Analysis
max time kernel: 114s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-09-2024 21:43
Static task: static1
Behavioral task: behavioral1
Sample: b758ab496e065a5f11d4bfaab5fc5b30N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: b758ab496e065a5f11d4bfaab5fc5b30N.exe
Resource: win10v2004-20240802-en
General
Target: b758ab496e065a5f11d4bfaab5fc5b30N.exe
Size: 224KB
MD5: b758ab496e065a5f11d4bfaab5fc5b30
SHA1: 72dfa2850f6f541653dc6489296b000947005028
SHA256: 6af0535dc183d0950844c91970e75bb08dce061e82389d890c57567d61dde7d4
SHA512: 83c8735424d9600a5d822482c10d33c3a5936dc46ecc984b2622dfcdad23f0cc1f197193f78a1ef9b9a7172abd384470c063edb1627984b57a5ab6ecb3c27e48
SSDEEP: 3072:Js2MU/P0pQ3SGTlP2OnjJd976HRy6TluWHnjJd976HRyFbLJorvWHnjJvBxjUSmM:JWU/PkQ3Hlp4PlXj4IyqrQ///NR5fL4
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbpomb32.exe, Jaiknk32.exe, Bilkhbcl.exe, Oaonfncb.exe, Dfqjible.exe, Mklegm32.exe, Jcaekh32.exe, Ofaaghom.exe, Hakani32.exe, Nphbhm32.exe, Acfpilmp.exe, Qnkgnj32.exe, Ggmlffbo.exe, Ngkepl32.exe, Jdodel32.exe, Mmlilfkj.exe, Dgocadqk.exe, Namebk32.exe, Eemded32.exe, Ndofjq32.exe, Lbdiabcg.exe, Nhombc32.exe, Pkpacaoj.exe, Gkfkae32.exe, Pdkejo32.exe, Gimmbg32.exe, Ipmeej32.exe, Ohifch32.exe, Hepdml32.exe, Bcfbbe32.exe, Deanooeb.exe, Gmhkkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbbpmo32.exe, Einljkji.exe, Napdpchk.exe, Ngkepl32.exe, Jjehflbe.exe, Mmlilfkj.exe, Oieencik.exe, Jfffmo32.exe, Lqknfq32.exe, Cocnanmd.exe, Qnjbmh32.exe, Bpdnjb32.exe, Kmginaim.exe, Angmdoho.exe, Bkimgflg.exe, Nngjbfpa.exe, Dnbdbomn.exe, Nenaho32.exe, Cmcjldbf.exe, Bdiciboh.exe, Kknkncbl.exe, Dnfoho32.exe, Gcfiqgfp.exe, Anonqq32.exe, Piaiko32.exe, Qgqlig32.exe, Nclcgoia.exe, Kmlbia32.exe, Obllai32.exe, Dlpdifda.exe, Hbohblcg.exe, Ponadfim.exe
Executes dropped EXE (64 IoCs)
pid | Process
2336 | Dnbdbomn.exe
2972 | Ekiaac32.exe
2704 | Egobfdpi.exe
2880 | Eqhfoj32.exe
1036 | Emcqpjhh.exe
2612 | Fbbfmqdm.exe
3068 | Fjbdmbmb.exe
2956 | Gfkagc32.exe
1388 | Gdobqgpn.exe
948 | Gloppi32.exe
440 | Hlamfh32.exe
2928 | Hilghaqq.exe
1768 | Hgpgae32.exe
2508 | Iomhkgkb.exe
2208 | Ipmeej32.exe
2156 | Idagdm32.exe
2272 | Iqhhin32.exe
2400 | Jqmadn32.exe
1124 | Jcmjfiab.exe
1672 | Jodkkj32.exe
756 | Kcbcah32.exe
532 | Kkpekjie.exe
864 | Kbjmhd32.exe
2296 | Kjgoaflj.exe
1736 | Kemcookp.exe
2164 | Lcdmekne.exe
268 | Mddidnqa.exe
2428 | Mpmfoodb.exe
2372 | Nldgdpjf.exe
2600 | Nlfdjphd.exe
2904 | Nhpadpke.exe
2092 | Ndfbia32.exe
2488 | Ooncljom.exe
528 | Oqaliabh.exe
2632 | Onelbfab.exe
2500 | Ofaaghom.exe
1176 | Ogpnakfp.exe
2860 | Pbjoaibo.exe
2836 | Pkeppngm.exe
2312 | Peandcih.exe
3016 | Qnjbmh32.exe
2384 | Qakkncmi.exe
2320 | Acldpojj.exe
1944 | Aihmhe32.exe
2132 | Amfeodoh.exe
1940 | Aeajcf32.exe
1084 | Anjnllbd.exe
956 | Ahbcda32.exe
3040 | Bdiciboh.exe
3028 | Bjclfmfe.exe
2012 | Bhglpqeo.exe
1528 | Bpbadcbj.exe
2700 | Bkheal32.exe
2812 | Bpdnjb32.exe
2808 | Bpgjob32.exe
2628 | Beccgi32.exe
2696 | Cefpmiji.exe
560 | Condfo32.exe
1820 | Clbdobpc.exe
2580 | Caomgjnk.exe
2088 | Cocnanmd.exe
400 | Cemfnh32.exe
2228 | Cadfbi32.exe
2168 | Djokgk32.exe
Loads dropped DLL (64 IoCs)
pid | Process
1976 | b758ab496e065a5f11d4bfaab5fc5b30N.exe
1976 | b758ab496e065a5f11d4bfaab5fc5b30N.exe
2336 | Dnbdbomn.exe
2336 | Dnbdbomn.exe
2972 | Ekiaac32.exe
