Analysis
max time kernel: 118s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-09-2024 11:15

Static task: static1
Behavioral task: behavioral1
  Sample: 93153a0296a2e4c5deb4cfca1c4958d0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 93153a0296a2e4c5deb4cfca1c4958d0N.exe
  Resource: win10v2004-20240802-en

This page covers the behavioral1 run (Windows 7 x64, image win7-20240903-en).
General
Target: 93153a0296a2e4c5deb4cfca1c4958d0N.exe
Size: 487KB
MD5: 93153a0296a2e4c5deb4cfca1c4958d0
SHA1: a91501110d661fee49e87b7c7a59a89497f99e0d
SHA256: 6c76fb7ed2d8920c1b72fe7d8c856c6541e047743ffefe9b8ffad041dede6138
SHA512: a94bf191e834dd3d3771a58b7532d3e41d0658b323f1483bc594b0869a503dcc183fb9d8e6fcac0df64640a4ac677e0baab3bdea9a922758ba7b2b79c5f111fe
SSDEEP: 6144:b3S/Wx5I2y/JAQ///NR5fLYG3eujPQ///NR5f:rS/JTx/NcZ7/N
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 IoCs in this signature touch the ShellServiceObjectDelayLoad (SSODL) key. Explorer.exe instantiates every CLSID listed under that key when the shell starts, loading the DLL registered as that CLSID's InProcServer32 (see "Modifies registry class" below), so this is COM-based persistence rather than a conventional Run key. The Wow6432Node path is consistent with a 32-bit sample running under WOW64 on the x64 guest. Two distinct IoCs recur, each performed by many of the dropped executables:

Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  31 processes: Bqnidh32.exe, Lhehnlqf.exe, Cnaempnp.exe, Ghlhpiia.exe, Cpmpbncn.exe, Jepnck32.exe, Kbfgab32.exe, Gfocjhdd.exe, Aekenl32.exe, Ehaleg32.exe, Ngpokkgb.exe, Fpcicapk.exe, Pibkdhbi.exe, Adhnillo.exe, Gmeificb.exe, Ongijbja.exe, Adjkol32.exe, Aqcmkjje.exe, Fcnmne32.exe, Aohbaq32.exe, Ahdqdahc.exe, Loaaab32.exe, Ffbkkkcb.exe, Qagiio32.exe, Ghjkki32.exe, Onojfd32.exe, Jaonlj32.exe, Pjccjblp.exe, Mkggkphi.exe, Peaagl32.exe, Nggpgn32.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  33 processes: Dnlafm32.exe, Hobeipoc.exe, Qofjmnji.exe, Dqjghb32.exe, Dlfnlofp.exe, Fnlhibff.exe, Ghlhpiia.exe, Hcbapdgc.exe, Pmcjceam.exe, Apdodc32.exe, Dehdpnok.exe, Gdimlllq.exe, Mkggkphi.exe, Bmmkao32.exe, Cacjebbl.exe, Bghcjk32.exe, Gacblhii.exe, Ghebpjpj.exe, Mofnek32.exe, Adhnillo.exe, Fljcnl32.exe, Ofgfio32.exe, Onmmad32.exe, Cfdflfjk.exe, Gmbffc32.exe, Geghlg32.exe, Labjcmqf.exe, Dnkjlg32.exe, Bdlakf32.exe, Bdnnpf32.exe, Qagiio32.exe, Lnhioeof.exe, Ghjkki32.exe
Executes dropped EXE (64 IoCs)
Every dropped image has an eight-character name (many ending in "32") and lives in C:\Windows\SysWOW64 (see "Drops file in System32 directory"). The first entries are in the same order as the parent-to-child hand-offs recorded under "Suspicious use of WriteProcessMemory" below.

