Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
05/09/2024, 00:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
033011ce620a1bc4d5b52f902bc51510N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
033011ce620a1bc4d5b52f902bc51510N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
033011ce620a1bc4d5b52f902bc51510N.exe
-
Size
265KB
-
MD5
033011ce620a1bc4d5b52f902bc51510
-
SHA1
c6c001e2e6c0426a78ddd9ea31b524b018fda4bd
-
SHA256
5ac6e8633506a289d91bb30c99c23cad095d6be6679fd8f023747eb9a330ac1f
-
SHA512
a1ea7add248c985bfe27fd3e15ae79511ac9eb63a50e426350d6d9409739e78616cefd2e42625cfda06a9d30c2da32499aee7d57769b3bcf685773deb2763119
-
SSDEEP
6144:16tX+Y5bGBhATLp103ETiZ0moGP/2dga1mcyw7I:16tObYpScXwuR1mK7
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgqocoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffbdadk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbmcibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cinafkkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfahomfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akabgebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhjopbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lohccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkoicb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhbold32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlcibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpbdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acfmcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecbhdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hblgnkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjann32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmpbdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjhcegll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpigma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohncbdbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffodjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lclicpkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcachc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkjdndjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqbbagjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omklkkpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bigkel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghdgfbkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqbbagjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oippjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opihgfop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjccb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjphcff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qppkfhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmpkqklh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imahkg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2972 Elipgofb.exe 320 Ecbhdi32.exe 2764 Eecafd32.exe 2892 Fjegog32.exe 2956 Fjhcegll.exe 2804 Ffodjh32.exe 2688 Fhomkcoa.exe 2292 Gjojef32.exe 1732 Ghdgfbkl.exe 2836 Gifclb32.exe 1992 Gkephn32.exe 1864 Gepafc32.exe 2096 Hcdnhoac.exe 2596 Hfegij32.exe 1756 Hblgnkdh.exe 1064 Hcldhnkk.exe 380 Ihniaa32.exe 1620 Idgglb32.exe 1296 Ijqoilii.exe 3060 Ijclol32.exe 2444 Imahkg32.exe 2544 Jpbalb32.exe 2448 Jbqmhnbo.exe 2720 Jeafjiop.exe 288 Jlkngc32.exe 484 Jhbold32.exe 2296 Jpigma32.exe 2936 Jondnnbk.exe 2752 Kkeecogo.exe 3008 Koaqcn32.exe 2640 Kncaojfb.exe 1124 Kaajei32.exe 680 Kgqocoin.exe 2736 Kjokokha.exe 2864 Knkgpi32.exe 2880 Kpicle32.exe 1944 Lclicpkm.exe 1672 Lfkeokjp.exe 1700 Lhiakf32.exe 2364 Lcofio32.exe 2828 Lkjjma32.exe 700 Ldbofgme.exe 1092 Lohccp32.exe 1636 Lbfook32.exe 1468 Lgchgb32.exe 596 Mbhlek32.exe 1876 Mcjhmcok.exe 2476 Mdiefffn.exe 896 Mfjann32.exe 1520 Mjhjdm32.exe 2332 Mqbbagjo.exe 2932 Mfokinhf.exe 2672 Mimgeigj.exe 2632 Nfahomfd.exe 2712 Nedhjj32.exe 2340 Nlnpgd32.exe 1256 Nnmlcp32.exe 2024 Nbhhdnlh.exe 1948 Nbjeinje.exe 2496 Nidmfh32.exe 3056 Nlcibc32.exe 1032 Njfjnpgp.exe 2200 Nbmaon32.exe 2212 Napbjjom.exe -
Loads dropped DLL 64 IoCs
