for modification C:\Windows\SysWOW64\Nlekia32.exe Nmbknddp.exe File created C:\Windows\SysWOW64\Oagmmgdm.exe Oohqqlei.exe File created C:\Windows\SysWOW64\Ebpopmpp.dll Fhqbkhch.exe File created C:\Windows\SysWOW64\Lcojjmea.exe Leljop32.exe File created C:\Windows\SysWOW64\Agfgqo32.exe Ackkppma.exe File opened for modification C:\Windows\SysWOW64\Giieco32.exe Gbomfe32.exe File opened for modification C:\Windows\SysWOW64\Ileiplhn.exe Idnaoohk.exe File opened for modification C:\Windows\SysWOW64\Bfkpqn32.exe Bhhpeafc.exe File created C:\Windows\SysWOW64\Hebpjd32.dll Jghmfhmb.exe File created C:\Windows\SysWOW64\Niebhf32.exe Ngfflj32.exe File opened for modification C:\Windows\SysWOW64\Qijdocfj.exe Qflhbhgg.exe File opened for modification C:\Windows\SysWOW64\Abeemhkh.exe Qjnmlk32.exe File opened for modification C:\Windows\SysWOW64\Jnicmdli.exe Jkjfah32.exe File created C:\Windows\SysWOW64\Pcfefmnk.exe Pqhijbog.exe File created C:\Windows\SysWOW64\Llohjo32.exe Liplnc32.exe File created C:\Windows\SysWOW64\Lcnaga32.dll Okoafmkm.exe File created C:\Windows\SysWOW64\Oappcfmb.exe Onecbg32.exe File opened for modification C:\Windows\SysWOW64\Oappcfmb.exe Onecbg32.exe File opened for modification C:\Windows\SysWOW64\Leljop32.exe Lmebnb32.exe File created C:\Windows\SysWOW64\Mahqjm32.dll Nlekia32.exe File created C:\Windows\SysWOW64\Bjdmohgl.dll Lcojjmea.exe File created C:\Windows\SysWOW64\Liplnc32.exe Ljmlbfhi.exe File created C:\Windows\SysWOW64\Ocdneocc.dll Pngphgbf.exe File created C:\Windows\SysWOW64\Abeemhkh.exe Qjnmlk32.exe File created C:\Windows\SysWOW64\Aaolidlk.exe Amcpie32.exe File created C:\Windows\SysWOW64\Iompkh32.exe Ilncom32.exe File opened for modification C:\Windows\SysWOW64\Jfiale32.exe Jcjdpj32.exe File opened for modification C:\Windows\SysWOW64\Bobhal32.exe Bfkpqn32.exe File created C:\Windows\SysWOW64\Jfnnha32.exe Jnffgd32.exe File created C:\Windows\SysWOW64\Kilfcpqm.exe Kbbngf32.exe File created C:\Windows\SysWOW64\Meijhc32.exe Mbkmlh32.exe File created C:\Windows\SysWOW64\Nckjkl32.exe Nplmop32.exe File created C:\Windows\SysWOW64\Ncpcfkbg.exe Npagjpcd.exe File created C:\Windows\SysWOW64\Gdplpd32.dll Pfgngh32.exe File opened for modification C:\Windows\SysWOW64\Bdmddc32.exe Baohhgnf.exe File created C:\Windows\SysWOW64\Hhmkol32.dll Faigdn32.exe File created C:\Windows\SysWOW64\Kbfhbeek.exe Kohkfj32.exe File created C:\Windows\SysWOW64\Poceplpj.dll Lpjdjmfp.exe File opened for modification C:\Windows\SysWOW64\Mbmjah32.exe Moanaiie.exe File created C:\Windows\SysWOW64\Ghkekdhl.dll Onbgmg32.exe File opened for modification C:\Windows\SysWOW64\Bhhpeafc.exe Bdmddc32.exe File created C:\Windows\SysWOW64\Ghfnkn32.dll Gebbnpfp.exe File created C:\Windows\SysWOW64\Lanaiahq.exe Kjdilgpc.exe File opened for modification C:\Windows\SysWOW64\Ohcaoajg.exe Odhfob32.exe File created C:\Windows\SysWOW64\Pomfkndo.exe Pmojocel.exe File opened for modification C:\Windows\SysWOW64\Nekbmgcn.exe Ncmfqkdj.exe File created C:\Windows\SysWOW64\Knmhgf32.exe Kpjhkjde.exe File created C:\Windows\SysWOW64\Fdilgioe.dll Lcagpl32.exe File opened for modification C:\Windows\SysWOW64\Agfgqo32.exe Ackkppma.exe File created C:\Windows\SysWOW64\Idnaoohk.exe Ifkacb32.exe File opened for modification C:\Windows\SysWOW64\Moidahcn.exe Mkmhaj32.exe File created C:\Windows\SysWOW64\Ceamohhb.dll Npccpo32.exe File created C:\Windows\SysWOW64\Bmnbjfam.dll Abphal32.exe File created C:\Windows\SysWOW64\Lnbbbffj.exe Llcefjgf.exe File opened for modification C:\Windows\SysWOW64\Gdgcpi32.exe Faigdn32.exe File created C:\Windows\SysWOW64\Bohnbn32.dll Knmhgf32.exe File opened for modification C:\Windows\SysWOW64\Lcojjmea.exe Leljop32.exe File created C:\Windows\SysWOW64\Nmbknddp.exe Nekbmgcn.exe File created C:\Windows\SysWOW64\Deokbacp.dll Beejng32.exe File created C:\Windows\SysWOW64\Fljafg32.exe f7c18c49e65443eedb6d2b87d5600b00N.exe File created C:\Windows\SysWOW64\Jcmafj32.exe Jnpinc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3344 3980 WerFault.exe 321 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaheie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofglh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moanaiie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f7c18c49e65443eedb6d2b87d5600b00N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liplnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mholen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oopfakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqacic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oappcfmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkioa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcmjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckiigmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdllkhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inkccpgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mabgcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olonpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ganpomec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcjdpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkolkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmneda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbmjah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcaoajg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpjakhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apalea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmlhchd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkmdpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfnnha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileiplhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kconkibf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjhkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclnemgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mponel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlmic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajecmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimjmbae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npojdpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onpjghhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aecaidjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpdko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipkdnmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjcplpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgmcqkkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baohhgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacacg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdniqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollajp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfaeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afnagk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gebbnpfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcibkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qflhbhgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbgnak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhngjmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncmfqkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npagjpcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niikceid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okoafmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okanklik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiladcdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckjkl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncfoa32.dll" Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoleq32.dll" Kkjcplpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moanaiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdepma32.dll" Olonpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkol32.dll" Faigdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kilfcpqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhajdblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll" Cfnmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijbdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icjhagdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afnagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ganpomec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnicmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjpnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkfceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qeaedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccfcekqe.dll" Jjpcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhhfdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pihgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblihc32.dll" Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcjdpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mooaljkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll" Abbeflpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giicle32.dll" Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhqbkhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinekb32.dll" Igakgfpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iccbqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjnamh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfgngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll" Afnagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chkmkacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpnecca.dll" Jqlhdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lclnemgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmneda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajecmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbdonb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oohqqlei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpceidcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggeiabkc.dll" Ganpomec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfiale32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaiibg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll" Bilmcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npccpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onbgmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkpbcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll" Mkklljmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll" Ngfflj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmgninie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daekko32.dll" Oqacic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qodlkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmpgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjpcbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmjqcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onpjghhn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2724 wrote to memory of 2788 2724 f7c18c49e65443eedb6d2b87d5600b00N.exe 30 PID 2724 wrote to memory of 2788 2724 f7c18c49e65443eedb6d2b87d5600b00N.exe 30 PID 2724 wrote to memory of 2788 2724 f7c18c49e65443eedb6d2b87d5600b00N.exe 30 PID 2724 wrote to memory of 2788 2724 f7c18c49e65443eedb6d2b87d5600b00N.exe 30 PID 2788 wrote to memory of 2844 2788 Fljafg32.exe 31 PID 2788 wrote to memory of 2844 2788 Fljafg32.exe 31 PID 2788 wrote to memory of 2844 2788 Fljafg32.exe 31 PID 2788 wrote to memory of 2844 2788 Fljafg32.exe 31 PID 2844 wrote to memory of 3032 2844 Fnhnbb32.exe 32 PID 2844 wrote to memory of 3032 2844 Fnhnbb32.exe 32 PID 2844 wrote to memory of 3032 2844 Fnhnbb32.exe 32 PID 2844 wrote to memory of 3032 2844 Fnhnbb32.exe 32 PID 3032 wrote to memory of 2600 3032 Fhqbkhch.exe 33 PID 3032 wrote to memory of 2600 3032 Fhqbkhch.exe 33 PID 3032 wrote to memory of 2600 3032 Fhqbkhch.exe 33 PID 3032 wrote to memory of 2600 3032 Fhqbkhch.exe 33 PID 2600 wrote to memory of 2852 2600 Faigdn32.exe 34 PID 2600 wrote to memory of 2852 2600 Faigdn32.exe 34 PID 2600 wrote to memory of 2852 2600 Faigdn32.exe 34 PID 2600 wrote to memory of 2852 2600 Faigdn32.exe 34 PID 2852 wrote to memory of 332 2852 Gdgcpi32.exe 35 PID 2852 wrote to memory of 332 2852 Gdgcpi32.exe 35 PID 2852 wrote to memory of 332 2852 Gdgcpi32.exe 35 PID 2852 wrote to memory of 332 2852 Gdgcpi32.exe 35 PID 332 wrote to memory of 1096 332 Gjakmc32.exe 36 PID 332 wrote to memory of 1096 332 Gjakmc32.exe 36 PID 332 wrote to memory of 1096 332 Gjakmc32.exe 36 PID 332 wrote to memory of 1096 332 Gjakmc32.exe 36 PID 1096 wrote to memory of 1836 1096 Gmpgio32.exe 37 PID 1096 wrote to memory of 1836 1096 Gmpgio32.exe 37 PID 1096 wrote to memory of 1836 1096 Gmpgio32.exe 37 PID 1096 wrote to memory of 1836 1096 Gmpgio32.exe 37 PID 1836 wrote to memory of 2652 1836 Gpncej32.exe 38 PID 1836 wrote to memory of 2652 1836 Gpncej32.exe 38 PID 1836 wrote to memory of 2652 1836 Gpncej32.exe 38 PID 1836 wrote to memory of 2652 1836 Gpncej32.exe 38 PID 2652 wrote to memory of 1672 2652 Ghelfg32.exe 39 PID 2652 wrote to memory of 1672 2652 Ghelfg32.exe 39 PID 2652 wrote to memory of 1672 2652 Ghelfg32.exe 39 PID 2652 wrote to memory of 1672 2652 Ghelfg32.exe 39 PID 1672 wrote to memory of 1268 1672 Ganpomec.exe 40 PID 1672 wrote to memory of 1268 1672 Ganpomec.exe 40 PID 1672 wrote to memory of 1268 1672 Ganpomec.exe 40 PID 1672 wrote to memory of 1268 1672 Ganpomec.exe 40 PID 1268 wrote to memory of 2828 1268 Gdllkhdg.exe 41 PID 1268 wrote to memory of 2828 1268 Gdllkhdg.exe 41 PID 1268 wrote to memory of 2828 1268 Gdllkhdg.exe 41 PID 1268 wrote to memory of 2828 1268 Gdllkhdg.exe 41 PID 2828 wrote to memory of 868 2828 Gbomfe32.exe 42 PID 2828 wrote to memory of 868 2828 Gbomfe32.exe 42 PID 2828 wrote to memory of 868 2828 Gbomfe32.exe 42 PID 2828 wrote to memory of 868 2828 Gbomfe32.exe 42 PID 868 wrote to memory of 2232 868 Giieco32.exe 43 PID 868 wrote to memory of 2232 868 Giieco32.exe 43 PID 868 wrote to memory of 2232 868 Giieco32.exe 43 PID 868 wrote to memory of 2232 868 Giieco32.exe 43 PID 2232 wrote to memory of 2280 2232 Gmdadnkh.exe 44 PID 2232 wrote to memory of 2280 2232 Gmdadnkh.exe 44 PID 2232 wrote to memory of 2280 2232 Gmdadnkh.exe 44 PID 2232 wrote to memory of 2280 2232 Gmdadnkh.exe 44 PID 2280 wrote to memory of 684 2280 Gdniqh32.exe 45 PID 2280 wrote to memory of 684 2280 Gdniqh32.exe 45 PID 2280 wrote to memory of 684 2280 Gdniqh32.exe 45 PID 2280 wrote to memory of 684 2280 Gdniqh32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7c18c49e65443eedb6d2b87d5600b00N.exe"C:\Users\Admin\AppData\Local\Temp\f7c18c49e65443eedb6d2b87d5600b00N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Gljnej32.exeC:\Windows\system32\Gljnej32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:796 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1396 -
