Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-09-2024 18:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9834d9fd54b5a9439234ee3f78c617d0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
9834d9fd54b5a9439234ee3f78c617d0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
9834d9fd54b5a9439234ee3f78c617d0N.exe
-
Size
85KB
-
MD5
9834d9fd54b5a9439234ee3f78c617d0
-
SHA1
c93a4e0b58b4cf1afc1965b3b0e5b158a1fdd8fe
-
SHA256
a21285258fa522877024c997f9a349b574c65807a0401655463240c2ba5d1830
-
SHA512
e36152bfa96bb98535fbd3c45fd0a3d9f42a87726569f5f50b76906d8246d0438f63342072673198037a24543151cd2a0d8246bab8661febb7e22edc4cd8293c
-
SSDEEP
1536:t5XVtlD3fMqZRMuh1oU6SR2pXKhnAxyTh2LHxMQ262AjCsQ2PCZZrqOlNfVSLUK+:txVtlrfzZRMuh1oU6SRmXKlGyT6HxMQo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhfmbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpcmlnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjnanhhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjblcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmldji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Denknngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnciiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkfhglen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqamla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facfpddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpdnlgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocqhcqgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipjpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eokgij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nogmin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppakj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejohdbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnbnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anpooe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfgke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dicann32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfmbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blaobmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmcikd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhfjadim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdnjaibm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkckblgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejkdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjoiiffo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmfgkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emggflfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmemoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkioho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcbmmbhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oknjmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbkig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbplciof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 9834d9fd54b5a9439234ee3f78c617d0N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpcho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhnffi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oingii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmldji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egkehllh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebjaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidbifmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Manljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbcgnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pchbmigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bclqme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmemoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmcedg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkbfcck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbmmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agccbenc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdqhambg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljbkig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbihl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbmkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfodmhbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfhglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkifgpeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlbkmdah.exe -
Executes dropped EXE 64 IoCs
