Analysis
-
max time kernel
115s -
max time network
15s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-09-2024 11:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
75fc455498c98753f6d7f30c480b45d0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
75fc455498c98753f6d7f30c480b45d0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
75fc455498c98753f6d7f30c480b45d0N.exe
-
Size
88KB
-
MD5
75fc455498c98753f6d7f30c480b45d0
-
SHA1
0bdcb298b914c66c2fbf6a199ef9b4faad9b35f5
-
SHA256
4012af916afc1586af978737b06e471d6eb81b727159001478993cacd4fe5c98
-
SHA512
8d137759c5af4f5255396caf5bf78b7e725c3bbc6fa336a833db2e3691d8b8c9f4b5e02b0c0f3d60dc479f5271c4f82f911c6d9256e14546b2d2f563783afba2
-
SSDEEP
1536:Jgyzf7XXTHby4JJslxh5aagvuyF7Bq4oTfwAgOsZxQRq4j5jj3nouy8L:iyD7nbbfslwag22ATgOKxn49jjXoutL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpmjplag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olhmnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhjfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opohil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqgahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjchjcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcfdji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnecag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfcoedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cidhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkkaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Babdhlmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkfdlclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feqbilcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcfmkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nchkjhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiamql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcnhcdkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikaqppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pikaqppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncbfcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqiakm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nppceo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhhlo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onmgeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfpebq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdqpdja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Engpfgql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elkbipdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldikbhfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkiikm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjacai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caajmilh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eggajb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhjldiln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbdhbnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boakgapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjkcedgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehopnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggpdmap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpihog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfioaaah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmhfdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkndiabh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbokda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Andnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iganmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blklfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biecoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fimclh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjiod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkgchckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdilalko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feqbilcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfmkcdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmopge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpmiahlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aomdpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqjenb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkbbqjgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bimbbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neldbo32.exe -
