Analysis
max time kernel: 59s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/09/2024, 11:10
Static task: static1
Behavioral task: behavioral1
  Sample: 7603f090a40d065b1ff21f2b03af1ef0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7603f090a40d065b1ff21f2b03af1ef0N.exe
  Resource: win10v2004-20240802-en
General
Target: 7603f090a40d065b1ff21f2b03af1ef0N.exe
Size: 64KB
MD5: 7603f090a40d065b1ff21f2b03af1ef0
SHA1: 039f836b3d3d227beffd5e51b7efdb6a41292867
SHA256: d0d3b471927a30d5630e4bc3ddc821aafc3f57349e67cfcc4229148f0c30c486
SHA512: 172ae2969a5e9bccfba66e430b925894511f84313caf0b1ce2875bbf9dc1ce933496f2ce299cdce4db1ad3d956ae3276269814536aed2b147cb238ca9681886f
SSDEEP: 1536:fvtOLUoQ4dnqsJRltW/8A2H0SJe2Gvl0WYE8Rm0Z:dOgv4dnqs7ltWkHH0S1GvlfY/m0Z
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 5080, pid_target: 5060, Process: WerFault.exe, procid_target: 378
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1424 wrote to memory of 2480 1424 7603f090a40d065b1ff21f2b03af1ef0N.exe 29
PID 1424 wrote to memory of 2480 1424 7603f090a40d065b1ff21f2b03af1ef0N.exe 29
PID 1424 wrote to memory of 2480 1424 7603f090a40d065b1ff21f2b03af1ef0N.exe 29
PID 1424 wrote to memory of 2480 1424 7603f090a40d065b1ff21f2b03af1ef0N.exe 29
PID 2480 wrote to memory of 2916 2480 Popkeh32.exe 30
PID 2480 wrote to memory of 2916 2480 Popkeh32.exe 30
PID 2480 wrote to memory of 2916 2480 Popkeh32.exe 30
PID 2480 wrote to memory of 2916 2480 Popkeh32.exe 30
PID 2916 wrote to memory of 2116 2916 Phhonn32.exe 31
PID 2916 wrote to memory of 2116 2916 Phhonn32.exe 31
PID 2916 wrote to memory of 2116 2916 Phhonn32.exe 31
PID 2916 wrote to memory of 2116 2916 Phhonn32.exe 31
PID 2116 wrote to memory of 2080 2116 Pihlhagn.exe 32
PID 2116 wrote to memory of 2080 2116 Pihlhagn.exe 32
PID 2116 wrote to memory of 2080 2116 Pihlhagn.exe 32
PID 2116 wrote to memory of 2080 2116 Pihlhagn.exe 32
PID 2080 wrote to memory of 2628 2080 Peolmb32.exe 33
PID 2080 wrote to memory of 2628 2080 Peolmb32.exe 33
PID 2080 wrote to memory of 2628 2080 Peolmb32.exe 33
PID 2080 wrote to memory of 2628 2080 Peolmb32.exe 33
PID 2628 wrote to memory of 1708 2628 Pgbejj32.exe 34
PID 2628 wrote to memory of 1708 2628 Pgbejj32.exe 34
PID 2628 wrote to memory of 1708 2628 Pgbejj32.exe 34
PID 2628 wrote to memory of 1708 2628 Pgbejj32.exe 34
PID 1708 wrote to memory of 2856 1708 Qnoklc32.exe 35
PID 1708 wrote to memory of 2856 1708 Qnoklc32.exe 35
PID 1708 wrote to memory of 2856 1708 Qnoklc32.exe 35
PID 1708 wrote to memory of 2856 1708 Qnoklc32.exe 35
PID 2856 wrote to memory of 2392 2856 Qnagbc32.exe 36
PID 2856 wrote to memory of 2392 2856 Qnagbc32.exe 36
PID 2856 wrote to memory of 2392 2856 Qnagbc32.exe 36
PID 2856 wrote to memory of 2392 2856 Qnagbc32.exe 36
PID 2392 wrote to memory of 2524 2392 Ancdgcab.exe 37
PID 2392 wrote to memory of 2524 2392 Ancdgcab.exe 37
PID 2392 wrote to memory of 2524 2392 Ancdgcab.exe 37
PID 2392 wrote to memory of 2524 2392 Ancdgcab.exe 37
PID 2524 wrote to memory of 2816 2524 Aenileon.exe 38
PID 2524 wrote to memory of 2816 2524 Aenileon.exe 38
PID 2524 wrote to memory of 2816 2524 Aenileon.exe 38
PID 2524 wrote to memory of 2816 2524 Aenileon.exe 38
PID 2816 wrote to memory of 1624 2816 Afqeaemk.exe 39
PID 2816 wrote to memory of 1624 2816 Afqeaemk.exe 39
PID 2816 wrote to memory of 1624 2816 Afqeaemk.exe 39
PID 2816 wrote to memory of 1624 2816 Afqeaemk.exe 39
PID 1624 wrote to memory of 928 1624 Aknnil32.exe 40
PID 1624 wrote to memory of 928 1624 Aknnil32.exe 40
PID 1624 wrote to memory of 928 1624 Aknnil32.exe 40
PID 1624 wrote to memory of 928 1624 Aknnil32.exe 40
PID 928 wrote to memory of 3048 928 Bnqcaffa.exe 41