pid   Process
2872  Nelgkhdp.exe
2688  Nmglpjak.exe
2132  Nhmpmcaq.exe
2572  Ofgfio32.exe
2704  Obngnphg.exe
364   Oabdol32.exe
2856  Qagiio32.exe
2388  Aqcmkjje.exe
1680  Akiahcik.exe
1928  Bfjhippb.exe
1500  Bkfqbgni.exe
1080  Beoekl32.exe
828   Cmclem32.exe
2912  Dehdpnok.exe
2020  Daoeeo32.exe
1076  Epkhfkco.exe
940   Fcnmne32.exe
916   Fnlhibff.exe
1440  Gdimlllq.exe
1448  Giolpo32.exe
2160  Gnldhf32.exe
1640  Hncjiecj.exe
1060  Hcpbalaa.exe
2392  Hmhgjahb.exe
1596  Ifeenfjm.exe
3048  Jjldbiig.exe
2740  Jhpdlm32.exe
2676  Jmoijc32.exe
2532  Jmdcecpp.exe
2548  Kikcjdfd.exe
2716  Kpdlfn32.exe
2860  Kehjpd32.exe
644   Koaohila.exe
1876  Lnhioeof.exe
692   Ljafifbh.exe
552   Lbmknipc.exe
1920  Mdmdpd32.exe
1260  Mhklfbcj.exe
2852  Mgqigohb.exe
2904  Mqkked32.exe
3064  Nggpgn32.exe
2112  Njflci32.exe
2900  Ncnplogn.exe
1900  Odlpfblm.exe
1384  Omddohbm.exe
2344  Ojhehlag.exe
1148  Pfabbmeh.exe
1492  Pmkjog32.exe
2624  Pibkdhbi.exe
2788  Peiliihm.exe
2964  Phiekdeo.exe
2540  Pboihm32.exe
2700  Qofjmnji.exe
2824  Qdbbedhp.exe
2384  Qnkgnj32.exe
1712  Akoghnnj.exe
2008  Apnlee32.exe
1708  Aekenl32.exe
2924  Afmack32.exe
1916  Acabmpem.exe
792   Aohbaq32.exe
920   Bdekjg32.exe
628   Bnmpcmpi.exe
1552  Bkapla32.exe
Loads dropped DLL (64 IoCs)
Each pid/process pair below appears twice in the report's table; it is listed once here.

pid   Process
2276  93153a0296a2e4c5deb4cfca1c4958d0N.exe
2872  Nelgkhdp.exe
2688  Nmglpjak.exe
2132  Nhmpmcaq.exe
2572  Ofgfio32.exe
2704  Obngnphg.exe
364   Oabdol32.exe
2856  Qagiio32.exe
2388  Aqcmkjje.exe
1680  Akiahcik.exe
1928  Bfjhippb.exe
1500  Bkfqbgni.exe
1080  Beoekl32.exe
828   Cmclem32.exe
2912  Dehdpnok.exe
2020  Daoeeo32.exe
1076  Epkhfkco.exe
940   Fcnmne32.exe
916   Fnlhibff.exe
1440  Gdimlllq.exe
1448  Giolpo32.exe
2160  Gnldhf32.exe
1640  Hncjiecj.exe
1060  Hcpbalaa.exe
2392  Hmhgjahb.exe
1596  Ifeenfjm.exe
3048  Jjldbiig.exe
2740  Jhpdlm32.exe
2676  Jmoijc32.exe
2532  Jmdcecpp.exe
2548  Kikcjdfd.exe
2716  Kpdlfn32.exe
Drops file in System32 directory (64 IoCs)
Two kinds of artefact appear under C:\Windows\SysWOW64: next-stage executables, several of which are the same images later listed under "Executes dropped EXE" (Mqkked32.exe, Ncnplogn.exe, Lbmknipc.exe), and DLLs, several of which are the same files registered as the CLSID's InProcServer32 under "Modifies registry class" (Kjcphd32.dll by Qofjmnji.exe, Cnodol32.dll by Nfpkgblc.exe).

description                   ioc                               Process
File created                  C:\Windows\SysWOW64\Obkkmcdb.dll  Qepdbpii.exe
File opened for modification  C:\Windows\SysWOW64\Mqkked32.exe  Mgqigohb.exe
File opened for modification  C:\Windows\SysWOW64\Ncnplogn.exe  Njflci32.exe
File created                  C:\Windows\SysWOW64\Kjcphd32.dll  Qofjmnji.exe
File opened for modification  C:\Windows\SysWOW64\Jifmgman.exe  Jgccjenb.exe
File opened for modification  C:\Windows\SysWOW64\Lbmknipc.exe  Ljafifbh.exe
File opened for modification  C:\Windows\SysWOW64\Pmkjog32.exe  Pfabbmeh.exe
File created                  C:\Windows\SysWOW64\Bciaqnje.exe  Bjamhh32.exe
File opened for modification  C:\Windows\SysWOW64\Aqcmkjje.exe  Qagiio32.exe
File opened for modification  C:\Windows\SysWOW64\Pboihm32.exe  Phiekdeo.exe
File created                  C:\Windows\SysWOW64\Jboapc32.exe  Jifmgman.exe
File created                  C:\Windows\SysWOW64\Ghebpjpj.exe  Fpjmkhbo.exe
File created                  C:\Windows\SysWOW64\Cmhcbm32.dll  Pnicgi32.exe
File opened for modification  C:\Windows\SysWOW64\Ijofbnlm.exe  Ioibde32.exe
File opened for modification  C:\Windows\SysWOW64\Aiacamhm.exe  Aiofln32.exe
File created                  C:\Windows\SysWOW64\Ffkejlij.exe  Fanlbekb.exe
File opened for modification  C:\Windows\SysWOW64\Ofjgpp32.exe  Omacgjhh.exe