Executes dropped EXE 64 IoCs
pid Process 396 Anngkg32.exe 2928 Aggkdlod.exe 3024 Bblpae32.exe 2652 Bgihjl32.exe 2624 Bdoeipjh.exe 2680 Bnhjae32.exe 2856 Bcdbjl32.exe 2392 Bmmgbbeq.exe 2524 Bbjoki32.exe 2732 Conpdm32.exe 2172 Cifdmbib.exe 540 Cbnhfhoc.exe 2256 Cpbiolnl.exe 2372 Cgmndokg.exe 2212 Cafbmdbh.exe 528 Cnjbfhqa.exe 696 Dgbgon32.exe 1904 Dmopge32.exe 1476 Dhdddnep.exe 1996 Dmalmdcg.exe 1696 Dpphipbk.exe 920 Dmcibdad.exe 2568 Dbqajk32.exe 584 Deonff32.exe 1612 Dogbolep.exe 2272 Elkbipdi.exe 2452 Eecgafkj.exe 2916 Ekppjmia.exe 3000 Edidcb32.exe 1632 Emailhfb.exe 2904 Egimdmmc.exe 2672 Eijffhjd.exe 1456 Fdpjcaij.exe 1656 Fimclh32.exe 1636 Flkohc32.exe 1160 Fgqcel32.exe 1688 Folhio32.exe 2352 Fialggcl.exe 1460 Fpkdca32.exe 2156 Flbehbqm.exe 1268 Fldbnb32.exe 524 Gnhkkjbf.exe 588 Ghmohcbl.exe 1528 Gjolpkhj.exe 1984 Gddpndhp.exe 2324 Gknhjn32.exe 2176 Glpdbfek.exe 1724 Gfhikl32.exe 1132 Gmbagf32.exe 1080 Hjfbaj32.exe 1720 Hqpjndio.exe 2836 Hfmbfkhf.exe 2632 Hkiknb32.exe 2796 Himkgf32.exe 2644 Hogddpld.exe 2736 Hbepplkh.exe 2344 Hkndiabh.exe 2216 Hbhmfk32.exe 2192 Hibebeqb.exe 3056 Hnomkloi.exe 2648 Jhikhefb.exe 1204 Jemkai32.exe 2168 Jmhpfl32.exe 780 Jdbhcfjd.exe -
Loads dropped DLL 64 IoCs
pid Process 1120 75fc455498c98753f6d7f30c480b45d0N.exe 1120 75fc455498c98753f6d7f30c480b45d0N.exe 396 Anngkg32.exe 396 Anngkg32.exe 2928 Aggkdlod.exe 2928 Aggkdlod.exe 3024 Bblpae32.exe 3024 Bblpae32.exe 2652 Bgihjl32.exe 2652 Bgihjl32.exe 2624 Bdoeipjh.exe 2624 Bdoeipjh.exe 2680 Bnhjae32.exe 2680 Bnhjae32.exe 2856 Bcdbjl32.exe 2856 Bcdbjl32.exe 2392 Bmmgbbeq.exe 2392 Bmmgbbeq.exe 2524 Bbjoki32.exe 2524 Bbjoki32.exe 2732 Conpdm32.exe 2732 Conpdm32.exe 2172 Cifdmbib.exe 2172 Cifdmbib.exe 540 Cbnhfhoc.exe 540 Cbnhfhoc.exe 2256 Cpbiolnl.exe 2256 Cpbiolnl.exe 2372 Cgmndokg.exe 2372 Cgmndokg.exe 2212 Cafbmdbh.exe 2212 Cafbmdbh.exe 528 Cnjbfhqa.exe 528 Cnjbfhqa.exe 696 Dgbgon32.exe 696 Dgbgon32.exe 1904 Dmopge32.exe 1904 Dmopge32.exe 1476 Dhdddnep.exe 1476 Dhdddnep.exe 1996 Dmalmdcg.exe 1996 Dmalmdcg.exe 1696 Dpphipbk.exe 1696 Dpphipbk.exe 920 Dmcibdad.exe 920 Dmcibdad.exe 2568 Dbqajk32.exe 2568 Dbqajk32.exe 584 Deonff32.exe 584 Deonff32.exe 1612 Dogbolep.exe 1612 Dogbolep.exe 2272 Elkbipdi.exe 2272 Elkbipdi.exe 2452 Eecgafkj.exe 2452 Eecgafkj.exe 2916 Ekppjmia.exe 2916 Ekppjmia.exe 3000 Edidcb32.exe 3000 Edidcb32.exe 1632 Emailhfb.exe 1632 Emailhfb.exe 2904 Egimdmmc.exe 2904 Egimdmmc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kadkmila.dll Ekppjmia.exe File opened for modification C:\Windows\SysWOW64\Nonqca32.exe Nnndin32.exe File created C:\Windows\SysWOW64\Bkhbee32.dll Bdpgai32.exe File created C:\Windows\SysWOW64\Jiiikq32.exe Joaebkni.exe File opened for modification C:\Windows\SysWOW64\Mqgahh32.exe Mjmiknng.exe File opened for modification C:\Windows\SysWOW64\Ldgikklb.exe Ljnebe32.exe File opened for modification C:\Windows\SysWOW64\Engpfgql.exe Ehkgnpbe.exe File created C:\Windows\SysWOW64\Nagielfp.dll Fknido32.exe File created C:\Windows\SysWOW64\Nnhcin32.dll Ecnbpcje.exe File created C:\Windows\SysWOW64\Cafbmdbh.exe Cgmndokg.exe File created C:\Windows\SysWOW64\Kldchgag.exe Kblooa32.exe File opened for modification C:\Windows\SysWOW64\Ebhani32.exe Emlhfb32.exe File opened for modification C:\Windows\SysWOW64\Dkfdlclg.exe Ddlloi32.exe File created C:\Windows\SysWOW64\Mdcadn32.dll Bmmgbbeq.exe File created C:\Windows\SysWOW64\Jpojog32.dll Jdhmel32.exe File opened for modification C:\Windows\SysWOW64\Gfadeaho.exe Gadkmj32.exe File created C:\Windows\SysWOW64\Kmfebofm.dll Pegpamoo.exe File created C:\Windows\SysWOW64\Pimimg32.dll Amiioj32.exe File created C:\Windows\SysWOW64\Fjbdmbmb.exe Fajpdmgb.exe File created C:\Windows\SysWOW64\Dlgjie32.exe Dcofqphi.exe File opened for modification C:\Windows\SysWOW64\Aahkhgag.exe Apgnpo32.exe File created C:\Windows\SysWOW64\Gljdlq32.exe Gcapckod.exe File created C:\Windows\SysWOW64\Lgfjoqnd.dll