pid Process 1644 033011ce620a1bc4d5b52f902bc51510N.exe 1644 033011ce620a1bc4d5b52f902bc51510N.exe 2972 Elipgofb.exe 2972 Elipgofb.exe 320 Ecbhdi32.exe 320 Ecbhdi32.exe 2764 Eecafd32.exe 2764 Eecafd32.exe 2892 Fjegog32.exe 2892 Fjegog32.exe 2956 Fjhcegll.exe 2956 Fjhcegll.exe 2804 Ffodjh32.exe 2804 Ffodjh32.exe 2688 Fhomkcoa.exe 2688 Fhomkcoa.exe 2292 Gjojef32.exe 2292 Gjojef32.exe 1732 Ghdgfbkl.exe 1732 Ghdgfbkl.exe 2836 Gifclb32.exe 2836 Gifclb32.exe 1992 Gkephn32.exe 1992 Gkephn32.exe 1864 Gepafc32.exe 1864 Gepafc32.exe 2096 Hcdnhoac.exe 2096 Hcdnhoac.exe 2596 Hfegij32.exe 2596 Hfegij32.exe 1756 Hblgnkdh.exe 1756 Hblgnkdh.exe 1064 Hcldhnkk.exe 1064 Hcldhnkk.exe 380 Ihniaa32.exe 380 Ihniaa32.exe 1620 Idgglb32.exe 1620 Idgglb32.exe 1296 Ijqoilii.exe 1296 Ijqoilii.exe 3060 Ijclol32.exe 3060 Ijclol32.exe 2444 Imahkg32.exe 2444 Imahkg32.exe 2544 Jpbalb32.exe 2544 Jpbalb32.exe 2448 Jbqmhnbo.exe 2448 Jbqmhnbo.exe 2720 Jeafjiop.exe 2720 Jeafjiop.exe 288 Jlkngc32.exe 288 Jlkngc32.exe 484 Jhbold32.exe 484 Jhbold32.exe 2296 Jpigma32.exe 2296 Jpigma32.exe 2936 Jondnnbk.exe 2936 Jondnnbk.exe 2752 Kkeecogo.exe 2752 Kkeecogo.exe 3008 Koaqcn32.exe 3008 Koaqcn32.exe 2640 Kncaojfb.exe 2640 Kncaojfb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bbbpenco.exe Bnfddp32.exe File opened for modification C:\Windows\SysWOW64\Ckjamgmk.exe Cileqlmg.exe File created C:\Windows\SysWOW64\Hfdoodan.dll Jbqmhnbo.exe File created C:\Windows\SysWOW64\Pdlmgo32.dll Mjhjdm32.exe File opened for modification C:\Windows\SysWOW64\Ofhjopbg.exe Obmnna32.exe File opened for modification C:\Windows\SysWOW64\Cbblda32.exe Ckhdggom.exe File created C:\Windows\SysWOW64\Hfjckino.dll Jpbalb32.exe File created C:\Windows\SysWOW64\Gfikmo32.dll Bffbdadk.exe File created C:\Windows\SysWOW64\Ccmpce32.exe Coacbfii.exe File created C:\Windows\SysWOW64\Jcfnin32.dll Hcdnhoac.exe File created C:\Windows\SysWOW64\Bmpkqklh.exe Bjbndpmd.exe File opened for modification C:\Windows\SysWOW64\Cileqlmg.exe Cbblda32.exe File created C:\Windows\SysWOW64\Oeopijom.dll Cinafkkd.exe File created C:\Windows\SysWOW64\Kqojbd32.dll Hfegij32.exe File created C:\Windows\SysWOW64\Bjbndpmd.exe Bffbdadk.exe File created C:\Windows\SysWOW64\Abpcooea.exe Aoagccfn.exe File created C:\Windows\SysWOW64\Pijjilik.dll Bjbndpmd.exe File created C:\Windows\SysWOW64\Cbpdaj32.dll Fjhcegll.exe File opened for modification C:\Windows\SysWOW64\Ppnnai32.exe Pmpbdm32.exe File opened for modification C:\Windows\SysWOW64\Ahebaiac.exe Aakjdo32.exe File created C:\Windows\SysWOW64\Pbjdnlob.dll Imahkg32.exe File created C:\Windows\SysWOW64\Gchfle32.dll Jeafjiop.exe File opened for modification C:\Windows\SysWOW64\Koaqcn32.exe Kkeecogo.exe File created C:\Windows\SysWOW64\Pepcelel.exe Pkjphcff.exe File created C:\Windows\SysWOW64\Bffbdadk.exe Bmnnkl32.exe File created C:\Windows\SysWOW64\Olebgfao.exe Ohiffh32.exe File created C:\Windows\SysWOW64\Jendoajo.dll Aakjdo32.exe File created C:\Windows\SysWOW64\Kmapmi32.dll Bgllgedi.exe File created C:\Windows\SysWOW64\Ciffggmh.dll Mdiefffn.exe File opened for modification C:\Windows\SysWOW64\Bjpaop32.exe Bceibfgj.exe File opened for modification C:\Windows\SysWOW64\Jbqmhnbo.exe Jpbalb32.exe File created C:\Windows\SysWOW64\Jpigma32.exe Jhbold32.exe File opened for modification C:\Windows\SysWOW64\Lohccp32.exe Ldbofgme.exe File created C:\Windows\SysWOW64\Doempm32.dll Kkeecogo.exe File created C:\Windows\SysWOW64\Bigkel32.exe Bbmcibjp.exe File created C:\Windows\SysWOW64\Pghfnc32.exe Ppnnai32.exe File opened for modification C:\Windows\SysWOW64\Qppkfhlc.exe Pghfnc32.exe File opened for modification C:\Windows\SysWOW64\Ghdgfbkl.exe Gjojef32.exe File opened for modification C:\Windows\SysWOW64\Gepafc32.exe Gkephn32.exe File created C:\Windows\SysWOW64\Moohhbcf.dll Njfjnpgp.exe File opened for modification C:\Windows\SysWOW64\Kgqocoin.exe Kaajei32.exe File opened for modification C:\Windows\SysWOW64\Mfokinhf.exe Mqbbagjo.exe File created C:\Windows\SysWOW64\Calcpm32.exe Cgcnghpl.exe File created C:\Windows\SysWOW64\Ohncbdbd.exe Oadkej32.exe File opened for modification C:\Windows\SysWOW64\Oplelf32.exe Omnipjni.exe File created C:\Windows\SysWOW64\Bgllgedi.exe Abpcooea.exe File created C:\Windows\SysWOW64\Ednoihel.dll Ckhdggom.exe File created C:\Windows\SysWOW64\Ldbofgme.exe Lkjjma32.exe File opened for modification