Analysis
-
max time kernel
147s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-09-2024 01:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe
-
Size
60KB
-
MD5
44cf97c3f1bffc6d4b297a556b6b8f64
-
SHA1
c79056ae7ac03ddb3bb27a2d39e0ffd011bb34da
-
SHA256
a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44
-
SHA512
c84a19700bf0c23b2fc1f90bf2b48e51c3cbb076a48bbb983fa5c502c080c61f0374613c406789987e2069bc8a3d9cd7b2bcf73a66afe33fe4962e119133a173
-
SSDEEP
1536:Dm9H0kdUP/Mom1TqricuNLwM6EZypB86l1rs:GHxdUXJm1G0y5pB86l1rs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kconkibf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oancnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaloddnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blmfea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmlhnagm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odeiibdq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcibkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfpnmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkpqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okfgfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkkmqnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipllekdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migbnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nekbmgcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbcfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohaeia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfmfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbiqfied.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdipnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qodlkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcfqkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlcbenjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfikmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcnda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenobfak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biojif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkglameg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfiale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhfdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajbne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baohhgnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnfnfgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfcpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdmmdnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kincipnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmcqkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaheie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikhjki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqjfoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inkccpgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgnak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncbplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cilibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leimip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piekcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cilibi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmagdbci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmefooki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kconkibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajecmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amcpie32.exe -
Executes dropped EXE 64 IoCs
pid Process 2916 Igakgfpn.exe 2576 Inkccpgk.exe 2056 Iompkh32.exe 2780 Iheddndj.exe 2608 Ipllekdl.exe 2628 Iamimc32.exe 2512 Ijdqna32.exe 2952 Ikfmfi32.exe 332 Iapebchh.exe 644 Idnaoohk.exe 2008 Ikhjki32.exe 2276 Jnffgd32.exe 1704 Jdpndnei.exe 620 Jgojpjem.exe 1948 Jnicmdli.exe 1756 Jqgoiokm.exe 3044 Jhngjmlo.exe 2900 Jkmcfhkc.exe 2532 Jbgkcb32.exe 1092 Jdehon32.exe 3032 Jgcdki32.exe 988 Jjbpgd32.exe 1324 Jqlhdo32.exe 1744 Jcjdpj32.exe 1640 Jfiale32.exe 1912 Jjdmmdnh.exe 2836 Jmbiipml.exe 1708 Jghmfhmb.exe 2648 Kmefooki.exe 2376 Kconkibf.exe 2624 Kconkibf.exe 2820 Kfmjgeaj.exe 2816 Kmgbdo32.exe 2504 Kcakaipc.exe 2972 Kfpgmdog.exe 1096 Kincipnk.exe 1144 Kklpekno.exe 556 Knklagmb.exe 1992 Kfbcbd32.exe 1132 Kiqpop32.exe 1716 Knmhgf32.exe 1728 Kbidgeci.exe 2316 Kegqdqbl.exe 1968 Kgemplap.exe 2844 Kjdilgpc.exe 2368 Leimip32.exe 2476 Lghjel32.exe 888 Ljffag32.exe 1140 Lapnnafn.exe 772 Leljop32.exe 1552 Lfmffhde.exe 896 Lmgocb32.exe 2416 Lcagpl32.exe 2984 Lgmcqkkh.exe 496 Lmikibio.exe 2752 Lphhenhc.exe 2792 Lfbpag32.exe 1028 Ljmlbfhi.exe 2556 Lmlhnagm.exe 2388 Lcfqkl32.exe 1492 Lbiqfied.exe 340 Libicbma.exe 1700 Mmneda32.exe 848 Mlaeonld.exe -
Loads dropped DLL 64 IoCs
