Analysis
-
max time kernel
84s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
04-09-2024 22:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ed67004646d20dd3973a4b3d6e782a20N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ed67004646d20dd3973a4b3d6e782a20N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ed67004646d20dd3973a4b3d6e782a20N.exe
-
Size
52KB
-
MD5
ed67004646d20dd3973a4b3d6e782a20
-
SHA1
a3daa3ee029b03a0ec4bb648287d32b643510b1d
-
SHA256
f33917552b0c5686bf869b3a9cad1c6de013546875407c09d4dc5e85d7f8f13e
-
SHA512
736c5b32c65e3257e1726eaa341c0695599cf57c7d55cd7f78abee015d473bf15c2a9445bca39b31ef3bd23b457f2ff4628ea147336e9940be3ef22180bf15ce
-
SSDEEP
768:C5MT94l4e4BO7YfwnoXu+MFz+OGxcw1b66DTMFn8V/1H5F/sfMABvKWe:wyml454YfwZTIHl6vn8PWMAdKZ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kloqiijm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbqajk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobjia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjieace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imqdcjkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfbmlckg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolljk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incgfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflklaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lomidgkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcpqidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dckdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbjbibli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjofanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qicoleno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihcakpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmopepp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkhcdhmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbkabdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlngdhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfgdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbldbgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdakoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmbclj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhnpplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldknmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlgcncli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khpaidpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akpkok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anngkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmmiaknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgjpcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fialggcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggeiooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Himkgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjlqpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngafdepl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclpdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhfepfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kabobo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Necqbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbolge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpdbdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lppkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmdfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lklmoccl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjlgaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhcokmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjcekj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgdpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fclmem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmmmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icponb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpblne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdkdjhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnonp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqkgbkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbhpegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbddfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbiolnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafekm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchjjc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2992 Hjbhgolp.exe 2848 Imqdcjkd.exe 2792 Ilceog32.exe 2976 Iigehk32.exe 2844 Indnqb32.exe 1084 Iijbnkne.exe 1660 Iaegbmlq.exe 2332 Iilocklc.exe 772 Ijmkkc32.exe 2888 Iagchmjn.exe 1916 Ijphqbpo.exe 2076 Iaipmm32.exe 3064 