C:\Windows\SysWOW64\Mbhlek32.exe Lgchgb32.exe File created C:\Windows\SysWOW64\Qoblpdnf.dll Ahebaiac.exe File opened for modification C:\Windows\SysWOW64\Bmnnkl32.exe Bjpaop32.exe File created C:\Windows\SysWOW64\Moanlj32.dll Ecbhdi32.exe File created C:\Windows\SysWOW64\Jondnnbk.exe Jpigma32.exe File created C:\Windows\SysWOW64\Mjhjdm32.exe Mfjann32.exe File created C:\Windows\SysWOW64\Mcjhmcok.exe Mbhlek32.exe File created C:\Windows\SysWOW64\Ljamki32.dll Qcachc32.exe File opened for modification C:\Windows\SysWOW64\Bmlael32.exe Bkjdndjo.exe File created C:\Windows\SysWOW64\Kbdjfk32.dll Pghfnc32.exe File created C:\Windows\SysWOW64\Nabopjmj.exe Njhfcp32.exe File opened for modification C:\Windows\SysWOW64\Ccmpce32.exe Coacbfii.exe File created C:\Windows\SysWOW64\Kcnfobob.dll Lohccp32.exe File created C:\Windows\SysWOW64\Fhomkcoa.exe Ffodjh32.exe File created C:\Windows\SysWOW64\Doohmk32.dll Fhomkcoa.exe File created C:\Windows\SysWOW64\Qchaehnb.dll Lhiakf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1988 1660 WerFault.exe 178 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqbbagjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cinafkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfkmgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagienkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmcibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 033011ce620a1bc4d5b52f902bc51510N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepafc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdiefffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phqmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeppdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjklenpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahebaiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgllgedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcldhnkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calcpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jondnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olebgfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnpagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihniaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabopjmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmnnkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffodjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfokinhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjphcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkaehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qndkpmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenljmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeecogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpicle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjeinje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oippjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepcelel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhcegll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhomkcoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkngc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoagccfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmpce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaajei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcofio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eecafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll" Alqnah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll" Qjklenpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecinnn32.dll" Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckhdggom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imahkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdoodan.dll" Jbqmhnbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lohccp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicapn32.dll" 