pid Process 2756 Pkhdnh32.exe 2772 Pofldf32.exe 2776 Pchbmigj.exe 2852 Palbgn32.exe 2680 Qnpcpa32.exe 1132 Qijdqp32.exe 2544 Ajipkb32.exe 2960 Apkbnibq.exe 2968 Anpooe32.exe 904 Bmelpa32.exe 1664 Binikb32.exe 2108 Bdcnhk32.exe 2360 Blaobmkq.exe 2204 Cggcofkf.exe 1216 Cpohhk32.exe 1968 Ckkenikc.exe 1528 Ckpoih32.exe 2468 Dnqhkcdo.exe 2876 Djghpd32.exe 2024 Dlhaaogd.exe 1620 Ehaolpke.exe 920 Eokgij32.exe 1600 Eqopfbfn.exe 2768 Eqamla32.exe 2732 Egkehllh.exe 1084 Fphgbn32.exe 2728 Fichqckn.exe 2692 Fiedfb32.exe 2592 Fpbihl32.exe 2540 Facfpddd.exe 2580 Ghmnmo32.exe 1952 Ghbhhnhk.exe 2948 Gajlac32.exe 1628 Gjbqjiem.exe 1376 Gmcikd32.exe 2232 Heonpf32.exe 1956 Hlhfmqge.exe 1000 Hlkcbp32.exe 1372 Hoipnl32.exe 1684 Hkppcmjk.exe 1792 Honiikpa.exe 2076 Hhfmbq32.exe 1780 Iaobkf32.exe 1708 Ikgfdlcb.exe 1960 Ikicikap.exe 1716 Idbgbahq.exe 2276 Igpdnlgd.exe 2816 Injlkf32.exe 2648 Icgdcm32.exe 2656 Iloilcci.exe 2628 Jhfjadim.exe 2528 Jaonji32.exe 2300 Jldbgb32.exe 1092 Jobocn32.exe 2084 Jkioho32.exe 3004 Jqfhqe32.exe 1756 Jkllnn32.exe 2384 Jbedkhie.exe 2324 Kdfmlc32.exe 1808 Kjcedj32.exe 2584 Kopnma32.exe 1984 Kflcok32.exe 2868 Kkilgb32.exe 600 Kcpcho32.exe -
Loads dropped DLL 64 IoCs
pid Process 2808 9834d9fd54b5a9439234ee3f78c617d0N.exe 2808 9834d9fd54b5a9439234ee3f78c617d0N.exe 2756 Pkhdnh32.exe 2756 Pkhdnh32.exe 2772 Pofldf32.exe 2772 Pofldf32.exe 2776 Pchbmigj.exe 2776 Pchbmigj.exe 2852 Palbgn32.exe 2852 Palbgn32.exe 2680 Qnpcpa32.exe 2680 Qnpcpa32.exe 1132 Qijdqp32.exe 1132 Qijdqp32.exe 2544 Ajipkb32.exe 2544 Ajipkb32.exe 2960 Apkbnibq.exe 2960 Apkbnibq.exe 2968 Anpooe32.exe 2968 Anpooe32.exe 904 Bmelpa32.exe 904 Bmelpa32.exe 1664 Binikb32.exe 1664 Binikb32.exe 2108 Bdcnhk32.exe 2108 Bdcnhk32.exe 2360 Blaobmkq.exe 2360 Blaobmkq.exe 2204 Cggcofkf.exe 2204 Cggcofkf.exe 1216 Cpohhk32.exe 1216 Cpohhk32.exe 1968 Ckkenikc.exe 1968 Ckkenikc.exe 1528 Ckpoih32.exe 1528 Ckpoih32.exe 2468 Dnqhkcdo.exe 2468 Dnqhkcdo.exe 2876 Djghpd32.exe 2876 Djghpd32.exe 2024 Dlhaaogd.exe 2024 Dlhaaogd.exe 1620 Ehaolpke.exe 1620 Ehaolpke.exe 920 Eokgij32.exe 920 Eokgij32.exe 1600 Eqopfbfn.exe 1600 Eqopfbfn.exe 2768 Eqamla32.exe 2768 Eqamla32.exe 2732 Egkehllh.exe 2732 Egkehllh.exe 1084 Fphgbn32.exe 1084 Fphgbn32.exe 2728 Fichqckn.exe 2728 Fichqckn.exe 2692 Fiedfb32.exe 2692 Fiedfb32.exe 2592 Fpbihl32.exe 2592 Fpbihl32.exe 2540 Facfpddd.exe 2540 Facfpddd.exe 2580 Ghmnmo32.exe 2580 Ghmnmo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cobcakeo.dll Lekcffem.exe File opened for modification C:\Windows\SysWOW64\Memlki32.exe Mldgbcoe.exe File created C:\Windows\SysWOW64\Cdhbbpkh.dll Oegdcj32.exe File created C:\Windows\SysWOW64\Palbgn32.exe Pchbmigj.exe File created C:\Windows\SysWOW64\Nejkdm32.exe Ncjbba32.exe File created C:\Windows\SysWOW64\Agngpn32.dll Cmdaeo32.exe File opened for modification C:\Windows\SysWOW64\Iplnpq32.exe Iokahhac.exe File opened for modification C:\Windows\SysWOW64\Dmcgik32.exe Dgiomabc.exe File created C:\Windows\SysWOW64\Ddliklgk.exe Dooqceid.exe File created C:\Windows\SysWOW64\Lekcffem.exe Lggbmbfc.exe File opened for modification C:\Windows\SysWOW64\Gphlgk32.exe Gindjqnc.exe File created C:\Windows\SysWOW64\Pljhmo32.dll Gplebjbk.exe File created C:\Windows\SysWOW64\Honiikpa.exe Hkppcmjk.exe File created C:\Windows\SysWOW64\Gajlac32.exe Ghbhhnhk.exe File created C:\Windows\SysWOW64\Eqamla32.exe Eqopfbfn.exe File created C:\Windows\SysWOW64\Lekfhb32.dll Bjlkhn32.exe File created C:\Windows\SysWOW64\Eckomcec.dll Fclbgj32.exe File created C:\Windows\SysWOW64\Olfclj32.dll Bejiehfi.exe File created C:\Windows\SysWOW64\Oinpjm32.dll Eokgij32.exe File created C:\Windows\SysWOW64\Kjcedj32.exe Kdfmlc32.exe File created C:\Windows\SysWOW64\Ciifcjnd.dll Kkkhmadd.exe File created C:\Windows\SysWOW64\Gniiomgc.dll Jdjgfomh.exe File created C:\Windows\SysWOW64\Cbkingcj.dll Paghojip.exe File created C:\Windows\SysWOW64\Anpooe32.exe Apkbnibq.exe File opened for modification C:\Windows\SysWOW64\Bmldji32.exe Bfblmofp.exe File created C:\Windows\SysWOW64\Ngppolhf.dll Eqopfbfn.exe File created C:\Windows\SysWOW64\Jkllnn32.exe Jqfhqe32.exe File created C:\Windows\SysWOW64\Gjffbhnj.exe Geinjapb.exe File created C:\Windows\SysWOW64\Klheoobo.dll Cppjadhk.exe File opened for modification C:\Windows\SysWOW64\Injlkf32.exe Igpdnlgd.exe File opened for modification C:\Windows\SysWOW64\Ddliklgk.exe Dooqceid.exe File created C:\Windows\SysWOW64\Ebkilnbk.dll Ddliklgk.exe File created C:\Windows\SysWOW64\Ckkenikc.exe Cpohhk32.exe File opened for modification C:\Windows\SysWOW64\Jhqeka32.exe Johaalea.exe File created C:\Windows\SysWOW64\Fcjeakfd.exe Fgcdlj32.exe File created C:\Windows\SysWOW64\Nbbegl32.exe Mmemoe32.exe File opened for modification C:\Windows\SysWOW64\Kjcedj32.exe Kdfmlc32.exe File created C:\Windows\SysWOW64\Kkkhmadd.exe Kcpcho32.exe File created C:\Windows\SysWOW64\Ajodjfdi.dll Hjhchg32.exe File created C:\Windows\SysWOW64\Fphgbn32.exe Egkehllh.exe File opened for modification C:\Windows\SysWOW64\Abldccka.exe Amplklmj.exe File opened for modification C:\Windows\SysWOW64\Eocfmh32.exe Ejfnda32.exe File opened