Jjbdfbnl.exe 2120 Jalmcl32.exe 2256 Jhfepfme.exe 532 Janihlcf.exe 2168 Jfkbqcam.exe 1972 Jlhjijpe.exe 1764 Jbbbed32.exe 2016 Jepoao32.exe 2152 Jpfcohfk.exe 2404 Jbdokceo.exe 1920 Jhahcjcf.exe 2584 Kbflqccl.exe 2380 Kiqdmm32.exe 2840 Kommediq.exe 2656 Kaliaphd.exe 2700 Knbjgq32.exe 564 Kanfgofa.exe 2044 Kkfjpemb.exe 2424 Kneflplf.exe 2896 Kdooij32.exe 2972 Kgmkef32.exe 2472 Kjlgaa32.exe 840 Kabobo32.exe 980 Kdakoj32.exe 2836 Lgphke32.exe 2136 Lkkckdhm.exe 2244 Lnipgp32.exe 2012 Lphlck32.exe 3052 Lgbdpena.exe 868 Ljpqlqmd.exe 1532 Lomidgkl.exe 2620 Lgdafeln.exe 264 Ljbmbpkb.exe 1032 Loofjg32.exe 2624 Lbnbfb32.exe 2572 Ljejgp32.exe 2788 Lhhjcmpj.exe 2660 Lcmopepp.exe 2368 Lflklaoc.exe 752 Lhjghlng.exe 1640 Lkhcdhmk.exe 1256 Lodoefed.exe 2024 Mbbkabdh.exe 2748 Mdahnmck.exe 2376 Mgodjico.exe 2300 Mnilfc32.exe 1928 Mbehgabe.exe 2080 Mhopcl32.exe 2236 Mgaqohql.exe 696 Mjpmkdpp.exe 2280 Mnlilb32.exe 2476 Mdeaim32.exe -
Loads dropped DLL 64 IoCs
pid Process 2336 ed67004646d20dd3973a4b3d6e782a20N.exe 2336 ed67004646d20dd3973a4b3d6e782a20N.exe 2992 Hjbhgolp.exe 2992 Hjbhgolp.exe 2848 Imqdcjkd.exe 2848 Imqdcjkd.exe 2792 Ilceog32.exe 2792 Ilceog32.exe 2976 Iigehk32.exe 2976 Iigehk32.exe 2844 Indnqb32.exe 2844 Indnqb32.exe 1084 Iijbnkne.exe 1084 Iijbnkne.exe 1660 Iaegbmlq.exe 1660 Iaegbmlq.exe 2332 Iilocklc.exe 2332 Iilocklc.exe 772 Ijmkkc32.exe 772 Ijmkkc32.exe 2888 Iagchmjn.exe 2888 Iagchmjn.exe 1916 Ijphqbpo.exe 1916 Ijphqbpo.exe 2076 Iaipmm32.exe 2076 Iaipmm32.exe 3064 Jjbdfbnl.exe 3064 Jjbdfbnl.exe 2120 Jalmcl32.exe 2120 Jalmcl32.exe 2256 Jhfepfme.exe 2256 Jhfepfme.exe 532 Janihlcf.exe 532 Janihlcf.exe 2168 Jfkbqcam.exe 2168 Jfkbqcam.exe 1972 Jlhjijpe.exe 1972 Jlhjijpe.exe 1764 Jbbbed32.exe 1764 Jbbbed32.exe 2016 Jepoao32.exe 2016 Jepoao32.exe 2152 Jpfcohfk.exe 2152 Jpfcohfk.exe 2404 Jbdokceo.exe 2404 Jbdokceo.exe 1920 Jhahcjcf.exe 1920 Jhahcjcf.exe 2584 Kbflqccl.exe 2584 Kbflqccl.exe 3060 Kloqiijm.exe 3060 Kloqiijm.exe 2840 Kommediq.exe 2840 Kommediq.exe 2656 Kaliaphd.exe 2656 Kaliaphd.exe 2700 Knbjgq32.exe 2700 Knbjgq32.exe 564 Kanfgofa.exe 564 Kanfgofa.exe 2044 Kkfjpemb.exe 2044 Kkfjpemb.exe 2424 Kneflplf.exe 2424 Kneflplf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jalmcl32.exe Jjbdfbnl.exe File created C:\Windows\SysWOW64\Lphlck32.exe Lnipgp32.exe File created C:\Windows\SysWOW64\Lhjghlng.exe Lflklaoc.exe File created C:\Windows\SysWOW64\Mpdqih32.dll Bqciha32.exe File created C:\Windows\SysWOW64\Dgbgon32.exe Dedkbb32.exe File opened for modification C:\Windows\SysWOW64\Fcjqpm32.exe Fondonbc.exe File created C:\Windows\SysWOW64\Hjbhgolp.exe ed67004646d20dd3973a4b3d6e782a20N.exe File created C:\Windows\SysWOW64\Bbghmc32.dll Iigehk32.exe File opened for modification C:\Windows\SysWOW64\Gmbagf32.exe Gjcekj32.exe File opened for modification C:\Windows\SysWOW64\Mkelcenm.exe Mgjpcf32.exe File created C:\Windows\SysWOW64\Mqoocmcg.exe Mnpbgbdd.exe File opened for modification C:\Windows\SysWOW64\Bnemlf32.exe Bjjakg32.exe File opened for modification C:\Windows\SysWOW64\Dmalmdcg.exe Djcpqidc.exe File created C:\Windows\SysWOW64\Fkncac32.dll Dckdio32.exe File opened for modification C:\Windows\SysWOW64\Hfjfpkji.exe Gcljdpke.exe File opened for modification C:\Windows\SysWOW64\Himkgf32.exe Hfookk32.exe File opened for modification C:\Windows\SysWOW64\Mnneabff.exe Mkpieggc.exe File created C:\Windows\SysWOW64\Flphccbp.exe Fialggcl.exe File created C:\Windows\SysWOW64\Lafekm32.exe Lccepqdo.exe File created C:\Windows\SysWOW64\Nhffikob.exe Nicfnn32.exe File created C:\Windows\SysWOW64\Jhlgnd32.exe Jemkai32.exe File opened for modification C:\Windows\SysWOW64\Keodflee.exe Kcahjqfa.exe File created C:\Windows\SysWOW64\Koedfbnf.dll Kcahjqfa.exe File opened for modification C:\Windows\SysWOW64\Nkjeod32.exe Nccmng32.exe File created C:\Windows\SysWOW64\Mcendc32.exe Mqgahh32.exe File created C:\Windows\SysWOW64\Hmdcof32.dll Nmkbfmpf.exe File created C:\Windows\SysWOW64\Gqemkl32.dll Nalnmahf.exe File created C:\Windows\SysWOW64\Imooak32.dll Omhhma32.exe File opened for modification C:\Windows\SysWOW64\Paqdgcfl.exe Pobgjhgh.exe File created C:\Windows\SysWOW64\Lgpbhg32.dll Hedllgjk.exe File created C:\Windows\SysWOW64\Jpnfdbig.exe Jhgnbehe.exe File created C:\Windows\SysWOW64\Cealdmqc.dll Lnmfpnqn.exe File opened for modification C:\Windows\SysWOW64\Dbcnpk32.exe Dpdbdo32.exe File created C:\Windows\SysWOW64\Jemkai32.exe Jocceo32.exe File created C:\Windows\SysWOW64\Gdbchd32.exe Gacgli32.exe File created C:\Windows\SysWOW64\Kocodbpk.exe Kldchgag.exe File created C:\Windows\SysWOW64\Ijphqbpo.exe Iagchmjn.exe File created C:\Windows\SysWOW64\Licpdaeg.dll Mmafmo32.exe File opened for modification