Abnbccia.exe File opened for modification C:\Windows\SysWOW64\Dqiakm32.exe Chmlfj32.exe File created C:\Windows\SysWOW64\Bdhjfc32.exe Aibfik32.exe File opened for modification C:\Windows\SysWOW64\Alfflhpa.exe Abnbccia.exe File created C:\Windows\SysWOW64\Bahhpf32.dll Kpqaanqd.exe File created C:\Windows\SysWOW64\Lgjllm32.dll Dbgjbo32.exe File created C:\Windows\SysWOW64\Pnnlfd32.exe Pgdcjjom.exe File created C:\Windows\SysWOW64\Icgpcjpo.dll Lccepqdo.exe File created C:\Windows\SysWOW64\Mqgahh32.exe Mjmiknng.exe File created C:\Windows\SysWOW64\Mfdblbha.dll Mqgahh32.exe File opened for modification C:\Windows\SysWOW64\Emnelbdi.exe Ebhani32.exe File created C:\Windows\SysWOW64\Aggkdlod.exe Anngkg32.exe File created C:\Windows\SysWOW64\Bnhjae32.exe Bdoeipjh.exe File created C:\Windows\SysWOW64\Gjiefgfh.dll Pemdic32.exe File created C:\Windows\SysWOW64\Fdoknb32.dll Ebhlmlhl.exe File created C:\Windows\SysWOW64\Hbhmfk32.exe Hkndiabh.exe File created C:\Windows\SysWOW64\Bcmeogam.exe Bjdqfajl.exe File opened for modification C:\Windows\SysWOW64\Clheeh32.exe Ccoplcii.exe File created C:\Windows\SysWOW64\Fijadk32.exe Fbpihafp.exe File opened for modification C:\Windows\SysWOW64\Jemkai32.exe Jhikhefb.exe File opened for modification C:\Windows\SysWOW64\Gdmcbojl.exe Fdjfmolo.exe File created C:\Windows\SysWOW64\Dbgjbo32.exe Cfpinnfj.exe File created C:\Windows\SysWOW64\Ankckagj.exe Acfonhgd.exe File created C:\Windows\SysWOW64\Jcebdo32.dll Hqhiab32.exe File created C:\Windows\SysWOW64\Pemdic32.exe Pkeppngm.exe File opened for modification C:\Windows\SysWOW64\Pjiffd32.exe Pqaanoah.exe File opened for modification C:\Windows\SysWOW64\Dnbfkh32.exe Dkdjol32.exe File opened for modification C:\Windows\SysWOW64\Hhfcnb32.exe Hbjjfl32.exe File created C:\Windows\SysWOW64\Ekppjmia.exe Eecgafkj.exe File opened for modification C:\Windows\SysWOW64\Mpmdff32.exe Mdfcaegj.exe File created C:\Windows\SysWOW64\Cnifhcei.dll Dgbiggof.exe File opened for modification C:\Windows\SysWOW64\Kefmnp32.exe Koidficq.exe File created C:\Windows\SysWOW64\Dopkai32.exe Dgefmf32.exe File opened for modification C:\Windows\SysWOW64\Ceqlff32.exe Clhgnagn.exe File created C:\Windows\SysWOW64\Fdldjnpc.dll Ljfckodo.exe File created C:\Windows\SysWOW64\Fbfilc32.dll Ppbfmdfo.exe File created C:\Windows\SysWOW64\Ndneljdm.dll Milagp32.exe File created C:\Windows\SysWOW64\Bdiciboh.exe Bakgmgpe.exe File created C:\Windows\SysWOW64\Dlpdifda.exe Dgclpp32.exe File created C:\Windows\SysWOW64\Gbolncpj.dll Mmijmn32.exe File created C:\Windows\SysWOW64\Ppehbh32.dll Dogbolep.exe File created C:\Windows\SysWOW64\Hkndiabh.exe Hbepplkh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3156 1204 WerFault.exe 702 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agoodkgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbolce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdilalko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdiciboh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqjbme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deimaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgogfmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmlfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjpggb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljlhme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkeppngm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfbjkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Himkgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjicnlqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdddnep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbihpbpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfadeaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Engpfgql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhikhefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqhhin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pphilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpqaanqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boiagp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpinnfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdkpob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbfkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcibdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdehgnqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchkjhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkdca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibebeqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oclpdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfqii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhpjfoji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joaebkni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchjjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdigakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiglfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iniidj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajipmocp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idagdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohajic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlndj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egimdmmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmbfkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchobqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgpjjak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfgeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljfeimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jookedhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjiffd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghmohcbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfjiod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakjlpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfcnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenmkngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnndin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdbhcfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfaag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggekhhle.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgcdcjpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocpfmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejkampao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfoqephq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkegca32.dll" Bdehgnqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agffkn32.dll" Efifjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Giaddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhikhefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjhfpoj.dll" Blkgdmbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hibebeqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggndgpg.dll" Kmpfgklo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oilgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpjjklod.dll" Ekcdegqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbfbfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkndiabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnaoldi.dll" Hdilalko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kaojiqej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdkpob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dddodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdmcbojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nppceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbmbgngb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfjlh32.dll" Fpkdca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqgahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jligibpk.dll" Oclpdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojlkonpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eedmheda.dll" Qpmiahlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Annpaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeckdc32.dll" Hchbcmlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldikbhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akfaof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgbiggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmplenhh.dll" Pqaanoah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blfnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomai32.dll" Fkpfjnnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emailhfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbfbfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fimclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blpibghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcaiqfib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfpkbbmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajipmocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfadeaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbodpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eabgjeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iganmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oifelfni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abpohb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogigpllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdfcaegj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoflo32.dll" Ecdffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meaiia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mphfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cocbbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lggpdmap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbpjajc.dll" Alfflhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjomlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcpolmao.dll" Ioapnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lejbhbpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kililk32.dll" Pblkgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdoeipjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oohokele.dll" Ckboba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajqoqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Andnff32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1120 wrote to memory of 396 1120 75fc455498c98753f6d7f30c480b45d0N.exe 29 PID 1120 wrote to memory of 396 1120 75fc455498c98753f6d7f30c480b45d0N.exe 29 PID 1120 wrote to memory of 396 1120 75fc455498c98753f6d7f30c480b45d0N.exe 29 PID 1120 wrote to memory of 396 1120 75fc455498c98753f6d7f30c480b45d0N.exe 29 PID 396 wrote to memory of 2928 396 Anngkg32.exe 30 PID 396 wrote to memory of 2928 396 Anngkg32.exe 30 PID 396 wrote to memory of 2928 396 Anngkg32.exe 30 PID 396 wrote to memory of 2928 396 Anngkg32.exe 30 PID 2928 wrote to memory of 3024 2928 Aggkdlod.exe 31 PID 2928 wrote to memory of 3024 2928 Aggkdlod.exe 31 PID 2928 wrote to memory of 3024 2928 Aggkdlod.exe 31 PID 2928 wrote to memory of 3024 2928 Aggkdlod.exe 31 PID 3024 wrote to memory of 2652 3024 Bblpae32.exe 32 PID 3024 wrote to memory of 2652 3024 Bblpae32.exe 32 PID 3024 wrote to memory of 2652 3024 Bblpae32.exe 32 PID 3024 wrote to memory of 2652 3024 Bblpae32.exe 32 PID 2652 wrote to memory of 2624 2652 Bgihjl32.exe 33 PID 2652 wrote to memory of 2624 2652 Bgihjl32.exe 33 PID 2652 wrote to memory of 2624 2652 Bgihjl32.exe 33 PID 2652 wrote to memory of 2624 2652 Bgihjl32.exe 33 PID 2624 wrote to memory of 2680 2624 Bdoeipjh.exe 34 PID 2624 wrote to memory of 2680 2624 Bdoeipjh.exe 34 PID 2624 wrote to memory of 2680 2624 Bdoeipjh.exe 34 PID 2624 wrote to memory of 2680 2624 Bdoeipjh.exe 34 PID 2680 wrote to memory of 2856 2680 Bnhjae32.exe 35 PID 2680 wrote to memory of 2856 2680 Bnhjae32.exe 35 PID 2680 wrote to memory of 2856 2680 Bnhjae32.exe 35 PID 2680 wrote to memory of 2856 2680 Bnhjae32.exe 35 PID 2856 wrote to memory of 2392 2856 Bcdbjl32.exe 36 PID 2856 wrote to memory of 2392 2856 Bcdbjl32.exe 36 PID 2856 wrote to memory of 2392 2856 Bcdbjl32.exe 36 PID 2856 wrote to memory of 2392 2856 Bcdbjl32.exe 36 PID 2392 wrote to memory of 2524 2392 Bmmgbbeq.exe 37 PID 2392 wrote to memory of 2524 2392 Bmmgbbeq.exe 37 PID 2392 wrote to memory of 2524 2392 Bmmgbbeq.exe 37 PID 2392 wrote to memory of 2524 2392 Bmmgbbeq.exe 37 PID 2524 wrote to memory of 2732 2524 Bbjoki32.exe 38 PID 2524 wrote to memory of 2732 2524 Bbjoki32.exe 38 PID 2524 wrote to memory of 2732 2524 Bbjoki32.exe 38 PID 2524 wrote to memory of 2732 2524 Bbjoki32.exe 38 PID 