File opened for modification  C:\Windows\SysWOW64\Pjccjblp.exe  Piojmj32.exe
File created                  C:\Windows\SysWOW64\Ebofpc32.exe  Ebmikdml.exe
File opened for modification  C:\Windows\SysWOW64\Dmbbjjhj.exe  Dbmnla32.exe
File created                  C:\Windows\SysWOW64\Cdbfahdg.dll  Ioibde32.exe
File created                  C:\Windows\SysWOW64\Mqfgok32.dll  Nclfpg32.exe
File opened for modification  C:\Windows\SysWOW64\Qepdbpii.exe  Qjkpegic.exe
File created                  C:\Windows\SysWOW64\Cmohhofn.dll  Fbobog32.exe
File created                  C:\Windows\SysWOW64\Nmlgcbei.exe  Ngpokkgb.exe
File opened for modification  C:\Windows\SysWOW64\Mdbocl32.exe  Mabfaqca.exe
File created                  C:\Windows\SysWOW64\Nnglkgkb.dll  Biobkamk.exe
File opened for modification  C:\Windows\SysWOW64\Gcebfqbd.exe  Gjmnmk32.exe
File created                  C:\Windows\SysWOW64\Dnogam32.dll  Hhdgdg32.exe
File created                  C:\Windows\SysWOW64\Aolpph32.dll  Piejbpgk.exe
File created                  C:\Windows\SysWOW64\Qjdkpm32.dll  Kmanmi32.exe
File created                  C:\Windows\SysWOW64\Demdkkpb.dll  Dblgbk32.exe
File created                  C:\Windows\SysWOW64\Caegne32.dll  Eijegdfb.exe
File created                  C:\Windows\SysWOW64\Oaecne32.exe  Ohmneokp.exe
File created                  C:\Windows\SysWOW64\Ofjgpp32.exe  Omacgjhh.exe
File created                  C:\Windows\SysWOW64\Ckeqca32.dll  Cqhdnfpp.exe
File created                  C:\Windows\SysWOW64\Jgeabpog.dll  Ffkejlij.exe
File created                  C:\Windows\SysWOW64\Jijnlnha.dll  Mmhplk32.exe
File opened for modification  C:\Windows\SysWOW64\Fcnmne32.exe  Epkhfkco.exe
File created                  C:\Windows\SysWOW64\Ikjlij32.exe  Hkhodk32.exe
File created                  C:\Windows\SysWOW64\Jjldbiig.exe  Ifeenfjm.exe
File opened for modification  C:\Windows\SysWOW64\Iodnncol.exe  Ijgfflae.exe
File created                  C:\Windows\SysWOW64\Jaonlj32.exe  Jicigg32.exe
File opened for modification  C:\Windows\SysWOW64\Jbegpn32.exe  Iodnncol.exe
File created                  C:\Windows\SysWOW64\Kfppop32.exe  Kcofnejq.exe
File created                  C:\Windows\SysWOW64\Kjpekn32.exe  Kcfmnd32.exe
File created                  C:\Windows\SysWOW64\Hoobin32.dll  Omacgjhh.exe
File created                  C:\Windows\SysWOW64\Fadoqc32.exe  Fbobog32.exe
File created                  C:\Windows\SysWOW64\Peaagl32.exe  Ongijbja.exe
File created                  C:\Windows\SysWOW64\Efchog32.exe  Eqfogp32.exe
File created                  C:\Windows\SysWOW64\Hdkoelai.dll  Pdhhepmo.exe
File created                  C:\Windows\SysWOW64\Mjdalj32.dll  Hnfigmhk.exe
File created                  C:\Windows\SysWOW64\Blmdnmbn.dll  Jjocaaoh.exe
File created                  C:\Windows\SysWOW64\Okcjphdc.exe  Onojfd32.exe
File created                  C:\Windows\SysWOW64\Mcdflilm.exe  Mofnek32.exe
File created                  C:\Windows\SysWOW64\Cnodol32.dll  Nfpkgblc.exe
File created                  C:\Windows\SysWOW64\Fhfllb32.dll  Gacblhii.exe
File created                  C:\Windows\SysWOW64\Mceidb32.exe  Mmhplk32.exe
File created                  C:\Windows\SysWOW64\Dhfgpj32.dll  Ndgiok32.exe
File created                  C:\Windows\SysWOW64\Kponlmga.dll  Dbbmaf32.exe
File opened for modification  C:\Windows\SysWOW64\Jjloak32.exe  Jbegpn32.exe
File opened for modification  C:\Windows\SysWOW64\Gfocjhdd.exe  Gpekmnmh.exe
File opened for modification  C:\Windows\SysWOW64\Mdmdpd32.exe  Lbmknipc.exe
File created                  C:\Windows\SysWOW64\Oppmkm32.exe  Obllai32.exe
Program crash (1 IoC)

pid   pid_target  Process       procid_target
1448  3884        WerFault.exe  353

