Analysis

max time kernel: 58s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 07-09-2024 18:40
Static task: static1

Behavioral task: behavioral1
Sample: 0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe
Resource: win10v2004-20240802-en
General

Target: 0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe
Size: 59KB
MD5: cd665f756c5e3cc88723fb39a951f093
SHA1: 5c7532bc9552b5b8183ed75943c53e9c48814221
SHA256: 0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b
SHA512: cff8b0f88efa83829e284399b231d1ca8ca81600feb6a9822a8c41cccda7f380d1cd8813d17780c243a5e6ea24bd9117a5cc834cf482fff4ec884604589a938e
SSDEEP: 768:Hzabc8fOoUzpBh3IVxeobaNXyFHRNnB5hdAEJZ/1H5zr5nf1fZMEBFELvkVgFR:H2bc8fOokHUxQSljdlB9FNCyVs
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4104, pid_target: 3908, Process: WerFault.exe, procid_target: 365
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2256 wrote to memory of 2872 | 2256 | 0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe | 29 (listed 4 times)
PID 2872 wrote to memory of 2748 | 2872 | Ojpedn32.exe | 30 (listed 4 times)
PID 2748 wrote to memory of 2664 | 2748 | Obkjhpjj.exe | 31 (listed 4 times)
PID 2664 wrote to memory of 2828 | 2664 | Oobkna32.exe | 32 (listed 4 times)
PID 2828 wrote to memory of 2484 | 2828 | Oelcjkgk.exe | 33 (listed 4 times)
PID 2484 wrote to memory of 1744 | 2484 | Olhhmele.exe | 34 (listed 4 times)
PID 1744 wrote to memory of 2824 | 1744 | Oeqmek32.exe | 35 (listed 4 times)
PID 2824 wrote to memory of 2156 | 2824 | Pgdfbb32.exe | 36 (listed 4 times)
PID 2156 wrote to memory of 1380 | 2156 | Pieodn32.exe | 37 (listed 4 times)
PID 1380 wrote to memory of 272 | 1380 | Pdjcaf32.exe | 38 (listed 4 times)
PID 272 wrote to memory of 396 | 272 | Pdmpgfae.exe | 39 (listed 4 times)
PID 396 wrote to memory of 2600 | 396 | Pijhompm.exe | 40 (listed 4 times)
PID 2600 wrote to memory of 1700 | 2600 | Pofqhdnd.exe | 41 (listed 4 times)
PID 1700 wrote to memory of 684 | 1700 | Qpfmageg.exe | 42 (listed 4 times)
PID 684 wrote to memory of 2368 | 684 | Qokjcc32.exe | 43 (listed 4 times)
PID 2368 wrote to memory of 2072 | 2368 | Akbkhd32.exe | 44 (listed 4 times)
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0d2aa44e5a779ecd0c6b1bc3adcd3cd6ab85c97527e7ea1bd3b201c3e2d8583b.exe"), PID 2256
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
depth 2: C:\Windows\SysWOW64\Ojpedn32.exe (command line: C:\Windows\system32\Ojpedn32.exe), PID 2872
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
depth 3: C:\Windows\SysWOW64\Obkjhpjj.exe (command line: C:\Windows\system32\Obkjhpjj.exe), PID 2748
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 4: C:\Windows\SysWOW64\Oobkna32.exe (command line: C:\Windows\system32\Oobkna32.exe), PID 2664
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 5: C:\Windows\SysWOW64\Oelcjkgk.exe (command line: C:\Windows\system32\Oelcjkgk.exe), PID 2828
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 6: C:\Windows\SysWOW64\Olhhmele.exe (command line: C:\Windows\system32\Olhhmele.exe), PID 2484
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 7: C:\Windows\SysWOW64\Oeqmek32.exe (command line: C:\Windows\system32\Oeqmek32.exe), PID 1744