pid Process 1852 a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe 1852 a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe 2916 Igakgfpn.exe 2916 Igakgfpn.exe 2576 Inkccpgk.exe 2576 Inkccpgk.exe 2056 Iompkh32.exe 2056 Iompkh32.exe 2780 Iheddndj.exe 2780 Iheddndj.exe 2608 Ipllekdl.exe 2608 Ipllekdl.exe 2628 Iamimc32.exe 2628 Iamimc32.exe 2512 Ijdqna32.exe 2512 Ijdqna32.exe 2952 Ikfmfi32.exe 2952 Ikfmfi32.exe 332 Iapebchh.exe 332 Iapebchh.exe 644 Idnaoohk.exe 644 Idnaoohk.exe 2008 Ikhjki32.exe 2008 Ikhjki32.exe 2276 Jnffgd32.exe 2276 Jnffgd32.exe 1704 Jdpndnei.exe 1704 Jdpndnei.exe 620 Jgojpjem.exe 620 Jgojpjem.exe 1948 Jnicmdli.exe 1948 Jnicmdli.exe 1756 Jqgoiokm.exe 1756 Jqgoiokm.exe 3044 Jhngjmlo.exe 3044 Jhngjmlo.exe 2900 Jkmcfhkc.exe 2900 Jkmcfhkc.exe 2532 Jbgkcb32.exe 2532 Jbgkcb32.exe 1092 Jdehon32.exe 1092 Jdehon32.exe 3032 Jgcdki32.exe 3032 Jgcdki32.exe 988 Jjbpgd32.exe 988 Jjbpgd32.exe 1324 Jqlhdo32.exe 1324 Jqlhdo32.exe 1744 Jcjdpj32.exe 1744 Jcjdpj32.exe 1640 Jfiale32.exe 1640 Jfiale32.exe 1912 Jjdmmdnh.exe 1912 Jjdmmdnh.exe 2836 Jmbiipml.exe 2836 Jmbiipml.exe 1708 Jghmfhmb.exe 1708 Jghmfhmb.exe 2648 Kmefooki.exe 2648 Kmefooki.exe 2376 Kconkibf.exe 2376 Kconkibf.exe 2624 Kconkibf.exe 2624 Kconkibf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mieeibkn.exe Mffimglk.exe File created C:\Windows\SysWOW64\Mabgcd32.exe Modkfi32.exe File created C:\Windows\SysWOW64\Mfkbpc32.dll Oeeecekc.exe File opened for modification C:\Windows\SysWOW64\Baohhgnf.exe Bmclhi32.exe File opened for modification C:\Windows\SysWOW64\Jqgoiokm.exe Jnicmdli.exe File created C:\Windows\SysWOW64\Diceon32.dll Mpjqiq32.exe File opened for modification C:\Windows\SysWOW64\Qiladcdh.exe Qqeicede.exe File created C:\Windows\SysWOW64\Mdqfkmom.dll Bfkpqn32.exe File created C:\Windows\SysWOW64\Fpbche32.dll Qqeicede.exe File opened for modification C:\Windows\SysWOW64\Kfpgmdog.exe Kcakaipc.exe File created C:\Windows\SysWOW64\Bpmiamoh.dll Kfbcbd32.exe File created C:\Windows\SysWOW64\Mmneda32.exe Libicbma.exe File created C:\Windows\SysWOW64\Egnhob32.dll Naimccpo.exe File opened for modification C:\Windows\SysWOW64\Ngfflj32.exe Nckjkl32.exe File opened for modification C:\Windows\SysWOW64\Oghopm32.exe Odjbdb32.exe File opened for modification C:\Windows\SysWOW64\Oqcpob32.exe Oappcfmb.exe File created C:\Windows\SysWOW64\Bbgnak32.exe Bphbeplm.exe File created C:\Windows\SysWOW64\Bmhideol.exe Aeqabgoj.exe File created C:\Windows\SysWOW64\Kmefooki.exe Jghmfhmb.exe File opened for modification C:\Windows\SysWOW64\Mkklljmg.exe Mhloponc.exe File opened for modification C:\Windows\SysWOW64\Ohaeia32.exe Odeiibdq.exe File opened for modification C:\Windows\SysWOW64\Pfbelipa.exe Pcdipnqn.exe File created C:\Windows\SysWOW64\Paenhpdh.dll Pqjfoa32.exe File created C:\Windows\SysWOW64\Aipheffp.dll Pdlkiepd.exe File created C:\Windows\SysWOW64\Ejaekc32.dll Qiladcdh.exe File opened for modification C:\Windows\SysWOW64\Chkmkacq.exe Cdoajb32.exe File created C:\Windows\SysWOW64\Pjpnbg32.exe Pcfefmnk.exe File opened for modification C:\Windows\SysWOW64\Piekcd32.exe Pfgngh32.exe File created C:\Windows\SysWOW64\Lapefgai.dll Pfgngh32.exe File created C:\Windows\SysWOW64\Aeqmqeba.dll Poapfn32.exe File created C:\Windows\SysWOW64\Aaheie32.exe Aniimjbo.exe File created C:\Windows\SysWOW64\Mhpeoj32.dll Amqccfed.exe File created C:\Windows\SysWOW64\Amelne32.exe Ajgpbj32.exe File created C:\Windows\SysWOW64\Cilibi32.exe Cfnmfn32.exe File opened for modification C:\Windows\SysWOW64\Nlcnda32.exe Nmpnhdfc.exe File created C:\Windows\SysWOW64\Ilfila32.dll Pckoam32.exe File created C:\Windows\SysWOW64\Lmpanl32.dll Aeqabgoj.exe File created C:\Windows\SysWOW64\Bhfcpb32.exe Behgcf32.exe File created C:\Windows\SysWOW64\Ikhjki32.exe Idnaoohk.exe File created C:\Windows\SysWOW64\Jnicmdli.exe Jgojpjem.exe File created C:\Windows\SysWOW64\Jfiale32.exe Jcjdpj32.exe File created C:\Windows\SysWOW64\Jmbckb32.dll Ndjfeo32.exe File created C:\Windows\SysWOW64\Ngkogj32.exe Nodgel32.exe File created C:\Windows\SysWOW64\Aaolidlk.exe Amcpie32.exe File created C:\Windows\SysWOW64\Koldhi32.dll Amelne32.exe File opened for modification C:\Windows\SysWOW64\Jcjdpj32.exe Jqlhdo32.exe File opened for modification C:\Windows\SysWOW64\Jmbiipml.exe Jjdmmdnh.exe File created C:\Windows\SysWOW64\Leimip32.exe Kjdilgpc.exe File created C:\Windows\SysWOW64\Jhcfhi32.dll Libicbma.exe File created C:\Windows\SysWOW64\Ajdlmi32.dll Mffimglk.exe File created C:\Windows\SysWOW64\Ndhipoob.exe Naimccpo.exe File opened for modification C:\Windows\SysWOW64\Oagmmgdm.exe Oohqqlei.exe File opened for modification C:\Windows\SysWOW64\Jghmfhmb.exe Jmbiipml.exe File created C:\Windows\SysWOW64\Hkeapk32.dll Kiqpop32.exe File created C:\Windows\SysWOW64\Kbelde32.dll Lbiqfied.exe File created C:\Windows\SysWOW64\Oilpcd32.dll Ajecmj32.exe File created C:\Windows\SysWOW64\Afnagk32.exe Abbeflpf.exe File opened for modification C:\Windows\SysWOW64\Bhajdblk.exe Biojif32.exe File created C:\Windows\SysWOW64\Cjnolikh.dll Bejdiffp.exe File opened for modification C:\Windows\SysWOW64\Ljffag32.exe Lghjel32.exe File created C:\Windows\SysWOW64\Almjnp32.dll Mlaeonld.exe File created C:\Windows\SysWOW64\Fnqkpajk.dll Mdacop32.exe File created C:\Windows\SysWOW64\Oackeakj.dll Nhllob32.exe File opened for modification C:\Windows\SysWOW64\Pqhijbog.exe Pmlmic32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3908 3876 WerFault.exe 249 