Pid 1448 is also listed as Giolpo32.exe under "Executes dropped EXE", so that pid number was reused during the run.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. All 64 IoCs are the same read ("Key opened") of the NLS\Language key; the report records only that the key was opened, not which value was read or what decision followed.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  64 processes: Nggpgn32.exe, Qnkgnj32.exe, Eiibok32.exe, Mhaodqje.exe, Bjamhh32.exe, Dblgbk32.exe, Ofgfio32.exe, Cmclem32.exe, Onojfd32.exe, Gmeificb.exe, Omacgjhh.exe, Ijofbnlm.exe, Loaaab32.exe, Peaagl32.exe, Ohmneokp.exe, Enncqjna.exe, Eheeqgmn.exe, Oaecne32.exe, Ancfbhdh.exe, Hajogm32.exe, Mabfaqca.exe, Jicigg32.exe, Beoekl32.exe, Mhklfbcj.exe, Oqkbbi32.exe, Mlenijej.exe, Ifeenfjm.exe, Cdadie32.exe, Hkccpb32.exe, Mdkbhf32.exe, Ionlpdha.exe, Gacblhii.exe, Cacjebbl.exe, Ojhehlag.exe, Cqokoeig.exe, Jjloak32.exe, Mceidb32.exe, Fadoqc32.exe, Acabmpem.exe, Hobeipoc.exe, Papogbef.exe, Dqjghb32.exe, Jhpdlm32.exe, Jifmgman.exe, Lbemeo32.exe, Pfjcocad.exe, Hhgfbpdk.exe, Qagiio32.exe, Lbmknipc.exe, Bpcdhp32.exe, Nkipoc32.exe, Alponiga.exe, Aldhih32.exe, Fcacfd32.exe, Labjcmqf.exe, Hnfigmhk.exe, Pibkdhbi.exe, Nmlgcbei.exe, Dmhhie32.exe, Ofjgpp32.exe, Cpmpbncn.exe, Jmoijc32.exe, Bciaqnje.exe, Kjaled32.exe
Modifies registry class (64 IoCs)
All 64 IoCs concern CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, the same CLSID the SSODL entry above names. Processes in the chain create its InProcServer32 subkey, set ThreadingModel = "Apartment" and point the default value at their own freshly dropped DLL under C:\Windows\SysWow64, so the single persisted SSODL entry always resolves to the newest DLL. Several of those DLL paths match "File created" rows under "Drops file in System32 directory" (Kjcphd32.dll by Qofjmnji.exe, Cnodol32.dll by Nfpkgblc.exe). Three distinct IoC shapes occur:

Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
  27 processes: Cpkclnea.exe, Jjocaaoh.exe, Ncnplogn.exe, Giolpo32.exe, Pibkdhbi.exe, Fpjmkhbo.exe, Hhdgdg32.exe, Fljcnl32.exe, Daoeeo32.exe, Ngpokkgb.exe, Omodibcg.exe, Geghlg32.exe, Bkapla32.exe, Eaacch32.exe, Nkipoc32.exe, Dnlafm32.exe, Dmbbjjhj.exe, Dplnpp32.exe, Pnjepahn.exe, Kphdhenb.exe, Ngkhiebk.exe, Lbmknipc.exe, Ahdqdahc.exe, Gcebfqbd.exe, Pjccjblp.exe, Nfmoabnf.exe, Kjaled32.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
  18 processes: Ionlpdha.exe, Enijek32.exe, Akiahcik.exe, Ddcfca32.exe, Dplnpp32.exe, Mceidb32.exe, Hncjiecj.exe, Ahamdk32.exe, Adhnillo.exe, Ndaehi32.exe, Dmlnbd32.exe, Dehdpnok.exe, Qmhcnd32.exe, Cgjlonld.exe, Cchdlb32.exe, Phfaknce.exe, Dnkjlg32.exe, Lkpaja32.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "<DLL path>" (the key's default value), 19 IoCs:
  ioc                                    Process
  "C:\\Windows\\SysWow64\\Llfkmdlc.dll"  Dehdpnok.exe
  "C:\\Windows\\SysWow64\\Bojdkqpm.dll"  Jepnck32.exe
  "C:\\Windows\\SysWow64\\Bkopmiic.dll"  Nqpfil32.exe
  "C:\\Windows\\SysWow64\\Iqkkbhoi.dll"  Fcacfd32.exe
  "C:\\Windows\\SysWow64\\Ahefmala.dll"  Fpjmkhbo.exe
  "C:\\Windows\\SysWow64\\Gkijjioo.dll"  Cpmpbncn.exe
  "C:\\Windows\\SysWow64\\Kpipkb32.dll"  Ghebpjpj.exe
  "C:\\Windows\\SysWow64\\Opbhpnmp.dll"  Ngkhiebk.exe
  "C:\\Windows\\SysWow64\\Mnkbknjo.dll"  Mofnek32.exe
  "C:\\Windows\\SysWow64\\Djanahia.dll"  Qhadob32.exe
  "C:\\Windows\\SysWow64\\Blngqgco.dll"  Onmmad32.exe
  "C:\\Windows\\SysWow64\\Jffomdam.dll"  Jaajaikm.exe
  "C:\\Windows\\SysWow64\\Bjeeio32.dll"  Mkbnpaln.exe
  "C:\\Windows\\SysWow64\\Geflbg32.dll"  Acabmpem.exe
  "C:\\Windows\\SysWow64\\Iccngdqj.dll"  Bkapla32.exe
  "C:\\Windows\\SysWow64\\Kjcphd32.dll"  Qofjmnji.exe
  "C:\\Windows\\SysWow64\\Cnodol32.dll"  Nfpkgblc.exe
  "C:\\Windows\\SysWow64\\Hcnccd32.dll"  Ongijbja.exe