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
depth 8: C:\Windows\SysWOW64\Pgdfbb32.exe (command line: C:\Windows\system32\Pgdfbb32.exe), PID 2824
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 9: C:\Windows\SysWOW64\Pieodn32.exe (command line: C:\Windows\system32\Pieodn32.exe), PID 2156
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
depth 10: C:\Windows\SysWOW64\Pdjcaf32.exe (command line: C:\Windows\system32\Pdjcaf32.exe), PID 1380
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 11: C:\Windows\SysWOW64\Pdmpgfae.exe (command line: C:\Windows\system32\Pdmpgfae.exe), PID 272
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
depth 12: C:\Windows\SysWOW64\Pijhompm.exe (command line: C:\Windows\system32\Pijhompm.exe), PID 396
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
depth 13: C:\Windows\SysWOW64\Pofqhdnd.exe (command line: C:\Windows\system32\Pofqhdnd.exe), PID 2600
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 14: C:\Windows\SysWOW64\Qpfmageg.exe (command line: C:\Windows\system32\Qpfmageg.exe), PID 1700
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
depth 15: C:\Windows\SysWOW64\Qokjcc32.exe (command line: C:\Windows\system32\Qokjcc32.exe), PID 684
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 16: C:\Windows\SysWOW64\Akbkhd32.exe (command line: C:\Windows\system32\Akbkhd32.exe), PID 2368
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
depth 17: C:\Windows\SysWOW64\Aalcdngp.exe (command line: C:\Windows\system32\Aalcdngp.exe), PID 2072
- Executes dropped EXE
- Loads dropped DLL
depth 18: C:\Windows\SysWOW64\Abnpjnem.exe (command line: C:\Windows\system32\Abnpjnem.exe), PID 2024
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
depth 19: C:\Windows\SysWOW64\Agkhbece.exe (command line: C:\Windows\system32\Agkhbece.exe), PID 1096
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
depth 20: C:\Windows\SysWOW64\Adoili32.exe (command line: C:\Windows\system32\Adoili32.exe), PID 2376
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
depth 21: C:\Windows\SysWOW64\Angmdoho.exe (command line: C:\Windows\system32\Angmdoho.exe), PID 2184
- Executes dropped EXE
- Loads dropped DLL
depth 22: C:\Windows\SysWOW64\Ajnnipnc.exe (command line: C:\Windows\system32\Ajnnipnc.exe), PID 1800
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
depth 23: C:\Windows\SysWOW64\Bjqjoolp.exe (command line: C:\Windows\system32\Bjqjoolp.exe), PID 2956
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
depth 24: C:\Windows\SysWOW64\Bqjcli32.exe (command line: C:\Windows\system32\Bqjcli32.exe), PID 2424
- Executes dropped EXE
- Loads dropped DLL
depth 25: C:\Windows\SysWOW64\Bmacqj32.exe (command line: C:\Windows\system32\Bmacqj32.exe), PID 808
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
depth 26: C:\Windows\SysWOW64\Bkfqbgni.exe (command line: C:\Windows\system32\Bkfqbgni.exe), PID 368
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
depth 27: C:\Windows\SysWOW64\Bijakkmc.exe (command line: C:\Windows\system32\Bijakkmc.exe), PID 2328
- Executes dropped EXE
- Loads dropped DLL
depth 28: C:\Windows\SysWOW64\Bimnqk32.exe (command line: C:\Windows\system32\Bimnqk32.exe), PID 2684