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmdjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmldme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Becnhgmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbidgeci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mabgcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlhnagm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfqkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalfhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfbcbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljffag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmagdbci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibebfpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjfeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mieeibkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maedhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nljddpfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcfefmnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbiqfied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkmkacq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcakaipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picnndmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjbjopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmffhde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlaeonld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcaoajg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaolidlk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhohda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbikgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okanklik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oappcfmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knklagmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlmic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeohnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aecaidjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apdhjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbgkcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfeppop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biojif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdehon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnfnfgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcpie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amelne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmefooki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcagpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcibkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajbggjfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjdilgpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhllob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beejng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajbne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhaikn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpjakhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklpekno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lphhenhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqccfed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmeimhdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdmmdnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leljop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeeecekc.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll" Bfkpqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjakbabj.dll" Pfbelipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knmhgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfikmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmhideol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmfea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbgnak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfgngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejaekc32.dll" Qiladcdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjbcfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bejdiffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgheann.dll" Inkccpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmffb32.dll" Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll" Lfbpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmlhnagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkmhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogkkfmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcibkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlaeonld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkhofjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll" Qbplbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipikqbi.dll" Jmbiipml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnffgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odjbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll" Nlcnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhohda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaofqdkb.dll" Ookmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhbfpnj.dll" Ogmhkmki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll" Achojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll" Amcpie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll" Biojif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balkchpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll" Bkglameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" Bmeimhdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beejng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbche32.dll" Qqeicede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhaikn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqjfoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbplbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bphbeplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpjqiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ookmfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocalkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmlmic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll" Poapfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnddig32.dll" Lmikibio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfhfnim.dll" Kklpekno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlcbenjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqhijbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqjfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll" Ajbggjfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll" Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljnnb32.dll" a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll" Agfgqo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1852 wrote to memory of 2916 1852 a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe 28 PID 1852 wrote to memory of 2916 1852 a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe 28 PID 1852 wrote to memory of 2916 1852 a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe 28 PID 1852 wrote to memory of 2916 1852 a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe 28 PID 2916 wrote to memory of 2576 2916 Igakgfpn.exe 29 PID 2916 wrote to memory of 2576 2916 Igakgfpn.exe 29 PID 2916 wrote to memory of 2576 2916 Igakgfpn.exe 29 PID 2916 wrote to memory of 2576 2916 Igakgfpn.exe 29 PID 2576 wrote to memory of 2056 2576 Inkccpgk.exe 30 PID 2576 wrote to memory of 2056 2576 Inkccpgk.exe 30 PID 2576 wrote to memory of 2056 2576 Inkccpgk.exe 30 PID 2576 wrote to memory of 2056 2576 Inkccpgk.exe 30 PID 2056 wrote to memory of 2780 2056 Iompkh32.exe 31 PID 2056 wrote to memory of 2780 2056 Iompkh32.exe 31 PID 2056 wrote to memory of 2780 2056 Iompkh32.exe 31 PID 2056 wrote to memory of 2780 2056 Iompkh32.exe 31 PID 2780 wrote to memory of 2608 2780 Iheddndj.exe 32 PID 2780 wrote to memory of 2608 2780 Iheddndj.exe 32 PID 2780 wrote to memory of 2608 2780 Iheddndj.exe 32 PID 2780 wrote to memory of 2608 2780 Iheddndj.exe 32 PID 2608 wrote to memory of 2628 2608 Ipllekdl.exe 33 PID 2608 wrote to memory of 2628 2608 Ipllekdl.exe 33 PID 2608 wrote to memory of 2628 2608 Ipllekdl.exe 33 PID 2608 wrote to memory of 2628 2608 Ipllekdl.exe 33 PID 2628 wrote to memory of 2512 2628 Iamimc32.exe 34 PID 2628 wrote to memory of 2512 2628 Iamimc32.exe 34 PID 2628 wrote to memory of 2512 2628 Iamimc32.exe 34 PID 2628 wrote to memory of 2512 2628 Iamimc32.exe 34 PID 2512 wrote to memory of 2952 2512 Ijdqna32.exe 35 PID 2512 wrote to memory of 2952 2512 Ijdqna32.exe 35 PID 2512 wrote to memory of 2952 2512 Ijdqna32.exe 35 PID 2512 wrote to memory of 2952 2512 Ijdqna32.exe 35 PID 2952 wrote to memory of 332 2952 Ikfmfi32.exe 36 PID 2952 wrote to memory of 332 2952 Ikfmfi32.exe 36 PID 2952 wrote to memory of 332 2952 Ikfmfi32.exe 36 PID 2952 wrote to memory of 332 2952 Ikfmfi32.exe 36 PID 332 wrote to memory of 644 332 Iapebchh.exe 37 PID 332 wrote to memory of 644 332 Iapebchh.exe 37 PID 332 wrote to memory of 644 332 Iapebchh.exe 37 PID 332 wrote to memory of 644 332 Iapebchh.exe 37 PID 644 wrote to memory of 2008 644 Idnaoohk.exe 38 PID 644 wrote to memory of 2008 644 Idnaoohk.exe 38 PID 644 wrote to memory of 2008 644 Idnaoohk.exe 38 PID 644 wrote to memory of 2008 644 Idnaoohk.exe 38 PID 2008 wrote to memory of 2276 2008 Ikhjki32.exe 39 PID 2008 wrote to memory of 2276 2008 Ikhjki32.exe 39 PID 2008 wrote to memory of 2276 2008 Ikhjki32.exe 39 PID 2008 wrote to memory of 2276 2008 Ikhjki32.exe 39 PID 2276 wrote to memory of 1704 2276 Jnffgd32.exe 40 PID 2276 wrote to memory of 1704 2276 Jnffgd32.exe 40 PID 2276 wrote to memory of 1704 2276 Jnffgd32.exe 40 PID 2276 wrote to memory of 1704 2276 Jnffgd32.exe 40 PID 1704 wrote to memory of 620 1704 Jdpndnei.exe 41 PID 1704 wrote to memory of 620 1704 Jdpndnei.exe 41 PID 1704 wrote to memory of 620 1704 Jdpndnei.exe 41 PID 1704 wrote to memory of 620 1704 Jdpndnei.exe 41 PID 620 wrote to memory of 1948 620 Jgojpjem.exe 42 PID 620 wrote to memory of 1948 620 Jgojpjem.exe 42 PID 620 wrote to memory of 1948 620 Jgojpjem.exe 42 PID 620 wrote to memory of 1948 620 Jgojpjem.exe 42 PID 1948 wrote to memory of 1756 1948 Jnicmdli.exe 43 PID 1948 wrote to memory of 1756 1948 Jnicmdli.exe 43 PID 1948 wrote to memory of 1756 1948 Jnicmdli.exe 43 PID 1948 wrote to memory of 1756 1948 Jnicmdli.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe"C:\Users\Admin\AppData\Local\Temp\a55dea35f706a92013175074e2b52f6c1e5680368718d8195e253c54e87f1f44.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Jdpndnei.exeC:\Windows\system32\Jdpndnei.