033011ce620a1bc4d5b52f902bc51510N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgibphb.dll" Ijclol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeeheknp.dll" Nedhjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpbalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaokcb32.dll" Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqbbagjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlnpgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlcibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oeindm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll" Coacbfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpicle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhjjgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppnnai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aakjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbbpenco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 033011ce620a1bc4d5b52f902bc51510N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kncaojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldbofgme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmmeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijclol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll" Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" Ceebklai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 033011ce620a1bc4d5b52f902bc51510N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Napbjjom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbmcibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nidmfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oococb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffgkhmc.dll" Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll" Bjbndpmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdgmlhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbbpenco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijclol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchaehnb.dll" Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dombicdm.dll" Obmnna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aakjdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbjeinje.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1644 wrote to memory of 2972 1644 033011ce620a1bc4d5b52f902bc51510N.exe 30 PID 1644 wrote to memory of 2972 1644 033011ce620a1bc4d5b52f902bc51510N.exe 30 PID 1644 wrote to memory of 2972 1644 033011ce620a1bc4d5b52f902bc51510N.exe 30 PID 1644 wrote to memory of 2972 1644 033011ce620a1bc4d5b52f902bc51510N.exe 30 PID 2972 wrote to memory of 320 2972 Elipgofb.exe 31 PID 2972 wrote to memory of 320 2972 Elipgofb.exe 31 PID 2972 wrote to memory of 320 2972 Elipgofb.exe 31 PID 2972 wrote to memory of 320 2972 Elipgofb.exe 31 PID 320 wrote to memory of 2764 320 Ecbhdi32.exe 32 PID 320 wrote to memory of 2764 320 Ecbhdi32.exe 32 PID 320 wrote to memory of 2764 320 Ecbhdi32.exe 32 PID 320 wrote to memory of 2764 320 Ecbhdi32.exe 32 PID 2764 wrote to memory of 2892 2764 Eecafd32.exe 33 PID 2764 wrote to memory of 2892 2764 Eecafd32.exe 33 PID 2764 wrote to memory of 2892 2764 Eecafd32.exe 33 PID 2764 wrote to memory of 2892 2764 Eecafd32.exe 33 PID 2892 wrote to memory of 2956 2892 Fjegog32.exe 34 PID 2892 wrote to memory of 2956 2892 Fjegog32.exe 34 PID 2892 wrote to memory of 2956 2892 Fjegog32.exe 34 PID 2892 wrote to memory of 2956 2892 Fjegog32.exe 34 PID 2956 wrote to memory of 2804 2956 Fjhcegll.exe 35 PID 2956 wrote to memory of 2804 2956 Fjhcegll.exe 35 PID 2956 wrote to memory of 2804 2956 Fjhcegll.exe 35 PID 2956 wrote to memory of 2804 2956 Fjhcegll.exe 35 PID 2804 wrote to memory of 2688 2804 Ffodjh32.exe 36 PID 2804 wrote to memory of 2688 2804 Ffodjh32.exe 36 PID 2804 wrote to memory of 2688 2804 Ffodjh32.exe 36 PID 2804 wrote to memory of 2688 2804 Ffodjh32.exe 36 PID 2688 wrote to memory of 2292 2688 Fhomkcoa.exe 37 PID 2688 wrote to memory of 2292 2688 Fhomkcoa.exe 37 PID 2688 wrote to memory of 2292 2688 Fhomkcoa.exe 37 PID 2688 wrote to memory of 2292 2688 Fhomkcoa.exe 37 PID 2292 wrote to memory of 1732 2292 Gjojef32.exe 38 PID 2292 wrote to memory of 1732 2292 Gjojef32.exe 38 PID 2292 wrote to memory of 1732 2292 Gjojef32.exe 38 PID 2292 wrote to memory of 1732 2292 Gjojef32.exe 38 PID 1732 wrote to memory of 2836 1732 Ghdgfbkl.exe 39 PID 1732 wrote to memory of 2836 1732 Ghdgfbkl.exe 39 PID 1732 wrote to memory of 2836 1732 Ghdgfbkl.exe 39 PID 1732 wrote to memory of 2836 