- Executes dropped EXE
- Loads dropped DLL
depth 29: C:\Windows\SysWOW64\Cgbjbgph.exe (command line: C:\Windows\system32\Cgbjbgph.exe), PID 2792
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
depth 30: C:\Windows\SysWOW64\Cefkkk32.exe (command line: C:\Windows\system32\Cefkkk32.exe), PID 2768
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
depth 31: C:\Windows\SysWOW64\Cfidhcbm.exe (command line: C:\Windows\system32\Cfidhcbm.exe), PID 2108
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
depth 32: C:\Windows\SysWOW64\Caohfl32.exe (command line: C:\Windows\system32\Caohfl32.exe), PID 2560
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
depth 33: C:\Windows\SysWOW64\Clhifj32.exe (command line: C:\Windows\system32\Clhifj32.exe), PID 2968
- Executes dropped EXE
depth 34: C:\Windows\SysWOW64\Dmhfpmee.exe (command line: C:\Windows\system32\Dmhfpmee.exe), PID 2032
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
depth 35: C:\Windows\SysWOW64\Doibhekc.exe (command line: C:\Windows\system32\Doibhekc.exe), PID 588
- Executes dropped EXE
- Modifies registry class
depth 36: C:\Windows\SysWOW64\Dbgknc32.exe (command line: C:\Windows\system32\Dbgknc32.exe), PID 2952
- Executes dropped EXE
depth 37: C:\Windows\SysWOW64\Dhdcfj32.exe (command line: C:\Windows\system32\Dhdcfj32.exe), PID 548
- Executes dropped EXE
- System Location Discovery: System Language Discovery
depth 38: C:\Windows\SysWOW64\Dbihccpg.exe (command line: C:\Windows\system32\Dbihccpg.exe), PID 1708
- Executes dropped EXE
- Modifies registry class
depth 39: C:\Windows\SysWOW64\Dglmmf32.exe (command line: C:\Windows\system32\Dglmmf32.exe), PID 1456
- Executes dropped EXE
depth 40: C:\Windows\SysWOW64\Edpnfjap.exe (command line: C:\Windows\system32\Edpnfjap.exe), PID 472
- Executes dropped EXE
- System Location Discovery: System Language Discovery
depth 41: C:\Windows\SysWOW64\Emhbop32.exe (command line: C:\Windows\system32\Emhbop32.exe), PID 1232
- Executes dropped EXE
- Drops file in System32 directory
depth 42: C:\Windows\SysWOW64\Edbjljpm.exe (command line: C:\Windows\system32\Edbjljpm.exe), PID 1108
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
depth 43: C:\Windows\SysWOW64\Egpfheoa.exe (command line: C:\Windows\system32\Egpfheoa.exe), PID 1084
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
depth 44: C:\Windows\SysWOW64\Emjoep32.exe (command line: C:\Windows\system32\Emjoep32.exe), PID 2352
- Executes dropped EXE
depth 45: C:\Windows\SysWOW64\Ephkak32.exe (command line: C:\Windows\system32\Ephkak32.exe), PID 2216
- Executes dropped EXE
depth 46: C:\Windows\SysWOW64\Ecggmfde.exe (command line: C:\Windows\system32\Ecggmfde.exe), PID 2212
- Executes dropped EXE
- Drops file in System32 directory
depth 47: C:\Windows\SysWOW64\Epkhfkco.exe (command line: C:\Windows\system32\Epkhfkco.exe), PID 2064
- Executes dropped EXE
depth 48: C:\Windows\SysWOW64\Gobnljhp.exe (command line: C:\Windows\system32\Gobnljhp.exe), PID 920
- Executes dropped EXE
depth 49: C:\Windows\SysWOW64\Gflfidpl.exe (command line: C:\Windows\system32\Gflfidpl.exe), PID 1552
- Executes dropped EXE
- System Location Discovery: System Language Discovery