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe33⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe35⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe38⤵
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe43⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe44⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Ijbdha32.exeC:\Windows\system32\Ijbdha32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe46⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe47⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Icjhagdp.exeC:\Windows\system32\Icjhagdp.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe49⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe50⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe51⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe53⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:588 -
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe61⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Jbdonb32.exeC:\Windows\system32\Jbdonb32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Jdbkjn32.exeC:\Windows\system32\Jdbkjn32.exe65⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe66⤵
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe68⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe69⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe70⤵PID:2628
-
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe71⤵PID:580
-
C:\Windows\SysWOW64\Jkoplhip.exeC:\Windows\system32\Jkoplhip.exe72⤵PID:2016
-
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe73⤵
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe74⤵PID:1980
-
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe75⤵
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Jfiale32.exeC:\Windows\system32\Jfiale32.exe77⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Jnpinc32.exeC:\Windows\system32\Jnpinc32.exe78⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe79⤵PID:624
-
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe80⤵
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe81⤵PID:2160
-
C:\Windows\SysWOW64\Kmefooki.exeC:\Windows\system32\Kmefooki.exe82⤵PID:108
-
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe83⤵
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Windows\SysWOW64\Kbbngf32.exeC:\Windows\system32\Kbbngf32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe85⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Kkjcplpa.exeC:\Windows\system32\Kkjcplpa.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe87⤵
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\Kbdklf32.exeC:\Windows\system32\Kbdklf32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Kfpgmdog.exeC:\Windows\system32\Kfpgmdog.exe89⤵PID:1612
-
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe91⤵PID:2052
-
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe92⤵
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe93⤵PID:2152
-
C:\Windows\SysWOW64\Kfbcbd32.exeC:\Windows\system32\Kfbcbd32.exe94⤵PID:800
-
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe95⤵PID:1456
-
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe98⤵
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe99⤵PID:2172
-
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe100⤵PID:2132
-
C:\Windows\SysWOW64\Kkaiqk32.exeC:\Windows\system32\Kkaiqk32.exe101⤵PID:2884
-
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe102⤵
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe103⤵PID:1172
-
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Llcefjgf.exeC:\Windows\system32\Llcefjgf.exe105⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Lnbbbffj.exeC:\Windows\system32\Lnbbbffj.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe107⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe108⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Lfmffhde.exeC:\Windows\system32\Lfmffhde.exe110⤵PID:572
-
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe111⤵PID:2168
-
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe112⤵PID:2188
-
C:\Windows\SysWOW64\Labkdack.exeC:\Windows\system32\Labkdack.exe113⤵PID:2012
-
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe115⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Ljkomfjl.exeC:\Windows\system32\Ljkomfjl.exe116⤵PID:1708
-
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe117⤵PID:2964
-
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe120⤵
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2644
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-