for modification C:\Windows\SysWOW64\Lknebaba.exe Kkkhmadd.exe File opened for modification C:\Windows\SysWOW64\Komjmk32.exe Kdgfpbaf.exe File created C:\Windows\SysWOW64\Binikb32.exe Bmelpa32.exe File created C:\Windows\SysWOW64\Qnciiq32.exe Qifpqi32.exe File opened for modification C:\Windows\SysWOW64\Ogmngn32.exe Odoakckp.exe File created C:\Windows\SysWOW64\Pofldf32.exe Pkhdnh32.exe File created C:\Windows\SysWOW64\Aqmidk32.dll Ogekbchg.exe File created C:\Windows\SysWOW64\Fmdfppkb.exe Fclbgj32.exe File opened for modification C:\Windows\SysWOW64\Apkbnibq.exe Ajipkb32.exe File created C:\Windows\SysWOW64\Pfoefi32.dll Hffjng32.exe File opened for modification C:\Windows\SysWOW64\Paghojip.exe Phocfd32.exe File opened for modification C:\Windows\SysWOW64\Claake32.exe Bmldji32.exe File created C:\Windows\SysWOW64\Kpclfokl.dll Igpdnlgd.exe File created C:\Windows\SysWOW64\Deplmf32.dll Bafkookd.exe File created C:\Windows\SysWOW64\Ogjaqc32.dll Egchmfnd.exe File created C:\Windows\SysWOW64\Lbbpgc32.dll Nbdbml32.exe File created C:\Windows\SysWOW64\Mohkpn32.dll Dmcgik32.exe File opened for modification C:\Windows\SysWOW64\Dpdpkfga.exe Denknngk.exe File opened for modification C:\Windows\SysWOW64\Gajlac32.exe Ghbhhnhk.exe File created C:\Windows\SysWOW64\Nogmin32.exe Ndbile32.exe File created C:\Windows\SysWOW64\Odanqb32.exe Ogmngn32.exe File created C:\Windows\SysWOW64\Bhonin32.dll Fdblkoco.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3296 3244 WerFault.exe 289 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqamla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmcikd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkiobge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjoiiffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkbfcck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlkhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eceimadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehaolpke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memlki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abldccka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdnne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diencmcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkbpgeai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdgfpbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kopnma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhbdpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geinjapb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikgfdlcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgckm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfpmifoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqjfpbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokgij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjnanhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbedkhie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjjekhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbplciof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jobocn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkkhmadd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdqifajl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbgbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceoooj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekcffem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogiha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gindjqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olopjddf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pniohk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmelpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blaobmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doamhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpqemll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiomabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajipkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkppcmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panehkaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkifgpeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdego32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdfmlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokahhac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmahog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkllnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aepnkjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejohdbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkehhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelljepm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phocfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