  "C:\\Windows\\SysWow64\\Napdfalf.dll"  Mqkked32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2276 wrote to memory of 2872 2276 93153a0296a2e4c5deb4cfca1c4958d0N.exe 29
PID 2276 wrote to memory of 2872 2276 93153a0296a2e4c5deb4cfca1c4958d0N.exe 29
PID 2276 wrote to memory of 2872 2276 93153a0296a2e4c5deb4cfca1c4958d0N.exe 29
PID 2276 wrote to memory of 2872 2276 93153a0296a2e4c5deb4cfca1c4958d0N.exe 29
PID 2872 wrote to memory of 2688 2872 Nelgkhdp.exe 30
PID 2872 wrote to memory of 2688 2872 Nelgkhdp.exe 30
PID 2872 wrote to memory of 2688 2872 Nelgkhdp.exe 30
PID 2872 wrote to memory of 2688 2872 Nelgkhdp.exe 30
PID 2688 wrote to memory of 2132 2688 Nmglpjak.exe 31
PID 2688 wrote to memory of 2132 2688 Nmglpjak.exe 31
PID 2688 wrote to memory of 2132 2688 Nmglpjak.exe 31
PID 2688 wrote to memory of 2132 2688 Nmglpjak.exe 31
PID 2132 wrote to memory of 2572 2132 Nhmpmcaq.exe 32
PID 2132 wrote to memory of 2572 2132 Nhmpmcaq.exe 32
PID 2132 wrote to memory of 2572 2132 Nhmpmcaq.exe 32
PID 2132 wrote to memory of 2572 2132 Nhmpmcaq.exe 32
PID 2572 wrote to memory of 2704 2572 Ofgfio32.exe 33
PID 2572 wrote to memory of 2704 2572 Ofgfio32.exe 33
PID 2572 wrote to memory of 2704 2572 Ofgfio32.exe 33
PID 2572 wrote to memory of 2704 2572 Ofgfio32.exe 33
PID 2704 wrote to memory of 364 2704 Obngnphg.exe 34
PID 2704 wrote to memory of 364 2704 Obngnphg.exe 34
PID 2704 wrote to memory of 364 2704 Obngnphg.exe 34
PID 2704 wrote to memory of 364 2704 Obngnphg.exe 34
PID 364 wrote to memory of 2856 364 Oabdol32.exe 35
PID 364 wrote to memory of 2856 364 Oabdol32.exe 35
PID 364 wrote to memory of 2856 364 Oabdol32.exe 35
PID 364 wrote to memory of 2856 364 Oabdol32.exe 35
PID 2856 wrote to memory of 2388 2856 Qagiio32.exe 36
PID 2856 wrote to memory of 2388 2856 Qagiio32.exe 36
PID 2856 wrote to memory of 2388 2856 Qagiio32.exe 36
PID 2856 wrote to memory of 2388 2856 Qagiio32.exe 36
PID 2388 wrote to memory of 1680 2388 Aqcmkjje.exe 37
PID 2388 wrote to memory of 1680 2388 Aqcmkjje.exe 37
PID 2388 wrote to memory of 1680 2388 Aqcmkjje.exe 37
PID 2388 wrote to memory of 1680 2388 Aqcmkjje.exe 37
PID 1680 wrote to memory of 1928 1680 Akiahcik.exe 38
PID 1680 wrote to memory of 1928 1680 Akiahcik.exe 38
PID 1680 wrote to memory of 1928 1680 Akiahcik.exe 38
PID 1680 wrote to memory of 1928 1680 Akiahcik.exe 38
PID 1928 wrote to memory of 1500 1928 Bfjhippb.exe 39
PID 1928 wrote to memory of 1500 1928 Bfjhippb.exe 39
PID 1928 wrote to memory of 1500 1928 Bfjhippb.exe 39
PID 1928 wrote to memory of 1500 1928 Bfjhippb.exe 39
PID 1500 wrote to memory of 1080 1500 Bkfqbgni.exe 40
PID 1500 wrote to memory of 1080 1500 Bkfqbgni.exe 40
PID 1500 wrote to memory of 1080 1500 Bkfqbgni.exe 40
PID 1500 wrote to memory of 1080 1500 Bkfqbgni.exe 40
PID 1080 wrote to memory of 828 1080 Beoekl32.exe 41
PID 1080 wrote to memory of 828 1080 Beoekl32.exe 41
PID 1080 wrote to memory of 828 1080 Beoekl32.exe 41
PID 1080 wrote to memory of 828 1080 Beoekl32.exe 41
PID 828 wrote to memory of 2912 828 Cmclem32.exe 42
PID 828 wrote to memory of 2912 828 Cmclem32.exe 42
PID 828 wrote to memory of 2912 828 Cmclem32.exe 42
PID 828 wrote to memory of 2912 828 Cmclem32.exe 42
PID 2912 wrote to memory of 2020 2912 Dehdpnok.exe 43
PID 2912 wrote to memory of 2020 2912 Dehdpnok.exe 43
PID 2912 wrote to memory of 2020 2912 Dehdpnok.exe 43
PID 2912 wrote to memory of 2020 2912 Dehdpnok.exe 43
PID 2020 wrote to memory of 1076 2020 Daoeeo32.exe 44
PID 2020 wrote to memory of 1076 2020 Daoeeo32.exe 44
PID 2020 wrote to memory of 1076 2020 Daoeeo32.exe 44
