Analysis

max time kernel: 115s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/09/2024, 01:06
Static task: static1

Behavioral task: behavioral1
Sample: bb4aeeff4d6529be60bfa8907597bb30N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: bb4aeeff4d6529be60bfa8907597bb30N.exe
Resource: win10v2004-20240802-en
General

Target: bb4aeeff4d6529be60bfa8907597bb30N.exe
Size: 890KB
MD5: bb4aeeff4d6529be60bfa8907597bb30
SHA1: 886c05a33170e062ed9e37ea30607ee4f482b477
SHA256: b4861a9b6520f40be9c4fe313d95f0408c3ffacc3d2d8f2f8a2022840a7a4f4a
SHA512: 149d85937a888b0aa5a28018c323de0447e45cca1f4f23606a25562741bd243571f209b3cd269f6e1ce0f1cbee5b39ba84cd51acd8b06a43289517015cb00e0c
SSDEEP: 6144:4gDzA4FQoHUPPQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NRw:4qMa5/Ng1/Nmr/Ng1/Nblt01PBNkEG
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3316, pid_target: 3800, Process: WerFault.exe, procid_target: 594
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqgld32.dll" Pqodho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahhhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooncljom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmoogoho.dll" Fmmjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hegdinpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcmpkcpl.dll" Jmaedolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgjkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbpnfnf.dll" Mbadih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkoclqc.dll" Opempcpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoibgkno.dll" Ahnjefcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofaaghom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Lbeklf32.dll" Lbibla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egbaelej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnmmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebfqbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmgaj32.dll" Ghdfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loehdb32.dll" Kbjpqmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caeaoj32.dll" Eacnpoqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehobkikl.dll" Acabmpem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Labamcdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjoheb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjqlid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldioaiei.dll" Djdenoif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kehidp32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlmngobj.dll" Inhfmmfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqaigijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfanfg32.dll" Lekeak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kikcjdfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efkfbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maldcblg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqdong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfcjqkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cidklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmnoapba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miocfn32.dll" Eddgaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpanffhn.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phdden32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfeqgikk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gemham32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpepbkhk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafhafjm.dll" Laifbnho.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgklpnpf.dll" Daidojeh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogiqffhl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eghflc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ianjii32.dll" Oijnib32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkocgape.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gckfmc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpimfd32.dll" Mfepmd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohaqk32.dll" Kaojiqej.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolncpj.dll" Mmijmn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpijol32.dll" Aaqnmbdd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdnabo32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jegheghc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oimpppoj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plbbmjhf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcflbpnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdecniol.dll" Mpkehbjm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldhcjn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phiekdeo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfblqne.dll" Fbjeao32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbmnfajm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihmene32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldchff32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcomea32.dll" Mjdcofpe.exe
-
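Read together, the registry entries above describe one persistence mechanism that successive links of the chain keep rewriting: a ShellServiceObjectDelayLoad value named "Web Event Logger" points at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default value is pointed in turn at a freshly dropped DLL under C:\Windows\SysWow64\ (Aafhafjm.dll, Mgklpnpf.dll, Ianjii32.dll and so on), with a different dropped executable doing the write each time. Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad at logon, so whichever DLL the key names last is loaded into Explorer on the next start. The following Python is an added example, not code from the sandbox or this report, that parses the flattened signature text into one record per registry operation and links the SSODL value to the DLLs its CLSID was pointed at. The sample entries are copied from this report; the regular expressions assume the '<action> <path> [= "<data>"] <process>' layout shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: six entries copied from this report's registry signature
# tables, in the flattened '<action> <path> [= "<data>"] <process>' form the
# page shows. Backslashes inside quoted data are doubled, as in the report.
SAMPLE_REGISTRY = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiccbfoa.exe '
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehlbihg.exe '
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfeqgikk.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpepbkhk.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafhafjm.dll" Laifbnho.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgklpnpf.dll" Daidojeh.exe'
)

# One alternation per action. "Key created" entries carry only a key path and
# the writing process; "Set value (str)" entries carry <key>\<value> = "<data>".
ENTRY_RE = re.compile(
    r'Key created (?P<key>\\REGISTRY\\\S+) (?P<kproc>\S+?\.exe)(?=\s|$)'
    r'|Set value \(str\) (?P<path>\\REGISTRY\\.*?) = "(?P<data>[^"]*)" (?P<sproc>\S+?\.exe)(?=\s|$)'
)

# Standard registry-format GUID, as used for the CLSID key name.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_registry_entries(text):
    """Split the flattened signature text into one record per registry operation."""
    records = []
    for m in ENTRY_RE.finditer(text):
        if m.group("key") is not None:
            records.append({"action": "key_created", "key": m.group("key"),
                            "value": None, "data": None, "process": m.group("kproc")})
        else:
            # A trailing backslash means an empty value name, i.e. the key's (Default) value.
            key, _, value = m.group("path").rpartition("\\")
            records.append({"action": "set_value", "key": key,
                            "value": value or "(Default)",
                            "data": m.group("data").replace("\\\\", "\\"),
                            "process": m.group("sproc")})
    return records


def reconstruct_ssodl_persistence(records):
    """Map each ShellServiceObjectDelayLoad value to the CLSID it names and to every
    DLL that CLSID's InProcServer32 (Default) value was pointed at. Explorer.exe
    instantiates each SSODL CLSID at logon, so those DLLs are what it will load."""
    clsid_to_dlls = defaultdict(set)
    for r in records:
        if (r["action"] == "set_value" and r["value"] == "(Default)"
                and r["key"].upper().endswith("\\INPROCSERVER32")):
            m = CLSID_RE.search(r["key"])
            if m:
                clsid_to_dlls[m.group(0).upper()].add(r["data"])
    persistence = {}
    for r in records:
        if r["action"] == "set_value" and "SHELLSERVICEOBJECTDELAYLOAD" in r["key"].upper():
            clsid = r["data"].upper()
            persistence[r["value"]] = {"clsid": clsid,
                                       "dlls": sorted(clsid_to_dlls.get(clsid, ())),
                                       "writer": r["process"]}
    return persistence


def distinct_writers(records):
    """Every process that touched the keys; a long list means the chain rewrites the ASEP at each hop."""
    return sorted({r["process"] for r in records})


if __name__ == "__main__":
    recs = parse_registry_entries(SAMPLE_REGISTRY)
    for name, info in reconstruct_ssodl_persistence(recs).items():
        print(f"SSODL '{name}' -> {info['clsid']} (set by {info['writer']})")
        for dll in info["dlls"]:
            print(f"  InProcServer32 -> {dll}")
    print("writers:", ", ".join(distinct_writers(recs)))
```

On a live host the same two locations are what to enumerate: HKLM\SOFTWARE\(Wow6432Node\)Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and, for each CLSID found there, HKCR\(Wow6432Node\)CLSID\<clsid>\InProcServer32. A default value pointing at a file under SysWOW64 or System32 that is unsigned, recently created, or absent from a clean baseline is the indicator.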
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1480 wrote to memory of 2332 1480 bb4aeeff4d6529be60bfa8907597bb30N.exe 29
PID 1480 wrote to memory of 2332 1480 bb4aeeff4d6529be60bfa8907597bb30N.exe 29
PID 1480 wrote to memory of 2332 1480 bb4aeeff4d6529be60bfa8907597bb30N.exe 29
PID 1480 wrote to memory of 2332 1480 bb4aeeff4d6529be60bfa8907597bb30N.exe 29
PID 2332 wrote to memory of 2972 2332 Ddjpjj32.exe 30
PID 2332 wrote to memory of 2972 2332 Ddjpjj32.exe 30
PID 2332 wrote to memory of 2972 2332 Ddjpjj32.exe 30
PID 2332 wrote to memory of 2972 2332 Ddjpjj32.exe 30
PID 2972 wrote to memory of 2704 2972 Dnbdbomn.exe 31
PID 2972 wrote to memory of 2704 2972 Dnbdbomn.exe 31
PID 2972 wrote to memory of 2704 2972 Dnbdbomn.exe 31
PID 2972 wrote to memory of 2704 2972 Dnbdbomn.exe 31
PID 2704 wrote to memory of 1852 2704 Dcaiqfib.exe 357
PID 2704 wrote to memory of 1852 2704 Dcaiqfib.exe 357
PID 2704 wrote to memory of 1852 2704 Dcaiqfib.exe 357
PID 2704 wrote to memory of 1852 2704 Dcaiqfib.exe 357
PID 1852 wrote to memory of 2968 1852 Fagcnmie.exe 33
PID 1852 wrote to memory of 2968 1852 Fagcnmie.exe 33
PID 1852 wrote to memory of 2968 1852 Fagcnmie.exe 33
PID 1852 wrote to memory of 2968 1852 Fagcnmie.exe 33
PID 2968 wrote to memory of 2604 2968 Fjpggb32.exe 345
PID 2968 wrote to memory of 2604 2968 Fjpggb32.exe 345
PID 2968 wrote to memory of 2604 2968 Fjpggb32.exe 345
PID 2968 wrote to memory of 2604 2968 Fjpggb32.exe 345
PID 2604 wrote to memory of 2220 2604 Gdobqgpn.exe 310
PID 2604 wrote to memory of 2220 2604 Gdobqgpn.exe 310
PID 2604 wrote to memory of 2220 2604 Gdobqgpn.exe 310
PID 2604 wrote to memory of 2220 2604 Gdobqgpn.exe 310
PID 2220 wrote to memory of 2948 2220 Hegdinpd.exe 36
PID 2220 wrote to memory of 2948 2220 Hegdinpd.exe 36
PID 2220 wrote to memory of 2948 2220 Hegdinpd.exe 36
PID 2220 wrote to memory of 2948 2220 Hegdinpd.exe 36
PID 2948 wrote to memory of 1388 2948 Hnllcoed.exe 338
PID 2948 wrote to memory of 1388 2948 Hnllcoed.exe 338
PID 2948 wrote to memory of 1388 2948 Hnllcoed.exe 338
PID 2948 wrote to memory of 1388 2948 Hnllcoed.exe 338
PID 1388 wrote to memory of 948 1388 Ilaieljl.exe 360
PID 1388 wrote to memory of 948 1388 Ilaieljl.exe 360
PID 1388 wrote to memory of 948 1388 Ilaieljl.exe 360
PID 1388 wrote to memory of 948 1388 Ilaieljl.exe 360
PID 948 wrote to memory of 440 948 Ikkoagjo.exe 39
PID 948 wrote to memory of 440 948 Ikkoagjo.exe 39
PID 948 wrote to memory of 440 948 Ikkoagjo.exe 39
PID 948 wrote to memory of 440 948 Ikkoagjo.exe 39
PID 440 wrote to memory of 2928 440 Jmaedolh.exe 325
PID 440 wrote to memory of 2928 440 Jmaedolh.exe 325
PID 440 wrote to memory of 2928 440 Jmaedolh.exe 325
PID 440 wrote to memory of 2928 440 Jmaedolh.exe 325
PID 2928 wrote to memory of 2560 2928 Kpkali32.exe 459
PID 2928 wrote to memory of 2560 2928 Kpkali32.exe 459
PID 2928 wrote to memory of 2560 2928 Kpkali32.exe 459
PID 2928 wrote to memory of 2560 2928 Kpkali32.exe 459
PID 2560 wrote to memory of 1488 2560 Kehidp32.exe 362
PID 2560 wrote to memory of 1488 2560 Kehidp32.exe 362
PID 2560 wrote to memory of 1488 2560 Kehidp32.exe 362
PID 2560 wrote to memory of 1488 2560 Kehidp32.exe 362
PID 1488 wrote to memory of 2244 1488 Kaojiqej.exe 359
PID 1488 wrote to memory of 2244 1488 Kaojiqej.exe 359
PID 1488 wrote to memory of 2244 1488 Kaojiqej.exe 359
PID 1488 wrote to memory of 2244 1488 Kaojiqej.exe 359
PID 2244 wrote to memory of 1612 2244 Lobgah32.exe 44
PID 2244 wrote to memory of 1612 2244 Lobgah32.exe 44
PID 2244 wrote to memory of 1612 2244 Lobgah32.exe 44
PID 2244 wrote to memory of 1612 2244 Lobgah32.exe 44
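Each link of the chain writes into the child it has just started before handing off, and the table lists every parent/child pair four times. The following Python is an added example, not the sandbox's code, that collapses the repeated entries, rebuilds the parent/child chain from the PID pairs and reports any PID that wrote into more than one process (fan-out, the pattern a process injecting into several targets would leave, which this strictly linear chain does not show). The sample entries are copied from the table above. The regular expression assumes the 'PID <src> wrote to memory of <dst> <src> <image> <procid_target>' layout shown on this page, and the trailing procid_target number is treated as an opaque report-internal index rather than a Windows PID, which is an assumption about the report format.

```python
import re
from collections import defaultdict

# Constructed sample: seven entries copied from this report's
# "Suspicious use of WriteProcessMemory" table. The report repeats each
# parent/child pair (presumably one line per logged write), so the
# parser must de-duplicate before building the chain.
SAMPLE_WPM = (
    "PID 1480 wrote to memory of 2332 1480 bb4aeeff4d6529be60bfa8907597bb30N.exe 29 "
    "PID 1480 wrote to memory of 2332 1480 bb4aeeff4d6529be60bfa8907597bb30N.exe 29 "
    "PID 1480 wrote to memory of 2332 1480 bb4aeeff4d6529be60bfa8907597bb30N.exe 29 "
    "PID 1480 wrote to memory of 2332 1480 bb4aeeff4d6529be60bfa8907597bb30N.exe 29 "
    "PID 2332 wrote to memory of 2972 2332 Ddjpjj32.exe 30 "
    "PID 2332 wrote to memory of 2972 2332 Ddjpjj32.exe 30 "
    "PID 2972 wrote to memory of 2704 2972 Dnbdbomn.exe 31"
)

# The writer PID appears twice per entry (before and after the target PID);
# the backreference (?P=src) enforces that. The final number is the report's
# own index for the target process (assumed), captured but not used.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<image>\S+?\.exe) (?P<target>\d+)"
)


def parse_wpm_entries(text):
    """Return (total_calls, edges). edges are de-duplicated
    (src_pid, dst_pid, src_image) tuples in first-seen order;
    total_calls counts every logged write, duplicates included."""
    edges, seen, total = [], set(), 0
    for m in WPM_RE.finditer(text):
        total += 1
        key = (int(m.group("src")), int(m.group("dst")), m.group("image"))
        if key not in seen:
            seen.add(key)
            edges.append(key)
    return total, edges


def build_chain(edges, root_pid):
    """Follow src->dst edges from root_pid. Returns the ordered list of PIDs and a
    dict of every PID that wrote into more than one process (fan-out). A chain
    of droppers that each spawn one successor has an empty fan-out dict."""
    children = defaultdict(list)
    for src, dst, _ in edges:
        children[src].append(dst)
    fan_out = {pid: dsts for pid, dsts in children.items() if len(dsts) > 1}
    chain, pid, visited = [root_pid], root_pid, {root_pid}
    while children.get(pid):
        pid = children[pid][0]
        if pid in visited:  # guard against a malformed or cyclic table
            break
        visited.add(pid)
        chain.append(pid)
    return chain, fan_out


def image_for(edges, pid):
    """Image name the report records for a writer PID, or None if that PID never wrote."""
    for src, _, image in edges:
        if src == pid:
            return image
    return None


if __name__ == "__main__":
    total, edges = parse_wpm_entries(SAMPLE_WPM)
    chain, fan_out = build_chain(edges, 1480)
    print(f"{total} logged writes, {len(edges)} distinct parent/child pairs")
    print(" -> ".join(f"{pid} ({image_for(edges, pid) or '?'})" for pid in chain))
    print("fan-out:", fan_out or "none (linear chain)")
```

Run against the full 64-entry table, the chain resolves to sixteen distinct pairs that match the first seventeen PIDs of the process tree below, and the last writer (Lobgah32.exe, PID 2244) hands off to PID 1612, after which no further WriteProcessMemory calls are recorded.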
Processes
-
Each entry gives the image path the sandbox recorded, the command line the process was started with, its depth in the process tree and its PID. The command lines name C:\Windows\system32\, but every dropped executable is loaded from C:\Windows\SysWOW64\: the droppers are 32-bit (their registry writes land under Wow6432Node), and WOW64 file system redirection maps a 32-bit process's system32 references to SysWOW64. As far as the report shows, the chain is strictly linear, each process starting exactly one child.

C:\Users\Admin\AppData\Local\Temp\bb4aeeff4d6529be60bfa8907597bb30N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\bb4aeeff4d6529be60bfa8907597bb30N.exe", depth 1, PID 1480)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ddjpjj32.exe (command line: C:\Windows\system32\Ddjpjj32.exe, depth 2, PID 2332)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dnbdbomn.exe (command line: C:\Windows\system32\Dnbdbomn.exe, depth 3, PID 2972)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dcaiqfib.exe (command line: C:\Windows\system32\Dcaiqfib.exe, depth 4, PID 2704)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fagcnmie.exe (command line: C:\Windows\system32\Fagcnmie.exe, depth 5, PID 1852)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fjpggb32.exe (command line: C:\Windows\system32\Fjpggb32.exe, depth 6, PID 2968)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Gdobqgpn.exe (command line: C:\Windows\system32\Gdobqgpn.exe, depth 7, PID 2604)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Hegdinpd.exe (command line: C:\Windows\system32\Hegdinpd.exe, depth 8, PID 2220)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Hnllcoed.exe (command line: C:\Windows\system32\Hnllcoed.exe, depth 9, PID 2948)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ilaieljl.exe (command line: C:\Windows\system32\Ilaieljl.exe, depth 10, PID 1388)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ikkoagjo.exe (command line: C:\Windows\system32\Ikkoagjo.exe, depth 11, PID 948)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Jmaedolh.exe (command line: C:\Windows\system32\Jmaedolh.exe, depth 12, PID 440)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Kpkali32.exe (command line: C:\Windows\system32\Kpkali32.exe, depth 13, PID 2928)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Kehidp32.exe (command line: C:\Windows\system32\Kehidp32.exe, depth 14, PID 2560)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Kaojiqej.exe (command line: C:\Windows\system32\Kaojiqej.exe, depth 15, PID 1488)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Lobgah32.exe (command line: C:\Windows\system32\Lobgah32.exe, depth 16, PID 2244)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Macpcccp.exe (command line: C:\Windows\system32\Macpcccp.exe, depth 17, PID 1612)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Micnbe32.exe (command line: C:\Windows\system32\Micnbe32.exe, depth 18, PID 2280)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Mkcjlhdh.exe (command line: C:\Windows\system32\Mkcjlhdh.exe, depth 19, PID 684)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Nlmjjo32.exe (command line: C:\Windows\system32\Nlmjjo32.exe, depth 20, PID 1124)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Nefncd32.exe (command line: C:\Windows\system32\Nefncd32.exe, depth 21, PID 1644)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ooncljom.exe (command line: C:\Windows\system32\Ooncljom.exe, depth 22, PID 1740)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Ogigpllh.exe (command line: C:\Windows\system32\Ogigpllh.exe, depth 23, PID 912)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Oqaliabh.exe (command line: C:\Windows\system32\Oqaliabh.exe, depth 24, PID 1032)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ofaaghom.exe (command line: C:\Windows\system32\Ofaaghom.exe, depth 25, PID 2140)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Ogpnakfp.exe (command line: C:\Windows\system32\Ogpnakfp.exe, depth 26, PID 1492)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Pjafbfca.exe (command line: C:\Windows\system32\Pjafbfca.exe, depth 27, PID 2200)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Pdkgcd32.exe (command line: C:\Windows\system32\Pdkgcd32.exe, depth 28, PID 1596)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Pikmob32.exe (command line: C:\Windows\system32\Pikmob32.exe, depth 29, PID 2724)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Pafacd32.exe (command line: C:\Windows\system32\Pafacd32.exe, depth 30, PID 2504)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Qcgkeonp.exe (command line: C:\Windows\system32\Qcgkeonp.exe, depth 31, PID 2700)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Qpnkjq32.exe (command line: C:\Windows\system32\Qpnkjq32.exe, depth 32, PID 1660)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Aihmhe32.exe (command line: C:\Windows\system32\Aihmhe32.exe, depth 33, PID 2628)
- Executes dropped EXE

C:\Windows\SysWOW64\Aflmbj32.exe (command line: C:\Windows\system32\Aflmbj32.exe, depth 34, PID 2572)
- Executes dropped EXE

C:\Windows\SysWOW64\Allbpqcp.exe (command line: C:\Windows\system32\Allbpqcp.exe, depth 35, PID 2652)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Aipbidbj.exe (command line: C:\Windows\system32\Aipbidbj.exe, depth 36, PID 2576)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Blplkp32.exe (command line: C:\Windows\system32\Blplkp32.exe, depth 37, PID 1936)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Bjehlldb.exe (command line: C:\Windows\system32\Bjehlldb.exe, depth 38, PID 2088)
- Executes dropped EXE

C:\Windows\SysWOW64\Bdpjjaiq.exe (command line: C:\Windows\system32\Bdpjjaiq.exe, depth 39, PID 2860)
- Executes dropped EXE

C:\Windows\SysWOW64\Bdbfpafn.exe (command line: C:\Windows\system32\Bdbfpafn.exe, depth 40, PID 968)
- Executes dropped EXE

C:\Windows\SysWOW64\Cialng32.exe (command line: C:\Windows\system32\Cialng32.exe, depth 41, PID 1768)
- Executes dropped EXE

C:\Windows\SysWOW64\Cehlbihg.exe (command line: C:\Windows\system32\Cehlbihg.exe, depth 42, PID 2276)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Cekihh32.exe (command line: C:\Windows\system32\Cekihh32.exe, depth 43, PID 2156)
- Executes dropped EXE

C:\Windows\SysWOW64\Cnfnlk32.exe (command line: C:\Windows\system32\Cnfnlk32.exe, depth 44, PID 2292)
- Executes dropped EXE

C:\Windows\SysWOW64\Cgnbepjp.exe (command line: C:\Windows\system32\Cgnbepjp.exe, depth 45, PID 2240)
- Executes dropped EXE

C:\Windows\SysWOW64\Dnkggjpj.exe (command line: C:\Windows\system32\Dnkggjpj.exe, depth 46, PID 2320)
- Executes dropped EXE

C:\Windows\SysWOW64\Dcjleq32.exe (command line: C:\Windows\system32\Dcjleq32.exe, depth 47, PID 1360)
- Executes dropped EXE

C:\Windows\SysWOW64\Ekjjebed.exe (command line: C:\Windows\system32\Ekjjebed.exe, depth 48, PID 3032)
- Executes dropped EXE

C:\Windows\SysWOW64\Enjcfm32.exe (command line: C:\Windows\system32\Enjcfm32.exe, depth 49, PID 824)
- Executes dropped EXE

C:\Windows\SysWOW64\Enmplm32.exe (command line: C:\Windows\system32\Enmplm32.exe, depth 50, PID 2100)
- Executes dropped EXE

C:\Windows\SysWOW64\Enomam32.exe (command line: C:\Windows\system32\Enomam32.exe, depth 51, PID 1692)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Eggajb32.exe (command line: C:\Windows\system32\Eggajb32.exe, depth 52, PID 1512)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Ecnbpcje.exe (command line: C:\Windows\system32\Ecnbpcje.exe, depth 53, PID 2908)
- Executes dropped EXE

C:\Windows\SysWOW64\Ffokan32.exe (command line: C:\Windows\system32\Ffokan32.exe, depth 54, PID 2432)
- Executes dropped EXE

C:\Windows\SysWOW64\Fqdong32.exe (command line: C:\Windows\system32\Fqdong32.exe, depth 55, PID 2896)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Fpjlpclc.exe (command line: C:\Windows\system32\Fpjlpclc.exe, depth 56, PID 2776)
- Executes dropped EXE

C:\Windows\SysWOW64\Fefdhj32.exe (command line: C:\Windows\system32\Fefdhj32.exe, depth 57, PID 368)
- Executes dropped EXE

C:\Windows\SysWOW64\Fbjeao32.exe (command line: C:\Windows\system32\Fbjeao32.exe, depth 58, PID 1028)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Flcjjdpe.exe (command line: C:\Windows\system32\Flcjjdpe.exe, depth 59, PID 1524)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Gpihog32.exe (command line: C:\Windows\system32\Gpihog32.exe, depth 60, PID 1864)
- Executes dropped EXE

C:\Windows\SysWOW64\Gfcqkafl.exe (command line: C:\Windows\system32\Gfcqkafl.exe, depth 61, PID 612)
- Executes dropped EXE

C:\Windows\SysWOW64\Gpledf32.exe (command line: C:\Windows\system32\Gpledf32.exe, depth 62, PID 2236)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Gffmqq32.exe (command line: C:\Windows\system32\Gffmqq32.exe, depth 63, PID 676)
- Executes dropped EXE

C:\Windows\SysWOW64\Hbmnfajm.exe (command line: C:\Windows\system32\Hbmnfajm.exe, depth 64, PID 2288)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Hlebog32.exe (command line: C:\Windows\system32\Hlebog32.exe, depth 65, PID 2500)
- Executes dropped EXE

C:\Windows\SysWOW64\Hmdohj32.exe (command line: C:\Windows\system32\Hmdohj32.exe, depth 66, PID 1704)

C:\Windows\SysWOW64\Hbagaa32.exe (command line: C:\Windows\system32\Hbagaa32.exe, depth 67, PID 1548)

C:\Windows\SysWOW64\Hpehje32.exe (command line: C:\Windows\system32\Hpehje32.exe, depth 68, PID 1744)

C:\Windows\SysWOW64\Hojeka32.exe (command line: C:\Windows\system32\Hojeka32.exe, depth 69, PID 848)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Ihcidgpj.exe (command line: C:\Windows\system32\Ihcidgpj.exe, depth 70, PID 2676)

C:\Windows\SysWOW64\Iaknmm32.exe (command line: C:\Windows\system32\Iaknmm32.exe, depth 71, PID 1908)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Ikcbfb32.exe (command line: C:\Windows\system32\Ikcbfb32.exe, depth 72, PID 1036)

C:\Windows\SysWOW64\Ipbgci32.exe (command line: C:\Windows\system32\Ipbgci32.exe, depth 73, PID 2164)
- Drops file in System32 directory

C:\Windows\SysWOW64\Iniebmfg.exe (command line: C:\Windows\system32\Iniebmfg.exe, depth 74, PID 2828)

C:\Windows\SysWOW64\Jomnpdjb.exe (command line: C:\Windows\system32\Jomnpdjb.exe, depth 75, PID 2852)

C:\Windows\SysWOW64\Jlqniihl.exe (command line: C:\Windows\system32\Jlqniihl.exe, depth 76, PID 2668)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Jhgonj32.exe (command line: C:\Windows\system32\Jhgonj32.exe, depth 77, PID 2316)

C:\Windows\SysWOW64\Jhjldiln.exe (command line: C:\Windows\system32\Jhjldiln.exe, depth 78, PID 3068)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Jqeqhlii.exe (command line: C:\Windows\system32\Jqeqhlii.exe, depth 79, PID 2076)

C:\Windows\SysWOW64\Kqgmnk32.exe (command line: C:\Windows\system32\Kqgmnk32.exe, depth 80, PID 2764)

C:\Windows\SysWOW64\Knkngp32.exe (command line: C:\Windows\system32\Knkngp32.exe, depth 81, PID 2996)

C:\Windows\SysWOW64\Kmpkhl32.exe (command line: C:\Windows\system32\Kmpkhl32.exe, depth 82, PID 460)
- Drops file in System32 directory

C:\Windows\SysWOW64\Kmbgnl32.exe (command line: C:\Windows\system32\Kmbgnl32.exe, depth 83, PID 1808)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Kfklgape.exe (command line: C:\Windows\system32\Kfklgape.exe, depth 84, PID 1540)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Lpfmefdc.exe (command line: C:\Windows\system32\Lpfmefdc.exe, depth 85, PID 916)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Linanl32.exe (command line: C:\Windows\system32\Linanl32.exe, depth 86, PID 3004)
- Drops file in System32 directory

C:\Windows\SysWOW64\Laifbnho.exe (command line: C:\Windows\system32\Laifbnho.exe, depth 87, PID 600)
- Modifies registry class

C:\Windows\SysWOW64\Llojpghe.exe (command line: C:\Windows\system32\Llojpghe.exe, depth 88, PID 344)
- Drops file in System32 directory

C:\Windows\SysWOW64\Lbibla32.exe (command line: C:\Windows\system32\Lbibla32.exe, depth 89, PID 1712)
- Modifies registry class

C:\Windows\SysWOW64\Lcllii32.exe (command line: C:\Windows\system32\Lcllii32.exe, depth 90, PID 2092)

C:\Windows\SysWOW64\Mcoioi32.exe (command line: C:\Windows\system32\Mcoioi32.exe, depth 91, PID 2192)
- Drops file in System32 directory

C:\Windows\SysWOW64\Mfpaqdnk.exe (command line: C:\Windows\system32\Mfpaqdnk.exe, depth 92, PID 1176)

C:\Windows\SysWOW64\Mmijmn32.exe (command line: C:\Windows\system32\Mmijmn32.exe, depth 93, PID 2692)
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Mphfji32.exe (command line: C:\Windows\system32\Mphfji32.exe, depth 94, PID 1556)

C:\Windows\SysWOW64\Nenaho32.exe (command line: C:\Windows\system32\Nenaho32.exe, depth 95, PID 1544)

C:\Windows\SysWOW64\Ngonpgqg.exe (command line: C:\Windows\system32\Ngonpgqg.exe, depth 96, PID 2404)

C:\Windows\SysWOW64\Nmifla32.exe (command line: C:\Windows\system32\Nmifla32.exe, depth 97, PID 2180)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Nhojjjhj.exe (command line: C:\Windows\system32\Nhojjjhj.exe, depth 98, PID 2864)

C:\Windows\SysWOW64\Nipgab32.exe (command line: C:\Windows\system32\Nipgab32.exe, depth 99, PID 2376)
- Drops file in System32 directory

C:\Windows\SysWOW64\Ndekok32.exe (command line: C:\Windows\system32\Ndekok32.exe, depth 100, PID 2056)

C:\Windows\SysWOW64\Opllclcb.exe (command line: C:\Windows\system32\Opllclcb.exe, depth 101, PID 2372)
- Drops file in System32 directory

C:\Windows\SysWOW64\Oiepmajb.exe (command line: C:\Windows\system32\Oiepmajb.exe, depth 102, PID 736)

C:\Windows\SysWOW64\Ogiqffhl.exe (command line: C:\Windows\system32\Ogiqffhl.exe, depth 103, PID 1324)
- Modifies registry class

C:\Windows\SysWOW64\Oodejhfg.exe (command line: C:\Windows\system32\Oodejhfg.exe, depth 104, PID 2728)

C:\Windows\SysWOW64\Oepjmbka.exe (command line: C:\Windows\system32\Oepjmbka.exe, depth 105, PID 2936)

C:\Windows\SysWOW64\Onkoadhm.exe (command line: C:\Windows\system32\Onkoadhm.exe, depth 106, PID 2472)

C:\Windows\SysWOW64\Pqodho32.exe (command line: C:\Windows\system32\Pqodho32.exe, depth 107, PID 1856)
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Pjgiad32.exe (command line: C:\Windows\system32\Pjgiad32.exe, depth 108, PID 2932)

C:\Windows\SysWOW64\Pconjjql.exe (command line: C:\Windows\system32\Pconjjql.exe, depth 109, PID 2020)

C:\Windows\SysWOW64\Pmhbbp32.exe (command line: C:\Windows\system32\Pmhbbp32.exe, depth 110, PID 816)
- Drops file in System32 directory

C:\Windows\SysWOW64\Pqekin32.exe (command line: C:\Windows\system32\Pqekin32.exe, depth 111, PID 1772)

C:\Windows\SysWOW64\Qcdgei32.exe (command line: C:\Windows\system32\Qcdgei32.exe, depth 112, PID 3024)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Qiqpmp32.exe (command line: C:\Windows\system32\Qiqpmp32.exe, depth 113, PID 320)

C:\Windows\SysWOW64\Qiclcp32.exe (command line: C:\Windows\system32\Qiclcp32.exe, depth 114, PID 1736)

C:\Windows\SysWOW64\Aejmha32.exe (command line: C:\Windows\system32\Aejmha32.exe, depth 115, PID 3056)

C:\Windows\SysWOW64\Akdedkfl.exe (command line: C:\Windows\system32\Akdedkfl.exe, depth 116, PID 1920)

C:\Windows\SysWOW64\Aaqnmbdd.exe (command line: C:\Windows\system32\Aaqnmbdd.exe, depth 117, PID 1312)
- Modifies registry class

C:\Windows\SysWOW64\Agkfil32.exe (command line: C:\Windows\system32\Agkfil32.exe, depth 118, PID 1508)

C:\Windows\SysWOW64\Aacjba32.exe (command line: C:\Windows\system32\Aacjba32.exe, depth 119, PID 2920)

C:\Windows\SysWOW64\Agmbolin.exe (command line: C:\Windows\system32\Agmbolin.exe, depth 120, PID 1956)

C:\Windows\SysWOW64\Amjkgbhe.exe (command line: C:\Windows\system32\Amjkgbhe.exe, depth 121, PID 2476)

C:\Windows\SysWOW64\Acdcdm32.exe (command line: C:\Windows\system32\Acdcdm32.exe, depth 122, PID 1004)