naionh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Claake32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egkehllh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idbgbahq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaonji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnjaibm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncjbba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elbmkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkcpmmb.dll" Pkfiaqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnofaf32.dll" Ajdego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmcoed32.dll" Jqfhqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgdecm32.dll" Lmfgkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfmjoqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkbcgnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caepdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehaolpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdimfhnj.dll" Aepnkjcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjkehhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmep32.dll" Nbbegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Panehkaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmelpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgcdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npjkgala.dll" Pchbmigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcpcho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhlbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobnp32.dll" Cppakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccecheeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgahboge.dll" Gpjilj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcfbfaao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqopfbfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgcql32.dll" Injlkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpkjgckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emggflfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokpie32.dll" Hdqhambg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkllnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kflcok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbjjekhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdnjaibm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkppcmjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dggbgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpohhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjdiiidn.dll" Hoipnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bafkookd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblkmipo.dll" Manljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doegcd32.dll" Nkbcgnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjblcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmgnmlma.dll" Gajlac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkioho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mldgbcoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iplnpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqfcla32.dll" Lbplciof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkhdnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pchbmigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hainad32.dll" Iplnpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leqeed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peapkpkj.dll" Blaobmkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckpoih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdgcaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npppaejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdjgfomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pniohk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnpcpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbkmdah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkilnbk.dll" Ddliklgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnncii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oegdcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obchjdci.dll" Bfblmofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjijeh32.dll" Dicann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooicngen.dll" Nejkdm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2808 wrote to memory of 2756 2808 9834d9fd54b5a9439234ee3f78c617d0N.exe 30 PID 2808 wrote to memory of 2756 2808 9834d9fd54b5a9439234ee3f78c617d0N.exe 30 PID 2808 wrote to memory of 2756 2808 9834d9fd54b5a9439234ee3f78c617d0N.exe 30 PID 2808 wrote to memory of 2756 2808 9834d9fd54b5a9439234ee3f78c617d0N.exe 30 PID 2756 wrote to memory of 2772 2756 Pkhdnh32.exe 31 PID 2756 wrote to memory of 2772 2756 Pkhdnh32.exe 31 PID 2756 wrote to memory of 2772 2756 Pkhdnh32.exe 31 PID 2756 wrote to memory of 2772 2756 Pkhdnh32.exe 31 PID 2772 wrote to memory of 2776 2772 Pofldf32.exe 32 PID 2772 wrote to memory of 2776 2772 Pofldf32.exe 32 PID 2772 wrote to memory of 2776 2772 Pofldf32.exe 32 PID 2772 wrote to memory of 2776 2772 Pofldf32.exe 32 PID 2776 wrote to memory of 2852 2776 Pchbmigj.exe 33 PID 2776 wrote to memory of 2852 2776 Pchbmigj.exe 33 PID 2776 wrote to memory of 2852 2776 Pchbmigj.exe 33 PID 2776 wrote to memory of 2852 2776 Pchbmigj.exe 33 PID 2852 wrote to memory of 2680 2852 Palbgn32.exe 34 PID 2852 wrote to memory of 2680 2852 Palbgn32.exe 34 PID 2852 wrote to memory of 2680 2852 Palbgn32.exe 34 PID 2852 wrote to memory of 2680 2852 Palbgn32.exe 34 PID 2680 wrote to memory of 1132 2680 Qnpcpa32.exe 35 PID 2680 wrote to memory of 1132 2680 Qnpcpa32.exe 35 PID 2680 wrote to memory of 1132 2680 Qnpcpa32.exe 35 PID 2680 wrote to memory of 1132 2680 Qnpcpa32.exe 35 PID 1132 wrote to memory of 2544 1132 Qijdqp32.exe 36 PID 1132 wrote to memory of 2544 1132 Qijdqp32.exe 36 PID 1132 wrote to memory of 2544 1132 Qijdqp32.exe 36 PID 1132 wrote to memory of 2544 1132 Qijdqp32.exe 36 PID 2544 wrote to memory of 2960 2544 Ajipkb32.exe 37 PID 2544 wrote to memory of 2960 2544 Ajipkb32.exe 37 PID 2544 wrote to memory of 2960 2544 Ajipkb32.exe 37 PID 2544 wrote to memory of 2960 2544 Ajipkb32.exe 37 PID 2960 wrote to memory of 2968 2960 Apkbnibq.exe 38 PID 2960 wrote to memory of 2968 2960 Apkbnibq.exe 38 PID 2960 wrote to memory of 2968 2960 Apkbnibq.exe 38 PID 2960 wrote to memory of 2968 2960 Apkbnibq.exe 38 PID 2968 wrote to memory of 904 2968 Anpooe32.exe 39 PID 2968 wrote to memory of 904 2968 Anpooe32.exe 39 PID 2968 wrote to memory of 904 2968 Anpooe32.exe 39 PID 2968 wrote to memory of 904 2968 Anpooe32.exe 39 PID 904 wrote to memory of 1664 904 Bmelpa32.exe 40 PID 904 wrote to memory of 1664 904 Bmelpa32.exe 40 PID 904 wrote to memory of 1664 904 Bmelpa32.exe 40 PID 904 wrote to memory of 1664 904 Bmelpa32.exe 40 PID 1664 wrote to memory of 2108 1664 Binikb32.exe 41 PID 1664 wrote to memory of 2108 1664 Binikb32.exe 41 PID 1664 wrote to memory of 2108 1664 Binikb32.exe 41 PID 1664 wrote to memory of 2108 1664 Binikb32.exe 41 PID 2108 wrote to memory of 2360 2108 Bdcnhk32.exe 42 PID 2108 wrote to memory of 2360 2108 Bdcnhk32.exe 42 PID 2108 wrote to memory of 2360 2108 Bdcnhk32.exe 42 PID 2108 wrote to memory of 2360 2108 Bdcnhk32.exe 42 PID 2360 wrote to memory of 2204 2360 Blaobmkq.exe 43 PID 2360 wrote to memory of 2204 2360 Blaobmkq.exe 43 PID 2360 wrote to memory of 2204 2360 Blaobmkq.exe 43 PID 2360 wrote to memory of 2204 2360 Blaobmkq.exe 43 PID 2204 wrote to memory of 1216 2204 Cggcofkf.exe 44 PID 2204 wrote to memory of 1216 2204 Cggcofkf.exe 44 PID 2204 wrote to memory of 1216 2204 Cggcofkf.exe 44 PID 2204 wrote to memory of 1216 2204 Cggcofkf.exe 44 PID 1216 wrote to memory of 1968 1216 Cpohhk32.exe 45 PID 1216 wrote to memory of 1968 1216 Cpohhk32.exe 45 PID 1216 wrote to memory of 1968 1216 Cpohhk32.exe 45 PID 1216 wrote to memory of 1968 1216 Cpohhk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9834d9fd54b5a9439234ee3f78c617d0N.exe"C:\Users\Admin\AppData\Local\Temp\9834d9fd54b5a9439234ee3f78c617d0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Pofldf32.exeC:\Windows\system32\Pofldf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Pchbmigj.exeC:\Windows\system32\Pchbmigj.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Palbgn32.exeC:\Windows\system32\Palbgn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Qnpcpa32.exeC:\Windows\system32\Qnpcpa32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Qijdqp32.exeC:\Windows\system32\Qijdqp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Ajipkb32.exeC:\Windows\system32\Ajipkb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Apkbnibq.exeC:\Windows\system32\Apkbnibq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Anpooe32.exeC:\Windows\system32\Anpooe32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Bmelpa32.exeC:\Windows\system32\Bmelpa32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Binikb32.exeC:\Windows\system32\Binikb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Bdcnhk32.exeC:\Windows\system32\Bdcnhk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Blaobmkq.exeC:\Windows\system32\Blaobmkq.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Cpohhk32.exeC:\Windows\system32\Cpohhk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Ckkenikc.exeC:\Windows\system32\Ckkenikc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Ckpoih32.exeC:\Windows\system32\Ckpoih32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Dnqhkcdo.exeC:\Windows\system32\Dnqhkcdo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Djghpd32.exeC:\Windows\system32\Djghpd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Ehaolpke.exeC:\Windows\system32\Ehaolpke.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Eokgij32.exeC:\Windows\system32\Eokgij32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Eqopfbfn.exeC:\Windows\system32\Eqopfbfn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Eqamla32.exeC:\Windows\system32\Eqamla32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Egkehllh.exeC:\Windows\system32\Egkehllh.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Fphgbn32.exeC:\Windows\system32\Fphgbn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Fichqckn.exeC:\Windows\system32\Fichqckn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Fiedfb32.exeC:\Windows\system32\Fiedfb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Fpbihl32.exeC:\Windows\system32\Fpbihl32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Facfpddd.exeC:\Windows\system32\Facfpddd.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Ghmnmo32.exeC:\Windows\system32\Ghmnmo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Ghbhhnhk.exeC:\Windows\system32\Ghbhhnhk.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Gajlac32.exeC:\Windows\system32\Gajlac32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Gjbqjiem.exeC:\Windows\system32\Gjbqjiem.exe35⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Gmcikd32.exeC:\Windows\system32\Gmcikd32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Heonpf32.exeC:\Windows\system32\Heonpf32.exe37⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Hlhfmqge.exeC:\Windows\system32\Hlhfmqge.exe38⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Hlkcbp32.exeC:\Windows\system32\Hlkcbp32.exe39⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Hoipnl32.exeC:\Windows\system32\Hoipnl32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Hkppcmjk.exeC:\Windows\system32\Hkppcmjk.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Honiikpa.exeC:\Windows\system32\Honiikpa.exe42⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Hhfmbq32.exeC:\Windows\system32\Hhfmbq32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Iaobkf32.exeC:\Windows\system32\Iaobkf32.exe44⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Ikgfdlcb.exeC:\Windows\system32\Ikgfdlcb.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Ikicikap.exeC:\Windows\system32\Ikicikap.exe46⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Idbgbahq.exeC:\Windows\system32\Idbgbahq.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\Igpdnlgd.exeC:\Windows\system32\Igpdnlgd.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Injlkf32.exeC:\Windows\system32\Injlkf32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Icgdcm32.exeC:\Windows\system32\Icgdcm32.exe50⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Iloilcci.exeC:\Windows\system32\Iloilcci.exe51⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Jhfjadim.exeC:\Windows\system32\Jhfjadim.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Jaonji32.exeC:\Windows\system32\Jaonji32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Jldbgb32.exeC:\Windows\system32\Jldbgb32.exe54⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Jobocn32.exeC:\Windows\system32\Jobocn32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Windows\SysWOW64\Jkioho32.exeC:\Windows\system32\Jkioho32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Jqfhqe32.exeC:\Windows\system32\Jqfhqe32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Jkllnn32.exeC:\Windows\system32\Jkllnn32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Jbedkhie.exeC:\Windows\system32\Jbedkhie.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Kdfmlc32.exeC:\Windows\system32\Kdfmlc32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Kjcedj32.exeC:\Windows\system32\Kjcedj32.exe61⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Kopnma32.exeC:\Windows\system32\Kopnma32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Kflcok32.exeC:\Windows\system32\Kflcok32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Kkilgb32.exeC:\Windows\system32\Kkilgb32.exe64⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Kcpcho32.exeC:\Windows\system32\Kcpcho32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Kkkhmadd.exeC:\Windows\system32\Kkkhmadd.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Lknebaba.exeC:\Windows\system32\Lknebaba.exe67⤵PID:2124
-
C:\Windows\SysWOW64\Lgdfgbhf.exeC:\Windows\system32\Lgdfgbhf.exe68⤵PID:2888
-
C:\Windows\SysWOW64\Lbjjekhl.exeC:\Windows\system32\Lbjjekhl.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Lggbmbfc.exeC:\Windows\system32\Lggbmbfc.exe70⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Lekcffem.exeC:\Windows\system32\Lekcffem.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Lmfgkh32.exeC:\Windows\system32\Lmfgkh32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Lfnlcnih.exeC:\Windows\system32\Lfnlcnih.exe73⤵PID:1536
-
C:\Windows\SysWOW64\Lmhdph32.exeC:\Windows\system32\Lmhdph32.exe74⤵PID:392
-
C:\Windows\SysWOW64\Mcbmmbhb.exeC:\Windows\system32\Mcbmmbhb.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Mjlejl32.exeC:\Windows\system32\Mjlejl32.exe76⤵PID:1948
-
C:\Windows\SysWOW64\Mbginomj.exeC:\Windows\system32\Mbginomj.exe77⤵PID:2872
-
C:\Windows\SysWOW64\Miaaki32.exeC:\Windows\system32\Miaaki32.exe78⤵PID:2116
-
C:\Windows\SysWOW64\Mpkjgckc.exeC:\Windows\system32\Mpkjgckc.exe79⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Mlbkmdah.exeC:\Windows\system32\Mlbkmdah.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Mblcin32.exeC:\Windows\system32\Mblcin32.exe81⤵PID:2572
-
C:\Windows\SysWOW64\Mldgbcoe.exeC:\Windows\system32\Mldgbcoe.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Memlki32.exeC:\Windows\system32\Memlki32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Noepdo32.exeC:\Windows\system32\Noepdo32.exe84⤵PID:1776
-
C:\Windows\SysWOW64\Ndbile32.exeC:\Windows\system32\Ndbile32.exe85⤵
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Nogmin32.exeC:\Windows\system32\Nogmin32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2812 -
C:\Windows\SysWOW64\Nddeae32.exeC:\Windows\system32\Nddeae32.exe87⤵PID:2720
-
C:\Windows\SysWOW64\Nmmjjk32.exeC:\Windows\system32\Nmmjjk32.exe88⤵PID:2748
-
C:\Windows\SysWOW64\Ncjbba32.exeC:\Windows\system32\Ncjbba32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Nejkdm32.exeC:\Windows\system32\Nejkdm32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Npppaejj.exeC:\Windows\system32\Npppaejj.exe91⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Oemhjlha.exeC:\Windows\system32\Oemhjlha.exe92⤵PID:3048
-
C:\Windows\SysWOW64\Ocqhcqgk.exeC:\Windows\system32\Ocqhcqgk.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Ohmalgeb.exeC:\Windows\system32\Ohmalgeb.exe94⤵PID:2472
-
C:\Windows\SysWOW64\Oogiha32.exeC:\Windows\system32\Oogiha32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Oddbqhkf.exeC:\Windows\system32\Oddbqhkf.exe96⤵PID:1616
-
C:\Windows\SysWOW64\Oknjmb32.exeC:\Windows\system32\Oknjmb32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Ogekbchg.exeC:\Windows\system32\Ogekbchg.exe98⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Pipjpj32.exeC:\Windows\system32\Pipjpj32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1148 -
C:\Windows\SysWOW64\Pmmcfi32.exeC:\Windows\system32\Pmmcfi32.exe100⤵PID:1308
-
C:\Windows\SysWOW64\Qkbpgeai.exeC:\Windows\system32\Qkbpgeai.exe101⤵
- System Location Discovery: System Language Discovery
PID:652 -
C:\Windows\SysWOW64\Qifpqi32.exeC:\Windows\system32\Qifpqi32.exe102⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Qnciiq32.exeC:\Windows\system32\Qnciiq32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Ajjinaco.exeC:\Windows\system32\Ajjinaco.exe104⤵PID:2980
-
C:\Windows\SysWOW64\Aepnkjcd.exeC:\Windows\system32\Aepnkjcd.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Anhbdpje.exeC:\Windows\system32\Anhbdpje.exe106⤵
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Aebjaj32.exeC:\Windows\system32\Aebjaj32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Anjojphb.exeC:\Windows\system32\Anjojphb.exe108⤵PID:432
-
C:\Windows\SysWOW64\Agccbenc.exeC:\Windows\system32\Agccbenc.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Amplklmj.exeC:\Windows\system32\Amplklmj.exe110⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Abldccka.exeC:\Windows\system32\Abldccka.exe111⤵
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\SysWOW64\Bclqme32.exeC:\Windows\system32\Bclqme32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2068 -
C:\Windows\SysWOW64\Bemmenhb.exeC:\Windows\system32\Bemmenhb.exe113⤵PID:2304
-
C:\Windows\SysWOW64\Bfmjoqoe.exeC:\Windows\system32\Bfmjoqoe.exe114⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Bhnffi32.exeC:\Windows\system32\Bhnffi32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Bafkookd.exeC:\Windows\system32\Bafkookd.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Bjoohdbd.exeC:\Windows\system32\Bjoohdbd.exe117⤵PID:1848
-
C:\Windows\SysWOW64\Baigen32.exeC:\Windows\system32\Baigen32.exe118⤵PID:2664
-
C:\Windows\SysWOW64\Bdgcaj32.exeC:\Windows\system32\Bdgcaj32.exe119⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe120⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Cppakj32.exeC:\Windows\system32\Cppakj32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2336
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-