PID 2020 wrote to memory of 1076 2020 Daoeeo32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\93153a0296a2e4c5deb4cfca1c4958d0N.exe"C:\Users\Admin\AppData\Local\Temp\93153a0296a2e4c5deb4cfca1c4958d0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Nelgkhdp.exeC:\Windows\system32\Nelgkhdp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Nmglpjak.exeC:\Windows\system32\Nmglpjak.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Nhmpmcaq.exeC:\Windows\system32\Nhmpmcaq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Ofgfio32.exeC:\Windows\system32\Ofgfio32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Obngnphg.exeC:\Windows\system32\Obngnphg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Oabdol32.exeC:\Windows\system32\Oabdol32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Windows\SysWOW64\Qagiio32.exeC:\Windows\system32\Qagiio32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Aqcmkjje.exeC:\Windows\system32\Aqcmkjje.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Akiahcik.exeC:\Windows\system32\Akiahcik.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Bfjhippb.exeC:\Windows\system32\Bfjhippb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Bkfqbgni.exeC:\Windows\system32\Bkfqbgni.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Beoekl32.exeC:\Windows\system32\Beoekl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Cmclem32.exeC:\Windows\system32\Cmclem32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Dehdpnok.exeC:\Windows\system32\Dehdpnok.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Daoeeo32.exeC:\Windows\system32\Daoeeo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Epkhfkco.exeC:\Windows\system32\Epkhfkco.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Fcnmne32.exeC:\Windows\system32\Fcnmne32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Fnlhibff.exeC:\Windows\system32\Fnlhibff.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Gdimlllq.exeC:\Windows\system32\Gdimlllq.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1440 -
C:\Windows\SysWOW64\Giolpo32.exeC:\Windows\system32\Giolpo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Gnldhf32.exeC:\Windows\system32\Gnldhf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Hncjiecj.exeC:\Windows\system32\Hncjiecj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Hcpbalaa.exeC:\Windows\system32\Hcpbalaa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060 -
C:\Windows\SysWOW64\Hmhgjahb.exeC:\Windows\system32\Hmhgjahb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Ifeenfjm.exeC:\Windows\system32\Ifeenfjm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Jjldbiig.exeC:\Windows\system32\Jjldbiig.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Jhpdlm32.exeC:\Windows\system32\Jhpdlm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Jmoijc32.exeC:\Windows\system32\Jmoijc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Jmdcecpp.exeC:\Windows\system32\Jmdcecpp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Kikcjdfd.exeC:\Windows\system32\Kikcjdfd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Kpdlfn32.exeC:\Windows\system32\Kpdlfn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Kehjpd32.exeC:\Windows\system32\Kehjpd32.exe33⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Koaohila.exeC:\Windows\system32\Koaohila.exe34⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Lnhioeof.exeC:\Windows\system32\Lnhioeof.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Ljafifbh.exeC:\Windows\system32\Ljafifbh.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Lbmknipc.exeC:\Windows\system32\Lbmknipc.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Mdmdpd32.exeC:\Windows\system32\Mdmdpd32.exe38⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Mhklfbcj.exeC:\Windows\system32\Mhklfbcj.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Mgqigohb.exeC:\Windows\system32\Mgqigohb.