C:\Windows\SysWOW64\Nmhlnngi.exe Njipabhe.exe File created C:\Windows\SysWOW64\Pkihpi32.exe Pihlhagn.exe File opened for modification C:\Windows\SysWOW64\Bhfhnofg.exe Bdklnq32.exe File opened for modification C:\Windows\SysWOW64\Eaangfjf.exe Eijffhjd.exe File created C:\Windows\SysWOW64\Fabkfhch.dll Mdeaim32.exe File created C:\Windows\SysWOW64\Gkaohl32.dll Alknnodh.exe File created C:\Windows\SysWOW64\Ebjldp32.dll Kbjbibli.exe File opened for modification C:\Windows\SysWOW64\Ngcbie32.exe Nplkhh32.exe File created C:\Windows\SysWOW64\Oepianef.exe Obamebfc.exe File opened for modification C:\Windows\SysWOW64\Lflklaoc.exe Lcmopepp.exe File created C:\Windows\SysWOW64\Ggppdpif.exe Gdbchd32.exe File opened for modification C:\Windows\SysWOW64\Kmpfgklo.exe Kkajkoml.exe File created C:\Windows\SysWOW64\Dhalelik.dll Omekgakg.exe File opened for modification C:\Windows\SysWOW64\Ghkbccdn.exe Gdpfbd32.exe File created C:\Windows\SysWOW64\Gnmdfi32.exe Gknhjn32.exe File created C:\Windows\SysWOW64\Benhai32.dll Hnlqemal.exe File opened for modification C:\Windows\SysWOW64\Ijhkembk.exe Igioiacg.exe File opened for modification C:\Windows\SysWOW64\Lolbjahp.exe Lgejidgn.exe File created C:\Windows\SysWOW64\Kommediq.exe Kloqiijm.exe File created C:\Windows\SysWOW64\Lgbdpena.exe Lphlck32.exe File opened for modification C:\Windows\SysWOW64\Afeold32.exe Anngkg32.exe File created C:\Windows\SysWOW64\Ofilmn32.dll Mdkcgk32.exe File opened for modification C:\Windows\SysWOW64\Indnqb32.exe Iigehk32.exe File created C:\Windows\SysWOW64\Ffecai32.dll Ljbmbpkb.exe File created C:\Windows\SysWOW64\Pmpnci32.dll Npdkdjhp.exe File created C:\Windows\SysWOW64\Nnnbqeib.exe Npkaei32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5392 5364 WerFault.exe 485 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keodflee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiqdmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggeiooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoegoqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafekm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkkepio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oicbma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhjae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjhofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogddpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcendc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombhgljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnomkloi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkajkoml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqbhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deajlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddagi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflklaoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kneflplf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcknjidn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niombolm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbqajk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiooocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnojjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phabdmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnqcaffa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flphccbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmdfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjofanld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbbed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmhlnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofbikf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfkbeoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lednal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckdio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhifmcfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmmiaknb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lolbjahp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnemlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaangfjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njobpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qicoleno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copljmpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmbfkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapfmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijphqbpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijcgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omekgakg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcnfjpib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfamko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhhma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agilkijf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmhcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklmoccl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndlamke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfhfmhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccaodgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhpigk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdcbjal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbflqccl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kanfgofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddinn32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnlilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnbic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebdmn32.dll" Ldikbhfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhpigk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnlilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjchgpap.dll" Njipabhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohmljj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olobcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iggbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oclpdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aenileon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdofe32.dll" Bcbedm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elnonp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpihnbmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbcnpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjkgjnac.dll" Elnonp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnmfpnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqgahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbbhpegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlmiojla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgcjqmc.dll" Nicfnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgkanomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlekjqk.dll" Dfjaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maaqhfpj.dll" Hfmbfkhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnobfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlnbmikh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdeaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acplpjpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkccob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjgehii.dll" Nkjeod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akpkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfghagio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omhhma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imnhahoi.dll" Ojlife32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dimfmeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfqak32.dll" Kabobo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcpiombe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdmjmenh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmighemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hefibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jljkakol.dll" Jidngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdcof32.dll" Nmkbfmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnilfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajoaoj32.dll" Nbgakd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkihpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlkmo32.dll" Gknhjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Johlpoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndlamke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbnbfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npdkdjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkomepon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkhhie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndpmbjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjeffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnkelj32.dll" Phabdmgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcgpiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oamkpm32.dll" Icponb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfkbqcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhjghlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgaqohql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geeqlobc.dll" Phoeomjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agilkijf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfghagio.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2992 2336 ed67004646d20dd3973a4b3d6e782a20N.exe 29 PID 2336 wrote to memory of 2992 2336 ed67004646d20dd3973a4b3d6e782a20N.exe 29 PID 2336 wrote to memory of 2992 2336 ed67004646d20dd3973a4b3d6e782a20N.exe 29 PID 2336 wrote to memory of 2992 2336 ed67004646d20dd3973a4b3d6e782a20N.exe 29 PID 2992 wrote to memory of 2848 2992 Hjbhgolp.exe 30 PID 2992 wrote to memory of 2848 2992 Hjbhgolp.exe 30 PID 2992 wrote to memory of 2848 2992 Hjbhgolp.exe 30 PID 2992 wrote to memory of 2848 2992 Hjbhgolp.exe 30 PID 2848 wrote to memory of 2792 2848 Imqdcjkd.exe 31 PID 2848 wrote to memory of 2792 2848 Imqdcjkd.exe 31 PID 2848 wrote to memory of 2792 2848 Imqdcjkd.exe 31 PID 2848 wrote to memory of 2792 2848 Imqdcjkd.exe 31 PID 2792 wrote to memory of 2976 2792 Ilceog32.exe 32 PID 2792 wrote to memory of 2976 2792 Ilceog32.exe 32 PID 2792 wrote to memory of 2976 2792 Ilceog32.exe 32 PID 2792 wrote to memory of 2976 2792 Ilceog32.exe 32 PID 2976 wrote to memory of 2844 2976 Iigehk32.exe 33 PID 2976 wrote to memory of 2844 2976 Iigehk32.exe 33 PID 2976 wrote to memory of 2844 2976 Iigehk32.exe 33 PID 2976 wrote to memory of 2844 2976 Iigehk32.exe 33 PID 2844 wrote to memory of 1084 2844 Indnqb32.exe 34 PID 2844 wrote to memory of 1084 2844 Indnqb32.exe 34 PID 2844 wrote to memory of 1084 2844 Indnqb32.exe 34 PID 2844 wrote to memory of 1084 2844 Indnqb32.exe 34 PID 1084 wrote to memory of 1660 1084 Iijbnkne.exe 35 PID 1084 wrote to memory of 1660 1084 Iijbnkne.exe 35 PID 1084 wrote to memory of 1660 1084 Iijbnkne.exe 35 PID 1084 wrote to memory of 1660 1084 Iijbnkne.exe 35 PID 1660 wrote to memory of 2332 1660 Iaegbmlq.exe 36 PID 1660 wrote to memory of 2332 1660 Iaegbmlq.exe 36 PID 1660 wrote to memory of 2332 1660 Iaegbmlq.exe 36 PID 1660 wrote to memory of 2332 1660 Iaegbmlq.exe 36 PID 2332 wrote to memory of 772 2332 Iilocklc.exe 37 PID 2332 wrote to memory of 772 2332 Iilocklc.exe 37 PID 2332 wrote to memory of 772 2332 Iilocklc.exe 37 PID 2332 wrote to memory of 772 2332 Iilocklc.exe 37 PID 772 wrote to memory of 2888 772 Ijmkkc32.exe 38 PID 772 wrote to memory of 2888 772 Ijmkkc32.exe 38 PID 772 wrote to memory of 2888 772 Ijmkkc32.exe 38 PID 772 wrote to memory of 2888 772 Ijmkkc32.exe 38 PID 2888 wrote to memory of 1916 2888 Iagchmjn.exe 39 PID 2888 wrote to memory of 1916 2888 Iagchmjn.exe 39 PID 2888 wrote to memory of 1916 2888 Iagchmjn.exe 39 PID 2888 wrote to memory of 1916 2888 Iagchmjn.exe 39 PID 1916 wrote to memory of 2076 1916 Ijphqbpo.exe 40 PID 1916 wrote to memory of 2076 1916 Ijphqbpo.exe 40 PID 1916 wrote to memory of 2076 1916 Ijphqbpo.exe 40 PID 1916 wrote to memory of 2076 1916 Ijphqbpo.exe 40 PID 2076 wrote to memory of 3064 2076 Iaipmm32.exe 41 PID 2076 wrote to memory of 3064 2076 Iaipmm32.exe 41 PID 2076 wrote to memory of 3064 2076 Iaipmm32.exe 41 PID 2076 wrote to memory of 3064 2076 Iaipmm32.exe 41 PID 3064 wrote to memory of 2120 3064 Jjbdfbnl.exe 42 PID 3064 wrote to memory of 2120 3064 Jjbdfbnl.exe 42 PID 3064 wrote to memory of 2120 3064 Jjbdfbnl.exe 42 PID 3064 wrote to memory of 2120 3064 Jjbdfbnl.exe 42 PID 2120 wrote to memory of 2256 2120 Jalmcl32.exe 43 PID 2120 wrote to memory of 2256 2120 Jalmcl32.exe 43 PID 2120 wrote to memory of 2256 2120 Jalmcl32.exe 43 PID 2120 wrote to memory of 2256 2120 Jalmcl32.exe 43 PID 2256 wrote to memory of 532 2256 Jhfepfme.exe 44 PID 2256 wrote to memory of 532 2256 Jhfepfme.exe 44 PID 2256 wrote to memory of 532 2256 Jhfepfme.exe 44 PID 2256 wrote to memory of 532 2256 Jhfepfme.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed67004646d20dd3973a4b3d6e782a20N.exe"C:\Users\Admin\AppData\Local\Temp\ed67004646d20dd3973a4b3d6e782a20N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Hjbhgolp.exeC:\Windows\system32\Hjbhgolp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Imqdcjkd.exeC:\Windows\system32\Imqdcjkd.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Ilceog32.exeC:\Windows\system32\Ilceog32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Iigehk32.exeC:\Windows\system32\Iigehk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Indnqb32.exeC:\Windows\system32\Indnqb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Iaegbmlq.exeC:\Windows\system32\Iaegbmlq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Iilocklc.exeC:\Windows\system32\Iilocklc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Ijmkkc32.exeC:\Windows\system32\Ijmkkc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Iagchmjn.exeC:\Windows\system32\Iagchmjn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ijphqbpo.exeC:\Windows\system32\Ijphqbpo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Iaipmm32.exeC:\Windows\system32\Iaipmm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Jjbdfbnl.exeC:\Windows\system32\Jjbdfbnl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Jalmcl32.exeC:\Windows\system32\Jalmcl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Jhfepfme.exeC:\Windows\system32\Jhfepfme.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Janihlcf.exeC:\Windows\system32\Janihlcf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:532 -