depth 50: C:\Windows\SysWOW64\Gfobndnj.exe (command line: C:\Windows\system32\Gfobndnj.exe), PID 1124
- Executes dropped EXE
depth 51: C:\Windows\SysWOW64\Ghmokomm.exe (command line: C:\Windows\system32\Ghmokomm.exe), PID 3024
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
depth 52: C:\Windows\SysWOW64\Gcbchhmc.exe (command line: C:\Windows\system32\Gcbchhmc.exe), PID 2196
- Executes dropped EXE
depth 53: C:\Windows\SysWOW64\Hnoane32.exe (command line: C:\Windows\system32\Hnoane32.exe), PID 2888
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
depth 54: C:\Windows\SysWOW64\Hggegknp.exe (command line: C:\Windows\system32\Hggegknp.exe), PID 1880
- Executes dropped EXE
depth 55: C:\Windows\SysWOW64\Hqojpqdp.exe (command line: C:\Windows\system32\Hqojpqdp.exe), PID 2816
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
depth 56: C:\Windows\SysWOW64\Hncjiecj.exe (command line: C:\Windows\system32\Hncjiecj.exe), PID 2132
- Executes dropped EXE
depth 57: C:\Windows\SysWOW64\Haafepbn.exe (command line: C:\Windows\system32\Haafepbn.exe), PID 2820
- Executes dropped EXE
depth 58: C:\Windows\SysWOW64\Hglobj32.exe (command line: C:\Windows\system32\Hglobj32.exe), PID 2732
- Executes dropped EXE
depth 59: C:\Windows\SysWOW64\Hmhgjahb.exe (command line: C:\Windows\system32\Hmhgjahb.exe), PID 2532
- Executes dropped EXE
- Drops file in System32 directory
depth 60: C:\Windows\SysWOW64\Hgnkgjgh.exe (command line: C:\Windows\system32\Hgnkgjgh.exe), PID 2628
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 61: C:\Windows\SysWOW64\Hiohob32.exe (command line: C:\Windows\system32\Hiohob32.exe), PID 1624
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 62: C:\Windows\SysWOW64\Ibglhhdf.exe (command line: C:\Windows\system32\Ibglhhdf.exe), PID 644
- Executes dropped EXE
- Drops file in System32 directory
depth 63: C:\Windows\SysWOW64\Iiaddb32.exe (command line: C:\Windows\system32\Iiaddb32.exe), PID 1920
- Executes dropped EXE
- Drops file in System32 directory
depth 64: C:\Windows\SysWOW64\Ipkmal32.exe (command line: C:\Windows\system32\Ipkmal32.exe), PID 2852
- Executes dropped EXE
- Drops file in System32 directory
depth 65: C:\Windows\SysWOW64\Iidajaiq.exe (command line: C:\Windows\system32\Iidajaiq.exe), PID 2924
- Executes dropped EXE
- System Location Discovery: System Language Discovery
depth 66: C:\Windows\SysWOW64\Ipnigl32.exe (command line: C:\Windows\system32\Ipnigl32.exe), PID 2736
depth 67: C:\Windows\SysWOW64\Iekbob32.exe (command line: C:\Windows\system32\Iekbob32.exe), PID 600
depth 68: C:\Windows\SysWOW64\Ibobhgno.exe (command line: C:\Windows\system32\Ibobhgno.exe), PID 2420
- System Location Discovery: System Language Discovery
depth 69: C:\Windows\SysWOW64\Iihkea32.exe (command line: C:\Windows\system32\Iihkea32.exe), PID 2348
depth 70: C:\Windows\SysWOW64\Ipbcbkmh.exe (command line: C:\Windows\system32\Ipbcbkmh.exe), PID 2096
depth 71: C:\Windows\SysWOW64\Iacojc32.exe (command line: C:\Windows\system32\Iacojc32.exe), PID 1464
depth 72: C:\Windows\SysWOW64\Johpcgap.exe (command line: C:\Windows\system32\Johpcgap.exe), PID 1200
depth 73: C:\Windows\SysWOW64\Jddhknpg.exe (command line: C:\Windows\system32\Jddhknpg.exe), PID 1492