PID 928 wrote to memory of 3048 928 Bnqcaffa.exe 41
PID 928 wrote to memory of 3048 928 Bnqcaffa.exe 41
PID 928 wrote to memory of 3048 928 Bnqcaffa.exe 41
PID 3048 wrote to memory of 2592 3048 Bbolge32.exe 42
PID 3048 wrote to memory of 2592 3048 Bbolge32.exe 42
PID 3048 wrote to memory of 2592 3048 Bbolge32.exe 42
PID 3048 wrote to memory of 2592 3048 Bbolge32.exe 42
PID 2592 wrote to memory of 1828 2592 Bqciha32.exe 43
PID 2592 wrote to memory of 1828 2592 Bqciha32.exe 43
PID 2592 wrote to memory of 1828 2592 Bqciha32.exe 43
PID 2592 wrote to memory of 1828 2592 Bqciha32.exe 43
PID 1828 wrote to memory of 1492 1828 Bmjjmbgc.exe 44
PID 1828 wrote to memory of 1492 1828 Bmjjmbgc.exe 44
PID 1828 wrote to memory of 1492 1828 Bmjjmbgc.exe 44
PID 1828 wrote to memory of 1492 1828 Bmjjmbgc.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\7603f090a40d065b1ff21f2b03af1ef0N.exe"C:\Users\Admin\AppData\Local\Temp\7603f090a40d065b1ff21f2b03af1ef0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Phhonn32.exeC:\Windows\system32\Phhonn32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Qnoklc32.exeC:\Windows\system32\Qnoklc32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Aenileon.exeC:\Windows\system32\Aenileon.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Aknnil32.exeC:\Windows\system32\Aknnil32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Bnqcaffa.exeC:\Windows\system32\Bnqcaffa.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Bmjjmbgc.exeC:\Windows\system32\Bmjjmbgc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Cjqglf32.exeC:\Windows\system32\Cjqglf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Cifdmbib.exeC:\Windows\system32\Cifdmbib.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Cbnhfhoc.exeC:\Windows\system32\Cbnhfhoc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Cbqekhmp.exeC:\Windows\system32\Cbqekhmp.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Ckijdm32.exeC:\Windows\system32\Ckijdm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Cgpjin32.exeC:\Windows\system32\Cgpjin32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Dahobdpe.exeC:\Windows\system32\Dahobdpe.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Dmopge32.exeC:\Windows\system32\Dmopge32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Dhdddnep.exeC:\Windows\system32\Dhdddnep.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Dpphipbk.exeC:\Windows\system32\Dpphipbk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Dfjaej32.exeC:\Windows\system32\Dfjaej32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Dijjgegh.exeC:\Windows\system32\Dijjgegh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Dimfmeef.exeC:\Windows\system32\Dimfmeef.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Eojoelcm.exeC:\Windows\system32\Eojoelcm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Eiocbd32.exeC:\Windows\system32\Eiocbd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Eamdlf32.exeC:\Windows\system32\Eamdlf32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe34⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Epdncb32.exeC:\Windows\system32\Epdncb32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Fmholgpj.exeC:\Windows\system32\Fmholgpj.exe36⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Flkohc32.exeC:\Windows\system32\Flkohc32.exe37⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Fiopah32.exeC:\Windows\system32\Fiopah32.exe38⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Fpkdca32.exeC:\Windows\system32\Fpkdca32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Falakjag.exeC:\Windows\system32\Falakjag.