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Mqkked32.exeC:\Windows\system32\Mqkked32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Nggpgn32.exeC:\Windows\system32\Nggpgn32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Njflci32.exeC:\Windows\system32\Njflci32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Ncnplogn.exeC:\Windows\system32\Ncnplogn.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Odlpfblm.exeC:\Windows\system32\Odlpfblm.exe45⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Omddohbm.exeC:\Windows\system32\Omddohbm.exe46⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Ojhehlag.exeC:\Windows\system32\Ojhehlag.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Pfabbmeh.exeC:\Windows\system32\Pfabbmeh.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Pmkjog32.exeC:\Windows\system32\Pmkjog32.exe49⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Pibkdhbi.exeC:\Windows\system32\Pibkdhbi.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Peiliihm.exeC:\Windows\system32\Peiliihm.exe51⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Phiekdeo.exeC:\Windows\system32\Phiekdeo.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Pboihm32.exeC:\Windows\system32\Pboihm32.exe53⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Qofjmnji.exeC:\Windows\system32\Qofjmnji.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Qdbbedhp.exeC:\Windows\system32\Qdbbedhp.exe55⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Qnkgnj32.exeC:\Windows\system32\Qnkgnj32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Akoghnnj.exeC:\Windows\system32\Akoghnnj.exe57⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Apnlee32.exeC:\Windows\system32\Apnlee32.exe58⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Aekenl32.exeC:\Windows\system32\Aekenl32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Afmack32.exeC:\Windows\system32\Afmack32.exe60⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Acabmpem.exeC:\Windows\system32\Acabmpem.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Aohbaq32.exeC:\Windows\system32\Aohbaq32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Bdekjg32.exeC:\Windows\system32\Bdekjg32.exe63⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Bnmpcmpi.exeC:\Windows\system32\Bnmpcmpi.exe64⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Bkapla32.exeC:\Windows\system32\Bkapla32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Bqnidh32.exeC:\Windows\system32\Bqnidh32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:576 -
C:\Windows\SysWOW64\Bkcmba32.exeC:\Windows\system32\Bkcmba32.exe67⤵PID:2932
-
C:\Windows\SysWOW64\Bdlakf32.exeC:\Windows\system32\Bdlakf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Bdnnpf32.exeC:\Windows\system32\Bdnnpf32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Cqeoegfb.exeC:\Windows\system32\Cqeoegfb.exe70⤵PID:2772
-
C:\Windows\SysWOW64\Cqgkkg32.exeC:\Windows\system32\Cqgkkg32.exe71⤵PID:1860
-
C:\Windows\SysWOW64\Cchdlb32.exeC:\Windows\system32\Cchdlb32.exe72⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Cnaempnp.exeC:\Windows\system32\Cnaempnp.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Cgjjfe32.exeC:\Windows\system32\Cgjjfe32.exe74⤵PID:2236
-
C:\Windows\SysWOW64\Dlhblc32.exeC:\Windows\system32\Dlhblc32.exe75⤵PID:2880
-
C:\Windows\SysWOW64\Dccgpf32.exeC:\Windows\system32\Dccgpf32.exe76⤵PID:1560
-
C:\Windows\SysWOW64\Dfdpbaeb.exeC:\Windows\system32\Dfdpbaeb.exe77⤵PID:1452
-
C:\Windows\SysWOW64\Daidojeh.exeC:\Windows\system32\Daidojeh.exe78⤵PID:1108
-
C:\Windows\SysWOW64\Dbmnla32.exeC:\Windows\system32\Dbmnla32.exe79⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Dmbbjjhj.exeC:\Windows\system32\Dmbbjjhj.exe80⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Eiibok32.exeC:\Windows\system32\Eiibok32.exe81⤵