2732 wrote to memory of 2172 2732 Conpdm32.exe 39 PID 2732 wrote to memory of 2172 2732 Conpdm32.exe 39 PID 2732 wrote to memory of 2172 2732 Conpdm32.exe 39 PID 2732 wrote to memory of 2172 2732 Conpdm32.exe 39 PID 2172 wrote to memory of 540 2172 Cifdmbib.exe 40 PID 2172 wrote to memory of 540 2172 Cifdmbib.exe 40 PID 2172 wrote to memory of 540 2172 Cifdmbib.exe 40 PID 2172 wrote to memory of 540 2172 Cifdmbib.exe 40 PID 540 wrote to memory of 2256 540 Cbnhfhoc.exe 41 PID 540 wrote to memory of 2256 540 Cbnhfhoc.exe 41 PID 540 wrote to memory of 2256 540 Cbnhfhoc.exe 41 PID 540 wrote to memory of 2256 540 Cbnhfhoc.exe 41 PID 2256 wrote to memory of 2372 2256 Cpbiolnl.exe 42 PID 2256 wrote to memory of 2372 2256 Cpbiolnl.exe 42 PID 2256 wrote to memory of 2372 2256 Cpbiolnl.exe 42 PID 2256 wrote to memory of 2372 2256 Cpbiolnl.exe 42 PID 2372 wrote to memory of 2212 2372 Cgmndokg.exe 43 PID 2372 wrote to memory of 2212 2372 Cgmndokg.exe 43 PID 2372 wrote to memory of 2212 2372 Cgmndokg.exe 43 PID 2372 wrote to memory of 2212 2372 Cgmndokg.exe 43 PID 2212 wrote to memory of 528 2212 Cafbmdbh.exe 44 PID 2212 wrote to memory of 528 2212 Cafbmdbh.exe 44 PID 2212 wrote to memory of 528 2212 Cafbmdbh.exe 44 PID 2212 wrote to memory of 528 2212 Cafbmdbh.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\75fc455498c98753f6d7f30c480b45d0N.exe"C:\Users\Admin\AppData\Local\Temp\75fc455498c98753f6d7f30c480b45d0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Anngkg32.exeC:\Windows\system32\Anngkg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Aggkdlod.exeC:\Windows\system32\Aggkdlod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Bblpae32.exeC:\Windows\system32\Bblpae32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Bgihjl32.exeC:\Windows\system32\Bgihjl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Bdoeipjh.exeC:\Windows\system32\Bdoeipjh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Bnhjae32.exeC:\Windows\system32\Bnhjae32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Bcdbjl32.exeC:\Windows\system32\Bcdbjl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Bbjoki32.exeC:\Windows\system32\Bbjoki32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Conpdm32.exeC:\Windows\system32\Conpdm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Cifdmbib.exeC:\Windows\system32\Cifdmbib.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Cbnhfhoc.exeC:\Windows\system32\Cbnhfhoc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Cpbiolnl.exeC:\Windows\system32\Cpbiolnl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Cgmndokg.exeC:\Windows\system32\Cgmndokg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Cafbmdbh.exeC:\Windows\system32\Cafbmdbh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Cnjbfhqa.exeC:\Windows\system32\Cnjbfhqa.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:528 -
C:\Windows\SysWOW64\Dgbgon32.exeC:\Windows\system32\Dgbgon32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:696 -
C:\Windows\SysWOW64\Dmopge32.exeC:\Windows\system32\Dmopge32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Dhdddnep.exeC:\Windows\system32\Dhdddnep.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Dmalmdcg.exeC:\Windows\system32\Dmalmdcg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Dpphipbk.exeC:\Windows\system32\Dpphipbk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Dmcibdad.exeC:\Windows\system32\Dmcibdad.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Dbqajk32.exeC:\Windows\system32\Dbqajk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Deonff32.exeC:\Windows\system32\Deonff32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Dogbolep.exeC:\Windows\system32\Dogbolep.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Elkbipdi.exeC:\Windows\system32\Elkbipdi.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Eecgafkj.exeC:\Windows\system32\Eecgafkj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Ekppjmia.exeC:\Windows\system32\Ekppjmia.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Edidcb32.exeC:\Windows\system32\Edidcb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Emailhfb.exeC:\Windows\system32\Emailhfb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Egimdmmc.exeC:\Windows\system32\Egimdmmc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Eijffhjd.exeC:\Windows\system32\Eijffhjd.exe33⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Fdpjcaij.exeC:\Windows\system32\Fdpjcaij.exe34⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Fimclh32.exeC:\Windows\system32\Fimclh32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Flkohc32.exeC:\Windows\system32\Flkohc32.exe36⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Fgqcel32.exeC:\Windows\system32\Fgqcel32.exe37⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Folhio32.exeC:\Windows\system32\Folhio32.exe38⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Fialggcl.exeC:\Windows\system32\Fialggcl.exe39⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Fpkdca32.exeC:\Windows\system32\Fpkdca32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Flbehbqm.exeC:\Windows\system32\Flbehbqm.exe41⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Fldbnb32.exeC:\Windows\system32\Fldbnb32.exe42⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Gnhkkjbf.exeC:\Windows\system32\Gnhkkjbf.exe43⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Ghmohcbl.exeC:\Windows\system32\Ghmohcbl.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:588 -
C:\Windows\SysWOW64\Gjolpkhj.exeC:\Windows\system32\Gjolpkhj.exe45⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Gddpndhp.exeC:\Windows\system32\Gddpndhp.exe46⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Gknhjn32.exeC:\Windows\system32\Gknhjn32.exe47⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Glpdbfek.exeC:\Windows\system32\Glpdbfek.exe48⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Gfhikl32.exeC:\Windows\system32\Gfhikl32.exe49⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Gmbagf32.exeC:\Windows\system32\Gmbagf32.exe50⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Hjfbaj32.exeC:\Windows\system32\Hjfbaj32.exe51⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Hqpjndio.exeC:\Windows\system32\Hqpjndio.exe52⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Hfmbfkhf.exeC:\Windows\system32\Hfmbfkhf.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Hkiknb32.exeC:\Windows\system32\Hkiknb32.exe54⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Himkgf32.exeC:\Windows\system32\Himkgf32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Hogddpld.exeC:\Windows\system32\Hogddpld.exe56⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Hbepplkh.exeC:\Windows\system32\Hbepplkh.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Hkndiabh.exeC:\Windows\system32\Hkndiabh.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Hbhmfk32.exeC:\Windows\system32\Hbhmfk32.exe59⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Hibebeqb.exeC:\Windows\system32\Hibebeqb.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Hnomkloi.exeC:\Windows\system32\Hnomkloi.exe61⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Jhikhefb.exeC:\Windows\system32\Jhikhefb.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Jemkai32.exeC:\Windows\system32\Jemkai32.exe63⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Jmhpfl32.exeC:\Windows\system32\Jmhpfl32.exe64⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Jdbhcfjd.exeC:\Windows\system32\Jdbhcfjd.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:780 -
C:\Windows\SysWOW64\Johlpoij.exeC:\Windows\system32\Johlpoij.exe66⤵PID:1900
-
C:\Windows\SysWOW64\Khpaidpk.exeC:\Windows\system32\Khpaidpk.exe67⤵PID:2576
-
C:\Windows\SysWOW64\Kiamql32.exeC:\Windows\system32\Kiamql32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Kbjbibli.exeC:\Windows\system32\Kbjbibli.exe69⤵PID:2964
-
C:\Windows\SysWOW64\Kmpfgklo.exeC:\Windows\system32\Kmpfgklo.exe70⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Kblooa32.exeC:\Windows\system32\Kblooa32.exe71⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Kldchgag.exeC:\Windows\system32\Kldchgag.exe72⤵PID:2020
-
C:\Windows\SysWOW64\Kbokda32.exeC:\Windows\system32\Kbokda32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Khkdmh32.exeC:\Windows\system32\Khkdmh32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Kcahjqfa.exeC:\Windows\system32\Kcahjqfa.exe75⤵PID:1088
-
C:\Windows\SysWOW64\Khnqbhdi.exeC:\Windows\system32\Khnqbhdi.exe76⤵PID:2052
-
C:\Windows\SysWOW64\Lccepqdo.exeC:\Windows\system32\Lccepqdo.exe77⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Lhpmhgbf.exeC:\Windows\system32\Lhpmhgbf.exe78⤵PID:2752
-
C:\Windows\SysWOW64\Lahaqm32.exeC:\Windows\system32\Lahaqm32.exe79⤵PID:3004
-
C:\Windows\SysWOW64\Lkafib32.exeC:\Windows\system32\Lkafib32.exe80⤵PID:2884
-
C:\Windows\SysWOW64\Ldikbhfh.exeC:\Windows\system32\Ldikbhfh.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Ljfckodo.exeC:\Windows\system32\Ljfckodo.exe82⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Lcnhcdkp.exeC:\Windows\system32\Lcnhcdkp.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1820 -
C:\Windows\SysWOW64\Lpbhmiji.exeC:\Windows\system32\Lpbhmiji.exe84⤵PID:2072
-
C:\Windows\SysWOW64\Mfoqephq.exeC:\Windows\system32\Mfoqephq.exe85⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Mogene32.exeC:\Windows\system32\Mogene32.exe86⤵PID:2572
-
C:\Windows\SysWOW64\Mjmiknng.exeC:\Windows\system32\Mjmiknng.exe87⤵
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Mqgahh32.exeC:\Windows\system32\Mqgahh32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Mbhnpplb.exeC:\Windows\system32\Mbhnpplb.exe89⤵PID:2788
-
C:\Windows\SysWOW64\Mchjjc32.exeC:\Windows\system32\Mchjjc32.exe90⤵
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Mdigakic.exeC:\Windows\system32\Mdigakic.exe91⤵
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\Mnakjaoc.exeC:\Windows\system32\Mnakjaoc.exe92⤵PID:2708
-
C:\Windows\SysWOW64\Mgjpcf32.exeC:\Windows\system32\Mgjpcf32.exe93⤵PID:2112
-
C:\Windows\SysWOW64\Nbodpo32.exeC:\Windows\system32\Nbodpo32.exe94⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Niilmi32.exeC:\Windows\system32\Niilmi32.exe95⤵PID:1116
-
C:\Windows\SysWOW64\Ngoinfao.exeC:\Windows\system32\Ngoinfao.exe96⤵PID:600
-
C:\Windows\SysWOW64\Njmejaqb.exeC:\Windows\system32\Njmejaqb.exe97⤵PID:2296
-
C:\Windows\SysWOW64\Njobpa32.exeC:\Windows\system32\Njobpa32.exe98⤵PID:1020
-
C:\Windows\SysWOW64\Nmnoll32.exeC:\Windows\system32\Nmnoll32.exe99⤵PID:948
-
C:\Windows\SysWOW64\Njaoeq32.exeC:\Windows\system32\Njaoeq32.exe100⤵PID:1044
-
C:\Windows\SysWOW64\Npngng32.exeC:\Windows\system32\Npngng32.exe101⤵PID:1992
-
C:\Windows\SysWOW64\Oiglfm32.exeC:\Windows\system32\Oiglfm32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Oclpdf32.exeC:\Windows\system32\Oclpdf32.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Oenmkngi.exeC:\Windows\system32\Oenmkngi.exe104⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe105⤵PID:944
-
C:\Windows\SysWOW64\Oepianef.exeC:\Windows\system32\Oepianef.exe106⤵PID:1284
-
C:\Windows\SysWOW64\Onhnjclg.exeC:\Windows\system32\Onhnjclg.exe107⤵PID:1368
-
C:\Windows\SysWOW64\Oebffm32.exeC:\Windows\system32\Oebffm32.exe108⤵PID:2252
-
C:\Windows\SysWOW64\Ojoood32.exeC:\Windows\system32\Ojoood32.exe109⤵PID:2696
-
C:\Windows\SysWOW64\Ohcohh32.exeC:\Windows\system32\Ohcohh32.exe110⤵PID:2160
-
C:\Windows\SysWOW64\Onmgeb32.exeC:\Windows\system32\Onmgeb32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:680 -
C:\Windows\SysWOW64\Pegpamoo.exeC:\Windows\system32\Pegpamoo.exe112⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Pjchjcmf.exeC:\Windows\system32\Pjchjcmf.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1504 -
C:\Windows\SysWOW64\Panpgn32.exeC:\Windows\system32\Panpgn32.exe114⤵PID:1596
-
C:\Windows\SysWOW64\Pfjiod32.exeC:\Windows\system32\Pfjiod32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Ppcmhj32.exeC:\Windows\system32\Ppcmhj32.exe116⤵PID:2840
-
C:\Windows\SysWOW64\Pikaqppk.exeC:\Windows\system32\Pikaqppk.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Pbcfie32.exeC:\Windows\system32\Pbcfie32.exe118⤵PID:2040
-
C:\Windows\SysWOW64\Pmijgn32.exeC:\Windows\system32\Pmijgn32.exe119⤵PID:2396
-
C:\Windows\SysWOW64\Pbfcoedi.exeC:\Windows\system32\Pbfcoedi.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Pipklo32.exeC:\Windows\system32\Pipklo32.exe121⤵PID:2264
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-