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe41⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Gacgli32.exeC:\Windows\system32\Gacgli32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Ggbljogc.exeC:\Windows\system32\Ggbljogc.exe43⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Gfhikl32.exeC:\Windows\system32\Gfhikl32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Gmbagf32.exeC:\Windows\system32\Gmbagf32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\Hqpjndio.exeC:\Windows\system32\Hqpjndio.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Hcqcoo32.exeC:\Windows\system32\Hcqcoo32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Hfookk32.exeC:\Windows\system32\Hfookk32.exe48⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Hmighemp.exeC:\Windows\system32\Hmighemp.exe49⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Hiphmf32.exeC:\Windows\system32\Hiphmf32.exe50⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Hbhmfk32.exeC:\Windows\system32\Hbhmfk32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Hgeenb32.exeC:\Windows\system32\Hgeenb32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Hnomkloi.exeC:\Windows\system32\Hnomkloi.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Iclfccmq.exeC:\Windows\system32\Iclfccmq.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Ikbndqnc.exeC:\Windows\system32\Ikbndqnc.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Iekbmfdc.exeC:\Windows\system32\Iekbmfdc.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Ifloeo32.exeC:\Windows\system32\Ifloeo32.exe57⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Iabcbg32.exeC:\Windows\system32\Iabcbg32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ifoljn32.exeC:\Windows\system32\Ifoljn32.exe59⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Iadphghe.exeC:\Windows\system32\Iadphghe.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Ibeloo32.exeC:\Windows\system32\Ibeloo32.exe61⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ilnqhddd.exeC:\Windows\system32\Ilnqhddd.exe62⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Ibhieo32.exeC:\Windows\system32\Ibhieo32.exe63⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Jmmmbg32.exeC:\Windows\system32\Jmmmbg32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Jnojjp32.exeC:\Windows\system32\Jnojjp32.exe65⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Jehbfjia.exeC:\Windows\system32\Jehbfjia.exe66⤵
PID:1960 -
C:\Windows\SysWOW64\Jlbjcd32.exeC:\Windows\system32\Jlbjcd32.exe67⤵
PID:2072 -
C:\Windows\SysWOW64\Jhikhefb.exeC:\Windows\system32\Jhikhefb.exe68⤵
PID:3064 -
C:\Windows\SysWOW64\Jdplmflg.exeC:\Windows\system32\Jdplmflg.exe69⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Joepjokm.exeC:\Windows\system32\Joepjokm.exe70⤵
PID:1500 -
C:\Windows\SysWOW64\Jephgi32.exeC:\Windows\system32\Jephgi32.exe71⤵
PID:1368 -
C:\Windows\SysWOW64\Jjlqpp32.exeC:\Windows\system32\Jjlqpp32.exe72⤵
PID:2304 -
C:\Windows\SysWOW64\Jafilj32.exeC:\Windows\system32\Jafilj32.exe73⤵
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Kfcadq32.exeC:\Windows\system32\Kfcadq32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1632 -
C:\Windows\SysWOW64\Kaieai32.exeC:\Windows\system32\Kaieai32.exe75⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Kdgane32.exeC:\Windows\system32\Kdgane32.exe76⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Klbfbg32.exeC:\Windows\system32\Klbfbg32.exe77⤵
PID:1700 -
C:\Windows\SysWOW64\Kekkkm32.exeC:\Windows\system32\Kekkkm32.exe78⤵
- Modifies registry class
PID:972 -
C:\Windows\SysWOW64\Kmbclj32.exeC:\Windows\system32\Kmbclj32.exe79⤵
PID:2968 -
C:\Windows\SysWOW64\Kocodbpk.exeC:\Windows\system32\Kocodbpk.exe80⤵