1732 Ghdgfbkl.exe 39 PID 2836 wrote to memory of 1992 2836 Gifclb32.exe 40 PID 2836 wrote to memory of 1992 2836 Gifclb32.exe 40 PID 2836 wrote to memory of 1992 2836 Gifclb32.exe 40 PID 2836 wrote to memory of 1992 2836 Gifclb32.exe 40 PID 1992 wrote to memory of 1864 1992 Gkephn32.exe 41 PID 1992 wrote to memory of 1864 1992 Gkephn32.exe 41 PID 1992 wrote to memory of 1864 1992 Gkephn32.exe 41 PID 1992 wrote to memory of 1864 1992 Gkephn32.exe 41 PID 1864 wrote to memory of 2096 1864 Gepafc32.exe 42 PID 1864 wrote to memory of 2096 1864 Gepafc32.exe 42 PID 1864 wrote to memory of 2096 1864 Gepafc32.exe 42 PID 1864 wrote to memory of 2096 1864 Gepafc32.exe 42 PID 2096 wrote to memory of 2596 2096 Hcdnhoac.exe 43 PID 2096 wrote to memory of 2596 2096 Hcdnhoac.exe 43 PID 2096 wrote to memory of 2596 2096 Hcdnhoac.exe 43 PID 2096 wrote to memory of 2596 2096 Hcdnhoac.exe 43 PID 2596 wrote to memory of 1756 2596 Hfegij32.exe 44 PID 2596 wrote to memory of 1756 2596 Hfegij32.exe 44 PID 2596 wrote to memory of 1756 2596 Hfegij32.exe 44 PID 2596 wrote to memory of 1756 2596 Hfegij32.exe 44 PID 1756 wrote to memory of 1064 1756 Hblgnkdh.exe 45 PID 1756 wrote to memory of 1064 1756 Hblgnkdh.exe 45 PID 1756 wrote to memory of 1064 1756 Hblgnkdh.exe 45 PID 1756 wrote to memory of 1064 1756 Hblgnkdh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\033011ce620a1bc4d5b52f902bc51510N.exe"C:\Users\Admin\AppData\Local\Temp\033011ce620a1bc4d5b52f902bc51510N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:380 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:288 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:484 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1124 -
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe36⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe39⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe48⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe54⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe58⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Nbhhdnlh.exeC:\Windows\system32\Nbhhdnlh.exe59⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe66⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe68⤵
- System Location Discovery: System Language Discovery
PID:1424 -
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe70⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe71⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Oippjl32.exeC:\Windows\system32\Oippjl32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:604 -
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe76⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Omnipjni.exeC:\Windows\system32\Omnipjni.exe77⤵
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe79⤵
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe80⤵PID:1472
-
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe84⤵
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe85⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528 -
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe87⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe88⤵PID:2772
-
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe91⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe92⤵
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe93⤵
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe96⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe97⤵
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Ppnnai32.exeC:\Windows\system32\Ppnnai32.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe101⤵
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe104⤵
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe108⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556 -
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1556 -
C:\Windows\SysWOW64\Akabgebj.exeC:\Windows\system32\Akabgebj.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Ahebaiac.exeC:\Windows\system32\Ahebaiac.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe120⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Bbbpenco.exeC:\Windows\system32\Bbbpenco.exe121⤵
- Modifies registry class
PID:2280
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-