C:\Windows\SysWOW64\Jfkbqcam.exeC:\Windows\system32\Jfkbqcam.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Jbbbed32.exeC:\Windows\system32\Jbbbed32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Jepoao32.exeC:\Windows\system32\Jepoao32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Jpfcohfk.exeC:\Windows\system32\Jpfcohfk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Jbdokceo.exeC:\Windows\system32\Jbdokceo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Jhahcjcf.exeC:\Windows\system32\Jhahcjcf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Kbflqccl.exeC:\Windows\system32\Kbflqccl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Kiqdmm32.exeC:\Windows\system32\Kiqdmm32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Kloqiijm.exeC:\Windows\system32\Kloqiijm.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Kommediq.exeC:\Windows\system32\Kommediq.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Kaliaphd.exeC:\Windows\system32\Kaliaphd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Knbjgq32.exeC:\Windows\system32\Knbjgq32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Kanfgofa.exeC:\Windows\system32\Kanfgofa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Kkfjpemb.exeC:\Windows\system32\Kkfjpemb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Kneflplf.exeC:\Windows\system32\Kneflplf.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe34⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Kgmkef32.exeC:\Windows\system32\Kgmkef32.exe35⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Kjlgaa32.exeC:\Windows\system32\Kjlgaa32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Kabobo32.exeC:\Windows\system32\Kabobo32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Kdakoj32.exeC:\Windows\system32\Kdakoj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Lgphke32.exeC:\Windows\system32\Lgphke32.exe39⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Lkkckdhm.exeC:\Windows\system32\Lkkckdhm.exe40⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Lnipgp32.exeC:\Windows\system32\Lnipgp32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Lphlck32.exeC:\Windows\system32\Lphlck32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Lgbdpena.exeC:\Windows\system32\Lgbdpena.exe43⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ljpqlqmd.exeC:\Windows\system32\Ljpqlqmd.exe44⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Lomidgkl.exeC:\Windows\system32\Lomidgkl.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Lgdafeln.exeC:\Windows\system32\Lgdafeln.exe46⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Loofjg32.exeC:\Windows\system32\Loofjg32.exe48⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Lbnbfb32.exeC:\Windows\system32\Lbnbfb32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Ljejgp32.exeC:\Windows\system32\Ljejgp32.exe50⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Lhhjcmpj.exeC:\Windows\system32\Lhhjcmpj.exe51⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Lcmopepp.exeC:\Windows\system32\Lcmopepp.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Lflklaoc.exeC:\Windows\system32\Lflklaoc.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Lhjghlng.exeC:\Windows\system32\Lhjghlng.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Lkhcdhmk.exeC:\Windows\system32\Lkhcdhmk.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Lodoefed.exeC:\Windows\system32\Lodoefed.exe56⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Mbbkabdh.exeC:\Windows\system32\Mbbkabdh.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Mdahnmck.exeC:\Windows\system32\Mdahnmck.exe58⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Mgodjico.exeC:\Windows\system32\Mgodjico.exe59⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Mnilfc32.exeC:\Windows\system32\Mnilfc32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe61⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Mhopcl32.exeC:\Windows\system32\Mhopcl32.exe62⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Mjpmkdpp.exeC:\Windows\system32\Mjpmkdpp.exe64⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Mdeaim32.exeC:\Windows\system32\Mdeaim32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Mchadifq.exeC:\Windows\system32\Mchadifq.exe67⤵PID:1668