PID:856 -
C:\Windows\SysWOW64\Kemgqm32.exeC:\Windows\system32\Kemgqm32.exe81⤵
PID:2232 -
C:\Windows\SysWOW64\Klgpmgod.exeC:\Windows\system32\Klgpmgod.exe82⤵
PID:680 -
C:\Windows\SysWOW64\Kadhen32.exeC:\Windows\system32\Kadhen32.exe83⤵
PID:1312 -
C:\Windows\SysWOW64\Klimcf32.exeC:\Windows\system32\Klimcf32.exe84⤵
PID:1904 -
C:\Windows\SysWOW64\Lccepqdo.exeC:\Windows\system32\Lccepqdo.exe85⤵
PID:1704 -
C:\Windows\SysWOW64\Lddagi32.exeC:\Windows\system32\Lddagi32.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Lnmfpnqn.exeC:\Windows\system32\Lnmfpnqn.exe87⤵
PID:1504 -
C:\Windows\SysWOW64\Lhbjmg32.exeC:\Windows\system32\Lhbjmg32.exe88⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Lolbjahp.exeC:\Windows\system32\Lolbjahp.exe89⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Laknfmgd.exeC:\Windows\system32\Laknfmgd.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Lhegcg32.exeC:\Windows\system32\Lhegcg32.exe91⤵
PID:2904 -
C:\Windows\SysWOW64\Lppkgi32.exeC:\Windows\system32\Lppkgi32.exe92⤵
PID:2140 -
C:\Windows\SysWOW64\Lgjcdc32.exeC:\Windows\system32\Lgjcdc32.exe93⤵
PID:2548 -
C:\Windows\SysWOW64\Lndlamke.exeC:\Windows\system32\Lndlamke.exe94⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Ldndng32.exeC:\Windows\system32\Ldndng32.exe95⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Mnfhfmhc.exeC:\Windows\system32\Mnfhfmhc.exe96⤵
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Mogene32.exeC:\Windows\system32\Mogene32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Mgomoboc.exeC:\Windows\system32\Mgomoboc.exe98⤵
PID:2168 -
C:\Windows\SysWOW64\Mlkegimk.exeC:\Windows\system32\Mlkegimk.exe99⤵
PID:1168 -
C:\Windows\SysWOW64\Mfdjpo32.exeC:\Windows\system32\Mfdjpo32.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Mkqbhf32.exeC:\Windows\system32\Mkqbhf32.exe101⤵
PID:1948 -
C:\Windows\SysWOW64\Mffgfo32.exeC:\Windows\system32\Mffgfo32.exe102⤵
PID:576 -
C:\Windows\SysWOW64\Mmpobi32.exeC:\Windows\system32\Mmpobi32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Mfhcknpf.exeC:\Windows\system32\Mfhcknpf.exe104⤵
PID:2820 -
C:\Windows\SysWOW64\Mkelcenm.exeC:\Windows\system32\Mkelcenm.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Nqbdllld.exeC:\Windows\system32\Nqbdllld.exe106⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Njjieace.exeC:\Windows\system32\Njjieace.exe107⤵
PID:3004 -
C:\Windows\SysWOW64\Ndpmbjbk.exeC:\Windows\system32\Ndpmbjbk.exe108⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Nkjeod32.exeC:\Windows\system32\Nkjeod32.exe109⤵
PID:1204 -
C:\Windows\SysWOW64\Nqgngk32.exeC:\Windows\system32\Nqgngk32.exe110⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Nfcfob32.exeC:\Windows\system32\Nfcfob32.exe111⤵
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Nqijmkfm.exeC:\Windows\system32\Nqijmkfm.exe112⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Nffcebdd.exeC:\Windows\system32\Nffcebdd.exe113⤵
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Npngng32.exeC:\Windows\system32\Npngng32.exe114⤵
PID:2740 -
C:\Windows\SysWOW64\Nbmcjc32.exeC:\Windows\system32\Nbmcjc32.exe115⤵
PID:2800 -
C:\Windows\SysWOW64\Olehbh32.exeC:\Windows\system32\Olehbh32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Ofklpa32.exeC:\Windows\system32\Ofklpa32.exe117⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe118⤵
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Oepianef.exeC:\Windows\system32\Oepianef.exe119⤵
PID:3056 -
C:\Windows\SysWOW64\Opennf32.exeC:\Windows\system32\Opennf32.exe120⤵
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Oebffm32.exeC:\Windows\system32\Oebffm32.exe121⤵
PID:652 -
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324