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\SysWOW64\Eepccldb.exeC:\Windows\system32\Eepccldb.exe82⤵PID:3068
-
C:\Windows\SysWOW64\Ehaleg32.exeC:\Windows\system32\Ehaleg32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:932 -
C:\Windows\SysWOW64\Edgmjhfh.exeC:\Windows\system32\Edgmjhfh.exe84⤵PID:2500
-
C:\Windows\SysWOW64\Eheeqgmn.exeC:\Windows\system32\Eheeqgmn.exe85⤵
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Fdlfeh32.exeC:\Windows\system32\Fdlfeh32.exe86⤵PID:2068
-
C:\Windows\SysWOW64\Fmdknm32.exeC:\Windows\system32\Fmdknm32.exe87⤵PID:868
-
C:\Windows\SysWOW64\Fcacfd32.exeC:\Windows\system32\Fcacfd32.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Fcdpld32.exeC:\Windows\system32\Fcdpld32.exe89⤵PID:764
-
C:\Windows\SysWOW64\Flldei32.exeC:\Windows\system32\Flldei32.exe90⤵PID:2764
-
C:\Windows\SysWOW64\Fpjmkhbo.exeC:\Windows\system32\Fpjmkhbo.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Ghebpjpj.exeC:\Windows\system32\Ghebpjpj.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Gkfkae32.exeC:\Windows\system32\Gkfkae32.exe93⤵PID:2492
-
C:\Windows\SysWOW64\Ghjkki32.exeC:\Windows\system32\Ghjkki32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1436 -
C:\Windows\SysWOW64\Ghlhpiia.exeC:\Windows\system32\Ghlhpiia.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:472 -
C:\Windows\SysWOW64\Lenmnb32.exeC:\Windows\system32\Lenmnb32.exe96⤵PID:1524
-
C:\Windows\SysWOW64\Mkdhlh32.exeC:\Windows\system32\Mkdhlh32.exe97⤵PID:928
-
C:\Windows\SysWOW64\Mofnek32.exeC:\Windows\system32\Mofnek32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Mcdflilm.exeC:\Windows\system32\Mcdflilm.exe99⤵PID:2232
-
C:\Windows\SysWOW64\Mhaodqje.exeC:\Windows\system32\Mhaodqje.exe100⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Nmohjopk.exeC:\Windows\system32\Nmohjopk.exe101⤵PID:1204
-
C:\Windows\SysWOW64\Ndjloanf.exeC:\Windows\system32\Ndjloanf.exe102⤵PID:1200
-
C:\Windows\SysWOW64\Nbnmhe32.exeC:\Windows\system32\Nbnmhe32.exe103⤵PID:2960
-
C:\Windows\SysWOW64\Nbqjne32.exeC:\Windows\system32\Nbqjne32.exe104⤵PID:2452
-
C:\Windows\SysWOW64\Ngpokkgb.exeC:\Windows\system32\Ngpokkgb.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Nmlgcbei.exeC:\Windows\system32\Nmlgcbei.exe106⤵
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\Omodibcg.exeC:\Windows\system32\Omodibcg.exe107⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Obllai32.exeC:\Windows\system32\Obllai32.exe108⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Oppmkm32.exeC:\Windows\system32\Oppmkm32.exe109⤵PID:3008
-
C:\Windows\SysWOW64\Oelecd32.exeC:\Windows\system32\Oelecd32.exe110⤵PID:2484
-
C:\Windows\SysWOW64\Obpflhmi.exeC:\Windows\system32\Obpflhmi.exe111⤵PID:2052
-
C:\Windows\SysWOW64\Ohmneokp.exeC:\Windows\system32\Ohmneokp.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Oaecne32.exeC:\Windows\system32\Oaecne32.exe113⤵
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Pnicgi32.exeC:\Windows\system32\Pnicgi32.exe114⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Pjpdlj32.exeC:\Windows\system32\Pjpdlj32.exe115⤵PID:2360
-
C:\Windows\SysWOW64\Pdhhepmo.exeC:\Windows\system32\Pdhhepmo.exe116⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Phfaknce.exeC:\Windows\system32\Phfaknce.exe117⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Pmcjceam.exeC:\Windows\system32\Pmcjceam.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1856 -
C:\Windows\SysWOW64\Pmefidoj.exeC:\Windows\system32\Pmefidoj.exe119⤵PID:1804
-
C:\Windows\SysWOW64\Qmhcnd32.exeC:\Windows\system32\Qmhcnd32.exe120⤵
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Qhadob32.exeC:\Windows\system32\Qhadob32.exe121⤵
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Ahdqdahc.exeC:\Windows\system32\Ahdqdahc.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1020