2972 | Ekiaac32.exe
2704 | Egobfdpi.exe
2704 | Egobfdpi.exe
2880 | Eqhfoj32.exe
2880 | Eqhfoj32.exe
1036 | Emcqpjhh.exe
1036 | Emcqpjhh.exe
2612 | Fbbfmqdm.exe
2612 | Fbbfmqdm.exe
3068 | Fjbdmbmb.exe
3068 | Fjbdmbmb.exe
2956 | Gfkagc32.exe
2956 | Gfkagc32.exe
1388 | Gdobqgpn.exe
1388 | Gdobqgpn.exe
948 | Gloppi32.exe
948 | Gloppi32.exe
440 | Hlamfh32.exe
440 | Hlamfh32.exe
2928 | Hilghaqq.exe
2928 | Hilghaqq.exe
1768 | Hgpgae32.exe
1768 | Hgpgae32.exe
2508 | Iomhkgkb.exe
2508 | Iomhkgkb.exe
2208 | Ipmeej32.exe
2208 | Ipmeej32.exe
2156 | Idagdm32.exe
2156 | Idagdm32.exe
2272 | Iqhhin32.exe
2272 | Iqhhin32.exe
2400 | Jqmadn32.exe
2400 | Jqmadn32.exe
1124 | Jcmjfiab.exe
1124 | Jcmjfiab.exe
1672 | Jodkkj32.exe
1672 | Jodkkj32.exe
756 | Kcbcah32.exe
756 | Kcbcah32.exe
532 | Kkpekjie.exe
532 | Kkpekjie.exe
864 | Kbjmhd32.exe
864 | Kbjmhd32.exe
2296 | Kjgoaflj.exe
2296 | Kjgoaflj.exe
1736 | Kemcookp.exe
1736 | Kemcookp.exe
2164 | Lcdmekne.exe
2164 | Lcdmekne.exe
268 | Mddidnqa.exe
268 | Mddidnqa.exe
2428 | Mpmfoodb.exe
2428 | Mpmfoodb.exe
2372 | Nldgdpjf.exe
2372 | Nldgdpjf.exe
2600 | Nlfdjphd.exe
2600 | Nlfdjphd.exe
2904 | Nhpadpke.exe
2904 | Nhpadpke.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Lkmpcpak.exe | Lnipilbb.exe
File created | C:\Windows\SysWOW64\Kcojfnhc.dll | Gbeakllj.exe
File opened for modification | C:\Windows\SysWOW64\Fahdja32.exe | Fgbpmh32.exe
File opened for modification | C:\Windows\SysWOW64\Fblcaohd.exe | Eidohiac.exe
File created | C:\Windows\SysWOW64\Lpnooe32.dll | Pdlmnm32.exe
File created | C:\Windows\SysWOW64\Bkqnchgo.exe | Bnmmjd32.exe
File created | C:\Windows\SysWOW64\Ainllp32.dll | Dcjleq32.exe
File created | C:\Windows\SysWOW64\Cggnqmhb.dll | Kbefen32.exe
File opened for modification | C:\Windows\SysWOW64\Kgienc32.exe | Kqomai32.exe
File created | C:\Windows\SysWOW64\Fdgoff32.dll | Fojnhlch.exe
File created | C:\Windows\SysWOW64\Iiepac32.dll | Qlmnfh32.exe
File created | C:\Windows\SysWOW64\Pnphenic.dll | Eqjenb32.exe
File opened for modification | C:\Windows\SysWOW64\Gegecopf.exe | Fpjmkhbo.exe
File created | C:\Windows\SysWOW64\Ikaglgei.exe | Ibibcanh.exe
File created | C:\Windows\SysWOW64\Kocobh32.dll | Bciaqnje.exe
File opened for modification | C:\Windows\SysWOW64\Adjoqjfc.exe | Ahcoli32.exe
File opened for modification | C:\Windows\SysWOW64\Ceclmc32.exe | Bilkhbcl.exe
File opened for modification | C:\Windows\SysWOW64\Efqian32.exe | Ejjhlmqa.exe
File created | C:\Windows\SysWOW64\Lnkjfcik.exe | Lbdiabcg.exe
File created | C:\Windows\SysWOW64\Ikcbfb32.exe | Iegjnkod.exe
File created | C:\Windows\SysWOW64\Dimlhgep.exe | Dmfkcf32.exe
File created | C:\Windows\SysWOW64\Ppopgcbc.dll | Bdiciboh.exe
File opened for modification | C:\Windows\SysWOW64\Bdiciboh.exe | Ahbcda32.exe
File created | C:\Windows\SysWOW64\Bloglgcc.dll | Fgmmnj32.exe
File opened for modification | C:\Windows\SysWOW64\Emcqpjhh.exe | Eqhfoj32.exe
File opened for modification | C:\Windows\SysWOW64\Knicjipf.exe | Khlkba32.exe
File created | C:\Windows\SysWOW64\Hjbncqkj.exe | Hdeekjmc.exe
File created | C:\Windows\SysWOW64\Efqian32.exe | Ejjhlmqa.exe
File opened for modification | C:\Windows\SysWOW64\Efeaqi32.exe | Enjmlgoj.exe
File created | C:\Windows\SysWOW64\Dgcnihnn.exe | Depelp32.exe
File created | C:\Windows\SysWOW64\Oheoaa32.exe | Nipbpe32.exe
File created | C:\Windows\SysWOW64\Pdflopoa.exe | Oeaoncjj.exe
File created | C:\Windows\SysWOW64\Lgcdkk32.dll | Cmcjldbf.exe
File opened for modification | C:\Windows\SysWOW64\Kkpbbeda.exe | Kmlbia32.exe
File opened for modification | C:\Windows\SysWOW64\Nmlgcbei.exe | Ngpokkgb.exe
File created | C:\Windows\SysWOW64\Eidcdc32.dll | Fogkhf32.exe
File created | C:\Windows\SysWOW64\Cpbfggdo.dll | Minpeh32.exe
File created | C:\Windows\SysWOW64\Knhhkkbe.dll | Ecggmfde.exe
File opened for modification | C:\Windows\SysWOW64\Lkblghdj.exe | Lpmgioed.exe
File opened for modification | C:\Windows\SysWOW64\Gjmnmk32.exe | Gpdide32.exe
File created | C:\Windows\SysWOW64\Iomhkgkb.exe | Hgpgae32.exe
File opened for modification | C:\Windows\SysWOW64\Bjhjcm32.exe | Bqpejh32.exe
File opened for modification | C:\Windows\SysWOW64\Ilicgl32.exe | Incfhh32.exe
File created | C:\Windows\SysWOW64\Fgdjipfc.exe | Fqjbme32.exe
File opened for modification | C:\Windows\SysWOW64\Gihdblpi.exe | Gcnleahm.exe
File created | C:\Windows\SysWOW64\Lkjadh32.exe | Lbbmlbej.exe
File created | C:\Windows\SysWOW64\Iiflgi32.exe | Iehcajjc.exe
File created | C:\Windows\SysWOW64\Foekeq32.dll | Bnmmjd32.exe
File opened for modification | C:\Windows\SysWOW64\Mkmlbc32.exe | Minpeh32.exe
File opened for modification | C:\Windows\SysWOW64\Fhkffl32.exe | Fieiephm.exe
File created | C:\Windows\SysWOW64\Cnfkoc32.dll | Gobnljhp.exe
File created | C:\Windows\SysWOW64\Highje32.dll | Lqknfq32.exe
File opened for modification | C:\Windows\SysWOW64\Acldpojj.exe | Qakkncmi.exe
File created | C:\Windows\SysWOW64\Bffhjdki.dll | Gbbnkfjq.exe
File opened for modification | C:\Windows\SysWOW64\Oeaoncjj.exe | Olijen32.exe
File created | C:\Windows\SysWOW64\Nagielfp.dll | Fknido32.exe
File created | C:\Windows\SysWOW64\Oodhca32.exe | Oigokj32.exe
File created | C:\Windows\SysWOW64\Nlflmj32.dll | Khlkba32.exe
File created | C:\Windows\SysWOW64\Ncfoko32.dll | Ohifch32.exe
File opened for modification | C:\Windows\SysWOW64\Mdmdpd32.exe | Mjdcofpe.exe
File created | C:\Windows\SysWOW64\Napdpchk.exe | Nclcgoia.exe
File opened for modification | C:\Windows\SysWOW64\Ibmhlpge.exe | Icgkkc32.exe
File opened for modification | C:\Windows\SysWOW64\Olpiig32.exe | Oefqlmpq.exe
File created | C:\Windows\SysWOW64\Ebhlmlhl.exe | Ehphdf32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
868 | 3872 | WerFault.exe | 696
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iajfin32.exe, Pjbqaj32.exe, Dmfkcf32.exe, Mfedobef.exe, Cbhejf32.exe, Ppnpfagc.exe, Bdidegec.exe, Cnnpdaeb.exe, Hoofkgib.exe, Gffmqq32.exe, Paldmbmq.exe, Fknido32.exe, Gnahoh32.exe, Pibkdhbi.exe, Oeaoncjj.exe, Gkqjlpmd.exe, Nkhmkf32.exe, Dgphpi32.exe, Bbbedqcc.exe, Gcpfbhof.exe, Bcqlcj32.exe, Bdiciboh.exe, Kgoief32.exe, Bilkhbcl.exe, Abcppcdc.exe, Dnfoho32.exe, Jojaje32.exe, Omaepoml.exe, Bkimgflg.exe, Dlblmh32.exe, Jjheklqc.exe, Lgnnicpe.exe, Fdicfbpl.exe, Oejfelin.exe, Fmbninke.exe, Gegecopf.exe, Hlamfh32.exe, Dldndf32.exe, Cmcjldbf.exe, Kmfpjb32.exe, Efeaqi32.exe, Nlibhhme.exe, Dkbpbe32.exe, Beccgi32.exe, Djokgk32.exe, Dghekobe.exe, Bpajjmon.exe, Cdhjjddc.exe, Kemcookp.exe, Hepdml32.exe, Ddgnbl32.exe, Fnhnnc32.exe, Oefqlmpq.exe, Einljkji.exe, Hgpgae32.exe, Aihmhe32.exe, Paihgboc.exe, Mnefpq32.exe, Kcbcah32.exe, Cemfnh32.exe, Dggbeb32.exe, Ilicgl32.exe, Ldcjooac.exe, Ndjloanf.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Obllai32.exe, Eemded32.exe, Cjhogj32.exe, Oabdol32.exe, Kdcinjpo.exe, Jojaje32.exe, Bbkmki32.exe, Genkhidc.exe, Pjbqaj32.exe, Hjjmgo32.exe, Hjmjln32.exe, Aobblkkk.exe, Jjheklqc.exe, Fnodob32.exe, Qnjbmh32.exe, Plmdqmpd.exe, Ehphdf32.exe, Lkjadh32.exe, Omfadgqj.exe, Ndjloanf.exe, Pncgjl32.exe, Agpamd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Phlaqc32.exe, Benbbcmf.exe, Bpdnjb32.exe, Pofqhdnd.exe, Medobp32.exe, Fogmaoib.exe, Khmmkj32.exe, Oeaoncjj.exe, Fbbfmqdm.exe, Gpiadq32.exe, Bbnlia32.exe, Llkijb32.exe, Daognhlc.exe, Dgkkdnkb.exe, Gobnljhp.exe, Onelbfab.exe, Kqaigijk.exe, Niednn32.exe, Ilihij32.exe, Gpbkca32.exe, Iomhkgkb.exe, Bnmmjd32.exe, Bdidegec.exe, Cknikooe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgebjfnh.dll" | Mpkehbjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbfggdo.dll" | Minpeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhijpea.dll" | Ljogknmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdolc32.dll" | Chldbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjfpp32.dll" | Plmdqmpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkflp32.dll" | Oejfelin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgeffnb.dll" | Ecidbfbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhogompl.dll" | Ikafpbon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goepdd32.dll" | Pkeppngm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imknbfaj.dll" | Fkhkha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnalihff.dll" | Ekiaac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfddfjmg.dll" | Hjbncqkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciekbj32.dll" | Iapghlbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioopon32.dll" | Kchfpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmcgia32.dll" | Elpnoebj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcjkjmo.dll" | Hgpgae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfnep32.dll" | Miciqgqn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkbjgp32.dll" | Bpbadcbj.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b758ab496e065a5f11d4bfaab5fc5b30N.exe"C:\Users\Admin\AppData\Local\Temp\b758ab496e065a5f11d4bfaab5fc5b30N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Dnbdbomn.exeC:\Windows\system32\Dnbdbomn.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ekiaac32.exeC:\Windows\system32\Ekiaac32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Egobfdpi.exeC:\Windows\system32\Egobfdpi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Eqhfoj32.exeC:\Windows\system32\Eqhfoj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Emcqpjhh.exeC:\Windows\system32\Emcqpjhh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Fjbdmbmb.exeC:\Windows\system32\Fjbdmbmb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Gfkagc32.exeC:\Windows\system32\Gfkagc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Gdobqgpn.exeC:\Windows\system32\Gdobqgpn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Gloppi32.exeC:\Windows\system32\Gloppi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Hlamfh32.exeC:\Windows\system32\Hlamfh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Hilghaqq.exeC:\Windows\system32\Hilghaqq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Hgpgae32.exeC:\Windows\system32\Hgpgae32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Iomhkgkb.exeC:\Windows\system32\Iomhkgkb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Ipmeej32.exeC:\Windows\system32\Ipmeej32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Idagdm32.exeC:\Windows\system32\Idagdm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Iqhhin32.exeC:\Windows\system32\Iqhhin32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Jqmadn32.exeC:\Windows\system32\Jqmadn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Jcmjfiab.exeC:\Windows\system32\Jcmjfiab.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Jodkkj32.exeC:\Windows\system32\Jodkkj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Kcbcah32.exeC:\Windows\system32\Kcbcah32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:756 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:532 -
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Kjgoaflj.exeC:\Windows\system32\Kjgoaflj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Kemcookp.exeC:\Windows\system32\Kemcookp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Lcdmekne.exeC:\Windows\system32\Lcdmekne.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Mddidnqa.exeC:\Windows\system32\Mddidnqa.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Mpmfoodb.exeC:\Windows\system32\Mpmfoodb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Nldgdpjf.exeC:\Windows\system32\Nldgdpjf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Nlfdjphd.exeC:\Windows\system32\Nlfdjphd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Nhpadpke.exeC:\Windows\system32\Nhpadpke.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Ndfbia32.exeC:\Windows\system32\Ndfbia32.exe33⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ooncljom.exeC:\Windows\system32\Ooncljom.exe34⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Oqaliabh.exeC:\Windows\system32\Oqaliabh.exe35⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Onelbfab.exeC:\Windows\system32\Onelbfab.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Ofaaghom.exeC:\Windows\system32\Ofaaghom.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Ogpnakfp.exeC:\Windows\system32\Ogpnakfp.exe38⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Pbjoaibo.exeC:\Windows\system32\Pbjoaibo.exe39⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe41⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Qnjbmh32.exeC:\Windows\system32\Qnjbmh32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Qakkncmi.exeC:\Windows\system32\Qakkncmi.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Acldpojj.exeC:\Windows\system32\Acldpojj.exe44⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Aihmhe32.exeC:\Windows\system32\Aihmhe32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Windows\SysWOW64\Amfeodoh.exeC:\Windows\system32\Amfeodoh.exe46⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Aeajcf32.exeC:\Windows\system32\Aeajcf32.exe47⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Anjnllbd.exeC:\Windows\system32\Anjnllbd.exe48⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Ahbcda32.exeC:\Windows\system32\Ahbcda32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Bdiciboh.exeC:\Windows\system32\Bdiciboh.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Bjclfmfe.exeC:\Windows\system32\Bjclfmfe.exe51⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Bhglpqeo.exeC:\Windows\system32\Bhglpqeo.exe52⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Bpbadcbj.exeC:\Windows\system32\Bpbadcbj.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Bkheal32.exeC:\Windows\system32\Bkheal32.exe54⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Bpdnjb32.exeC:\Windows\system32\Bpdnjb32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Bpgjob32.exeC:\Windows\system32\Bpgjob32.exe56⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Beccgi32.exeC:\Windows\system32\Beccgi32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Cefpmiji.exeC:\Windows\system32\Cefpmiji.exe58⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Condfo32.exeC:\Windows\system32\Condfo32.exe59⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Clbdobpc.exeC:\Windows\system32\Clbdobpc.exe60⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Caomgjnk.exeC:\Windows\system32\Caomgjnk.exe61⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Cocnanmd.exeC:\Windows\system32\Cocnanmd.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Cemfnh32.exeC:\Windows\system32\Cemfnh32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:400 -
C:\Windows\SysWOW64\Cadfbi32.exeC:\Windows\system32\Cadfbi32.exe64⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Djokgk32.exeC:\Windows\system32\Djokgk32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Dpicceon.exeC:\Windows\system32\Dpicceon.exe66⤵
PID:2144 -
C:\Windows\SysWOW64\Dcgppana.exeC:\Windows\system32\Dcgppana.exe67⤵
PID:460 -
C:\Windows\SysWOW64\Dlpdifda.exeC:\Windows\system32\Dlpdifda.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1336 -
C:\Windows\SysWOW64\Dcjleq32.exeC:\Windows\system32\Dcjleq32.exe69⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Djddbkck.exeC:\Windows\system32\Djddbkck.exe70⤵
PID:2980 -
C:\Windows\SysWOW64\Dghekobe.exeC:\Windows\system32\Dghekobe.exe71⤵
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Dldndf32.exeC:\Windows\system32\Dldndf32.exe72⤵
- System Location Discovery: System Language Discovery
PID:1840 -
C:\Windows\SysWOW64\Docjpa32.exeC:\Windows\system32\Docjpa32.exe73⤵
PID:1604 -
C:\Windows\SysWOW64\Dlgjie32.exeC:\Windows\system32\Dlgjie32.exe74⤵
PID:1852 -
C:\Windows\SysWOW64\Ecabfpff.exeC:\Windows\system32\Ecabfpff.exe75⤵
PID:2768 -
C:\Windows\SysWOW64\Ehnknfdn.exeC:\Windows\system32\Ehnknfdn.exe76⤵
PID:2840 -
C:\Windows\SysWOW64\Ehphdf32.exeC:\Windows\system32\Ehphdf32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Ebhlmlhl.exeC:\Windows\system32\Ebhlmlhl.exe78⤵
PID:2948 -
C:\Windows\SysWOW64\Egedebgc.exeC:\Windows\system32\Egedebgc.exe79⤵
PID:2524 -
C:\Windows\SysWOW64\Ebkibk32.exeC:\Windows\system32\Ebkibk32.exe80⤵
PID:1516 -
C:\Windows\SysWOW64\Fglkeaqk.exeC:\Windows\system32\Fglkeaqk.exe81⤵
PID:1556 -
C:\Windows\SysWOW64\Fipdci32.exeC:\Windows\system32\Fipdci32.exe82⤵
PID:2344 -
C:\Windows\SysWOW64\Fnoiqpqk.exeC:\Windows\system32\Fnoiqpqk.exe83⤵
PID:2236 -
C:\Windows\SysWOW64\Fhgnie32.exeC:\Windows\system32\Fhgnie32.exe84⤵
PID:2476 -
C:\Windows\SysWOW64\Gapbbk32.exeC:\Windows\system32\Gapbbk32.exe85⤵
PID:1104 -
C:\Windows\SysWOW64\Genkhidc.exeC:\Windows\system32\Genkhidc.exe86⤵
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Gnfoao32.exeC:\Windows\system32\Gnfoao32.exe87⤵
PID:1004 -
C:\Windows\SysWOW64\Gfadeaho.exeC:\Windows\system32\Gfadeaho.exe88⤵
PID:2412 -
C:\Windows\SysWOW64\Gnhlgoia.exeC:\Windows\system32\Gnhlgoia.exe89⤵
PID:1908 -
C:\Windows\SysWOW64\Gfcqkafl.exeC:\Windows\system32\Gfcqkafl.exe90⤵
PID:1600 -
C:\Windows\SysWOW64\Gibmglep.exeC:\Windows\system32\Gibmglep.exe91⤵
PID:2724 -
C:\Windows\SysWOW64\Gffmqq32.exeC:\Windows\system32\Gffmqq32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Hakani32.exeC:\Windows\system32\Hakani32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2732 -
C:\Windows\SysWOW64\Hiffbl32.exeC:\Windows\system32\Hiffbl32.exe94⤵
PID:2216 -
C:\Windows\SysWOW64\Hdlkpd32.exeC:\Windows\system32\Hdlkpd32.exe95⤵
PID:2852 -
C:\Windows\SysWOW64\Hpckee32.exeC:\Windows\system32\Hpckee32.exe96⤵
PID:1080 -
C:\Windows\SysWOW64\Hepdml32.exeC:\Windows\system32\Hepdml32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Hohhfbkl.exeC:\Windows\system32\Hohhfbkl.exe98⤵
PID:676 -
C:\Windows\SysWOW64\Hhqmogam.exeC:\Windows\system32\Hhqmogam.exe99⤵
PID:2292 -
C:\Windows\SysWOW64\Idgmch32.exeC:\Windows\system32\Idgmch32.exe100⤵
PID:2180 -
C:\Windows\SysWOW64\Ikafpbon.exeC:\Windows\system32\Ikafpbon.exe101⤵
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Iegjnkod.exeC:\Windows\system32\Iegjnkod.exe102⤵
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Ikcbfb32.exeC:\Windows\system32\Ikcbfb32.exe103⤵
PID:2528 -
C:\Windows\SysWOW64\Ippkni32.exeC:\Windows\system32\Ippkni32.exe104⤵
PID:2804 -
C:\Windows\SysWOW64\Ikfokb32.exeC:\Windows\system32\Ikfokb32.exe105⤵
PID:1460 -
C:\Windows\SysWOW64\Iapghlbe.exeC:\Windows\system32\Iapghlbe.exe106⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Ilihij32.exeC:\Windows\system32\Ilihij32.exe107⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Iebmaoed.exeC:\Windows\system32\Iebmaoed.exe108⤵
PID:2184 -
C:\Windows\SysWOW64\Jojaje32.exeC:\Windows\system32\Jojaje32.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Jfdigocb.exeC:\Windows\system32\Jfdigocb.exe110⤵
PID:2420 -
C:\Windows\SysWOW64\Jfffmo32.exeC:\Windows\system32\Jfffmo32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Jkcoee32.exeC:\Windows\system32\Jkcoee32.exe112⤵
PID:1936 -
C:\Windows\SysWOW64\Jhgonj32.exeC:\Windows\system32\Jhgonj32.exe113⤵
PID:3012 -
C:\Windows\SysWOW64\Jndgfqlh.exeC:\Windows\system32\Jndgfqlh.exe114⤵
PID:1652 -
C:\Windows\SysWOW64\Jbbpmo32.exeC:\Windows\system32\Jbbpmo32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Kgoief32.exeC:\Windows\system32\Kgoief32.exe116⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Kdcinjpo.exeC:\Windows\system32\Kdcinjpo.exe117⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Kkmakd32.exeC:\Windows\system32\Kkmakd32.exe118⤵
PID:3052 -
C:\Windows\SysWOW64\Kchfpf32.exeC:\Windows\system32\Kchfpf32.exe119⤵
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Knmjmodm.exeC:\Windows\system32\Knmjmodm.exe120⤵
PID:2776 -
C:\Windows\SysWOW64\Kgfoee32.exeC:\Windows\system32\Kgfoee32.exe121⤵
PID:2964 -
C:\Windows\SysWOW64\Kmbgnl32.exeC:\Windows\system32\Kmbgnl32.exe122⤵
PID:2308 -