- Adds autorun key to be loaded by Explorer.exe on startup
depth 74: C:\Windows\SysWOW64\Jahieboa.exe (command line: C:\Windows\system32\Jahieboa.exe), PID 2720
- Modifies registry class
depth 75: C:\Windows\SysWOW64\Jdgeanne.exe (command line: C:\Windows\system32\Jdgeanne.exe), PID 3032
depth 76: C:\Windows\SysWOW64\Jpnffoci.exe (command line: C:\Windows\system32\Jpnffoci.exe), PID 2700
- System Location Discovery: System Language Discovery
- Modifies registry class
depth 77: C:\Windows\SysWOW64\Jkcjchco.exe (command line: C:\Windows\system32\Jkcjchco.exe), PID 2708
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
depth 78: C:\Windows\SysWOW64\Jbnogjqj.exe (command line: C:\Windows\system32\Jbnogjqj.exe), PID 776
- System Location Discovery: System Language Discovery
- Modifies registry class
depth 79: C:\Windows\SysWOW64\Jpboan32.exe (command line: C:\Windows\system32\Jpboan32.exe), PID 3008
depth 80: C:\Windows\SysWOW64\Klipfpeh.exe (command line: C:\Windows\system32\Klipfpeh.exe), PID 2236
- System Location Discovery: System Language Discovery
depth 81: C:\Windows\SysWOW64\Koglbkdl.exe (command line: C:\Windows\system32\Koglbkdl.exe), PID 1712
depth 82: C:\Windows\SysWOW64\Kimpocda.exe (command line: C:\Windows\system32\Kimpocda.exe), PID 1504
depth 83: C:\Windows\SysWOW64\Kpgiln32.exe (command line: C:\Windows\system32\Kpgiln32.exe), PID 2220
- Drops file in System32 directory
depth 84: C:\Windows\SysWOW64\Kedaddif.exe (command line: C:\Windows\system32\Kedaddif.exe), PID 3028
depth 85: C:\Windows\SysWOW64\Klniao32.exe (command line: C:\Windows\system32\Klniao32.exe), PID 2284
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
depth 86: C:\Windows\SysWOW64\Kajbie32.exe (command line: C:\Windows\system32\Kajbie32.exe), PID 2084
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
depth 87: C:\Windows\SysWOW64\Khdjfpfg.exe (command line: C:\Windows\system32\Khdjfpfg.exe), PID 936
- System Location Discovery: System Language Discovery
- Modifies registry class
depth 88: C:\Windows\SysWOW64\Kehjpd32.exe (command line: C:\Windows\system32\Kehjpd32.exe), PID 1384
depth 89: C:\Windows\SysWOW64\Kkechk32.exe (command line: C:\Windows\system32\Kkechk32.exe), PID 1104
- System Location Discovery: System Language Discovery
depth 90: C:\Windows\SysWOW64\Lpbkpa32.exe (command line: C:\Windows\system32\Lpbkpa32.exe), PID 2344
depth 91: C:\Windows\SysWOW64\Lhicao32.exe (command line: C:\Windows\system32\Lhicao32.exe), PID 2308
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
depth 92: C:\Windows\SysWOW64\Ljjpighp.exe (command line: C:\Windows\system32\Ljjpighp.exe), PID 1724
- Modifies registry class
depth 93: C:\Windows\SysWOW64\Ldpdfp32.exe (command line: C:\Windows\system32\Ldpdfp32.exe), PID 2760
- Modifies registry class
depth 94: C:\Windows\SysWOW64\Lgnqbl32.exe (command line: C:\Windows\system32\Lgnqbl32.exe), PID 2752
- Modifies registry class
depth 95: C:\Windows\SysWOW64\Ljmmng32.exe (command line: C:\Windows\system32\Ljmmng32.exe), PID 1860
depth 96: C:\Windows\SysWOW64\Lpgekanj.exe (command line: C:\Windows\system32\Lpgekanj.exe), PID 2716
depth 97: C:\Windows\SysWOW64\Lnkedemc.exe (command line: C:\Windows\system32\Lnkedemc.exe), PID 1960