-
C:\Windows\SysWOW64\Mkpieggc.exeC:\Windows\system32\Mkpieggc.exe68⤵
- Drops file in System32 directory
PID:620 -
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe69⤵PID:1816
-
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe70⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Mqlbnnej.exeC:\Windows\system32\Mqlbnnej.exe71⤵PID:3024
-
C:\Windows\SysWOW64\Mcknjidn.exeC:\Windows\system32\Mcknjidn.exe72⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Mgfjjh32.exeC:\Windows\system32\Mgfjjh32.exe73⤵PID:2724
-
C:\Windows\SysWOW64\Mjeffc32.exeC:\Windows\system32\Mjeffc32.exe74⤵
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Mnpbgbdd.exeC:\Windows\system32\Mnpbgbdd.exe75⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Mqoocmcg.exeC:\Windows\system32\Mqoocmcg.exe76⤵PID:2316
-
C:\Windows\SysWOW64\Mcmkoi32.exeC:\Windows\system32\Mcmkoi32.exe77⤵PID:3020
-
C:\Windows\SysWOW64\Mflgkd32.exeC:\Windows\system32\Mflgkd32.exe78⤵PID:2144
-
C:\Windows\SysWOW64\Mjgclcjh.exeC:\Windows\system32\Mjgclcjh.exe79⤵PID:2112
-
C:\Windows\SysWOW64\Nijcgp32.exeC:\Windows\system32\Nijcgp32.exe80⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Npdkdjhp.exeC:\Windows\system32\Npdkdjhp.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Nbbhpegc.exeC:\Windows\system32\Nbbhpegc.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Nmhlnngi.exeC:\Windows\system32\Nmhlnngi.exe84⤵
- System Location Discovery: System Language Discovery
PID:648 -
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe85⤵PID:1172
-
C:\Windows\SysWOW64\Nbddfe32.exeC:\Windows\system32\Nbddfe32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Necqbp32.exeC:\Windows\system32\Necqbp32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392 -
C:\Windows\SysWOW64\Niombolm.exeC:\Windows\system32\Niombolm.exe88⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe89⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe90⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Nfbmlckg.exeC:\Windows\system32\Nfbmlckg.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Niaihojk.exeC:\Windows\system32\Niaihojk.exe92⤵PID:2176
-
C:\Windows\SysWOW64\Npkaei32.exeC:\Windows\system32\Npkaei32.exe93⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Nnnbqeib.exeC:\Windows\system32\Nnnbqeib.exe94⤵PID:2060
-
C:\Windows\SysWOW64\Nalnmahf.exeC:\Windows\system32\Nalnmahf.exe95⤵
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Nhffikob.exeC:\Windows\system32\Nhffikob.exe97⤵PID:1600
-
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe98⤵PID:2740
-
C:\Windows\SysWOW64\Oejgbonl.exeC:\Windows\system32\Oejgbonl.exe99⤵PID:2428
-
C:\Windows\SysWOW64\Ohhcokmp.exeC:\Windows\system32\Ohhcokmp.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1440 -
C:\Windows\SysWOW64\Ojgokflc.exeC:\Windows\system32\Ojgokflc.exe101⤵PID:2940
-
C:\Windows\SysWOW64\Onbkle32.exeC:\Windows\system32\Onbkle32.exe102⤵PID:2796
-
C:\Windows\SysWOW64\Omekgakg.exeC:\Windows\system32\Omekgakg.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Ododdlcd.exeC:\Windows\system32\Ododdlcd.exe104⤵PID:1044
-
C:\Windows\SysWOW64\Ofnppgbh.exeC:\Windows\system32\Ofnppgbh.exe105⤵PID:3008
-
C:\Windows\SysWOW64\Omhhma32.exeC:\Windows\system32\Omhhma32.exe106⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe107⤵PID:1436
-
C:\Windows\SysWOW64\Ohmljj32.exeC:\Windows\system32\Ohmljj32.exe108⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Ojlife32.exeC:\Windows\system32\Ojlife32.exe109⤵
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Omjeba32.exeC:\Windows\system32\Omjeba32.exe110⤵PID:820
-
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe111⤵PID:2036
-
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe112⤵
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Oiqegb32.exeC:\Windows\system32\Oiqegb32.exe113⤵PID:2824
-
C:\Windows\SysWOW64\Olobcm32.exeC:\Windows\system32\Olobcm32.exe114⤵
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Odfjdk32.exeC:\Windows\system32\Odfjdk32.exe115⤵PID:2104
-
C:\Windows\SysWOW64\Ofefqf32.exeC:\Windows\system32\Ofefqf32.exe116⤵PID:2128
-
C:\Windows\SysWOW64\Oicbma32.exeC:\Windows\system32\Oicbma32.exe117⤵
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe118⤵PID:316
-
C:\Windows\SysWOW64\Pbkgegad.exeC:\Windows\system32\Pbkgegad.exe119⤵PID:848
-
C:\Windows\SysWOW64\Pfgcff32.exeC:\Windows\system32\Pfgcff32.exe120⤵PID:1092
-
C:\Windows\SysWOW64\Pieobaiq.exeC:\Windows\system32\Pieobaiq.exe121⤵PID:1992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-