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Jbgkcb32.exeC:\Windows\system32\Jbgkcb32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Jdehon32.exeC:\Windows\system32\Jdehon32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Jfiale32.exeC:\Windows\system32\Jfiale32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Kmefooki.exeC:\Windows\system32\Kmefooki.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe33⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Kmgbdo32.exeC:\Windows\system32\Kmgbdo32.exe34⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Kfpgmdog.exeC:\Windows\system32\Kfpgmdog.exe36⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Kklpekno.exeC:\Windows\system32\Kklpekno.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Knklagmb.exeC:\Windows\system32\Knklagmb.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\Kfbcbd32.exeC:\Windows\system32\Kfbcbd32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Kiqpop32.exeC:\Windows\system32\Kiqpop32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Kbidgeci.exeC:\Windows\system32\Kbidgeci.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe45⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Leimip32.exeC:\Windows\system32\Leimip32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe50⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\Lfmffhde.exeC:\Windows\system32\Lfmffhde.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:496 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe59⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Lbiqfied.exeC:\Windows\system32\Lbiqfied.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:340 -
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe64⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1296 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe67⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe68⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe71⤵PID:924
-
C:\Windows\SysWOW64\Mapjmehi.exeC:\Windows\system32\Mapjmehi.exe72⤵PID:1192
-
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe74⤵
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe75⤵
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe78⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Mhloponc.exeC:\Windows\system32\Mhloponc.exe79⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe80⤵PID:2660
-
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe81⤵PID:536
-
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe82⤵
- System Location Discovery: System Language Discovery
PID:692 -
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe83⤵
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe84⤵PID:1720
-
C:\Windows\SysWOW64\Mkmhaj32.exeC:\Windows\system32\Mkmhaj32.exe85⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Mmldme32.exeC:\Windows\system32\Mmldme32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe87⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe88⤵
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe90⤵PID:836
-
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe91⤵
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe92⤵
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Ndhipoob.exeC:\Windows\system32\Ndhipoob.exe93⤵PID:2364
-
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe95⤵PID:2748
-
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe96⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Nlcnda32.exeC:\Windows\system32\Nlcnda32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\Ngibaj32.exeC:\Windows\system32\Ngibaj32.exe99⤵PID:1040
-
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1976 -
C:\Windows\SysWOW64\Nigome32.exeC:\Windows\system32\Nigome32.exe101⤵PID:2272
-
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe102⤵PID:1788
-
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe103⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe104⤵PID:2888
-
C:\Windows\SysWOW64\Nenobfak.exeC:\Windows\system32\Nenobfak.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1088 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe106⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe107⤵PID:2380
-
C:\Windows\SysWOW64\Ncbplk32.exeC:\Windows\system32\Ncbplk32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012 -
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe109⤵PID:3048
-
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe111⤵
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe112⤵
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Oagmmgdm.exeC:\Windows\system32\Oagmmgdm.exe113⤵PID:1844
-
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Ohaeia32.exeC:\Windows\system32\Ohaeia32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe116⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Oeeecekc.exeC:\Windows\system32\Oeeecekc.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Ohcaoajg.exeC:\Windows\system32\Ohcaoajg.exe118⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Okanklik.exeC:\Windows\system32\Okanklik.exe119⤵
- System Location Discovery: System Language Discovery
PID:636 -
C:\Windows\SysWOW64\Onpjghhn.exeC:\Windows\system32\Onpjghhn.exe120⤵PID:1520
-
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe121⤵
- System Location Discovery: System Language Discovery
PID:3008
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-