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
depth 98: C:\Windows\SysWOW64\Lffjih32.exe (command line: C:\Windows\system32\Lffjih32.exe), PID 1928
- Modifies registry class
depth 99: C:\Windows\SysWOW64\Llpbeaak.exe (command line: C:\Windows\system32\Llpbeaak.exe), PID 2008
depth 100: C:\Windows\SysWOW64\Lfhgng32.exe (command line: C:\Windows\system32\Lfhgng32.exe), PID 608
depth 101: C:\Windows\SysWOW64\Mhfckc32.exe (command line: C:\Windows\system32\Mhfckc32.exe), PID 2916
depth 102: C:\Windows\SysWOW64\Mclghl32.exe (command line: C:\Windows\system32\Mclghl32.exe), PID 300
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
depth 103: C:\Windows\SysWOW64\Mhippbem.exe (command line: C:\Windows\system32\Mhippbem.exe), PID 2068
depth 104: C:\Windows\SysWOW64\Mnfhhicd.exe (command line: C:\Windows\system32\Mnfhhicd.exe), PID 1732
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
depth 105: C:\Windows\SysWOW64\Mhklfbcj.exe (command line: C:\Windows\system32\Mhklfbcj.exe), PID 2476
- System Location Discovery: System Language Discovery
- Modifies registry class
depth 106: C:\Windows\SysWOW64\Mnheniaa.exe (command line: C:\Windows\system32\Mnheniaa.exe), PID 2784
depth 107: C:\Windows\SysWOW64\Minika32.exe (command line: C:\Windows\system32\Minika32.exe), PID 2572
- Modifies registry class
depth 108: C:\Windows\SysWOW64\Mbfndggh.exe (command line: C:\Windows\system32\Mbfndggh.exe), PID 2652
depth 109: C:\Windows\SysWOW64\Mgcflnfp.exe (command line: C:\Windows\system32\Mgcflnfp.exe), PID 2860
- Adds autorun key to be loaded by Explorer.exe on startup
depth 110: C:\Windows\SysWOW64\Mqkked32.exe (command line: C:\Windows\system32\Mqkked32.exe), PID 1680
- Modifies registry class
depth 111: C:\Windows\SysWOW64\Ngecbndm.exe (command line: C:\Windows\system32\Ngecbndm.exe), PID 1580
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
depth 112: C:\Windows\SysWOW64\Nnokohkj.exe (command line: C:\Windows\system32\Nnokohkj.exe), PID 2844
depth 113: C:\Windows\SysWOW64\Njflci32.exe (command line: C:\Windows\system32\Njflci32.exe), PID 1548
depth 114: C:\Windows\SysWOW64\Ncnplogn.exe (command line: C:\Windows\system32\Ncnplogn.exe), PID 560
depth 115: C:\Windows\SysWOW64\Nmgeedno.exe (command line: C:\Windows\system32\Nmgeedno.exe), PID 1012
depth 116: C:\Windows\SysWOW64\Nfoinj32.exe (command line: C:\Windows\system32\Nfoinj32.exe), PID 336
- Modifies registry class
depth 117: C:\Windows\SysWOW64\Nllafq32.exe (command line: C:\Windows\system32\Nllafq32.exe), PID 2092
- Adds autorun key to be loaded by Explorer.exe on startup
depth 118: C:\Windows\SysWOW64\Nipbpe32.exe (command line: C:\Windows\system32\Nipbpe32.exe), PID 1540
- Drops file in System32 directory
depth 119: C:\Windows\SysWOW64\Obhfhj32.exe (command line: C:\Windows\system32\Obhfhj32.exe), PID 2936
depth 120: C:\Windows\SysWOW64\Oiboedpn.exe (command line: C:\Windows\system32\Oiboedpn.exe), PID 2672
depth 121: C:\Windows\SysWOW64\Ojckmm32.exe (command line: C:\Windows\system32\Ojckmm32.exe), PID 1168
depth 122: C:\Windows\SysWOW64\Oamcjgmi.exe (command line: C:\Windows\system32\Oamcjgmi.exe), PID 2248
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery