Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/09/2024, 19:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf657f38bc957036fd083d9248dab2b0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
cf657f38bc957036fd083d9248dab2b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
cf657f38bc957036fd083d9248dab2b0N.exe
-
Size
359KB
-
MD5
cf657f38bc957036fd083d9248dab2b0
-
SHA1
88fa21684995d99ad4250e0427a1695e8db3db60
-
SHA256
df164d6fac729fa20cbe37cb8ce7a9b6be5dfd089439db8cdeddfa0f00a2b1ba
-
SHA512
2f44c4f46d33f7fc717546d3b0635be89453c73309817b13dbdbc60ea649371b835f832b7568eab48f13d21c90ca007afb61715ee8c5a42f725c8c2751118454
-
SSDEEP
6144:8Bsbu63EzZmk4fYVrOigcC6oQ6+EcC6oQ6+YahBQyiTACPTRN6+YahBQyiTAgiuf:Gsb1bkbK9E6n9E6vah6yiMCPTRN6vahm
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iklbhdga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkhdnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbcjca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlpdfjjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfihml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkebgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnlilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhmbdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmlfcel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdgefn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhchg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbffjmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehclbpic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcimhpma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndiomdde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Conpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hajdniep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npechhgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpdbmooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omeini32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nakeib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okpdjjil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikgda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfaocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flbehbqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfgcieii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaeacppk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmohcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkghqpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpanne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdhdlbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apkbnibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iklbhdga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghqchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfnkji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcpqfgol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfadoaih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnofng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iijbnkne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiekadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efpbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lggdfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpllpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hedllgjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblpae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dofnnkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbfhcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldnqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkocfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llfcik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiglfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpoaheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfgdij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efmoib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khglkqfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajdniep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekblplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgpiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfebdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcied32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baiingae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbmlal32.exe -
Executes dropped EXE 64 IoCs
pid Process 2772 Nhmbdl32.exe 2784 Nnjklb32.exe 2744 Nnlhab32.exe 2684 Odacbpee.exe 2692 Onjgkf32.exe 2544 Okpdjjil.exe 2032 Pncjad32.exe 2936 Plndcmmj.exe 1100 Pidaba32.exe 1848 Amhcad32.exe 2160 Aaflgb32.exe 464 Aldfcpjn.exe 2396 Bhkghqpb.exe 2284 Boleejag.exe 1972 Cncolfcl.exe 1356 Chbihc32.exe 2888 Dbadagln.exe 1524 Dnjalhpp.exe 2000 Efffpjmk.exe 760 Embkbdce.exe 2424 Eepmlf32.exe 1564 Einebddd.exe 2316 Fakglf32.exe 864 Fnadkjlc.exe 2476 Gbcien32.exe 2604 Ghekhd32.exe 2780 Ghghnc32.exe 2608 Gaplfinb.exe 2092 Hdgkicek.exe 924 Hjddaj32.exe 2012 Iaaekl32.exe 1000 Iklfia32.exe 1152 Ikocoa32.exe 572 Jqnhmgmk.exe 2992 Jqpebg32.exe 2148 Jqbbhg32.exe 2392 Kiemmh32.exe 2220 Knaeeo32.exe 2344 Kbpnkm32.exe 2252 Kmiolk32.exe 1628 Kgocid32.exe 2084 Kmklak32.exe 880 Lpoaheja.exe 1784 Lekjal32.exe 1792 Lpanne32.exe 1876 Liibgkoo.exe 2404 Mdgmbhgh.exe 3044 Mmbnam32.exe 868 Npechhgd.exe 2728 Nphpng32.exe 2860 Nedifo32.exe 2384 Nkaane32.exe 2856 Nhebhipj.exe 740 Neibanod.exe 272 Noagjc32.exe 2236 Okhgod32.exe 2332 Occlcg32.exe 2448 Ocfiif32.exe 1360 Oomjng32.exe 2364 Omqjgl32.exe 1600 Obnbpb32.exe 1040 Pigklmqc.exe 1788 Pbpoebgc.exe 2028 Pkhdnh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2240 cf657f38bc957036fd083d9248dab2b0N.exe 2240 cf657f38bc957036fd083d9248dab2b0N.exe 2772 Nhmbdl32.exe 2772 Nhmbdl32.exe 2784 Nnjklb32.exe 2784 Nnjklb32.exe 2744 Nnlhab32.exe 2744 Nnlhab32.exe 2684 Odacbpee.exe 2684 Odacbpee.exe 2692 Onjgkf32.exe 2692 Onjgkf32.exe 2544 Okpdjjil.exe 2544 Okpdjjil.exe 2032 Pncjad32.exe 2032 Pncjad32.exe 2936 Plndcmmj.exe 2936 Plndcmmj.exe 1100 Pidaba32.exe 1100 Pidaba32.exe 1848 Amhcad32.exe 1848 Amhcad32.exe 2160 Aaflgb32.exe 2160 Aaflgb32.exe 464 Aldfcpjn.exe 464 Aldfcpjn.exe 2396 Bhkghqpb.exe 2396 Bhkghqpb.exe 2284 Boleejag.exe 2284 Boleejag.exe 1972 Cncolfcl.exe 1972 Cncolfcl.exe 1356 Chbihc32.exe 1356 Chbihc32.exe 2888 Dbadagln.exe 2888 Dbadagln.exe 1524 Dnjalhpp.exe 1524 Dnjalhpp.exe 2000 Efffpjmk.exe 2000 Efffpjmk.exe 760 Embkbdce.exe 760 Embkbdce.exe 2424 Eepmlf32.exe 2424 Eepmlf32.exe 1564 Einebddd.exe 1564 Einebddd.exe 2316 Fakglf32.exe 2316 Fakglf32.exe 864 Fnadkjlc.exe 864 Fnadkjlc.exe 2828 Gbffjmmp.exe 2828 Gbffjmmp.exe 2604 Ghekhd32.exe 2604 Ghekhd32.exe 2780 Ghghnc32.exe 2780 Ghghnc32.exe 2608 Gaplfinb.exe 2608 Gaplfinb.exe 2092 Hdgkicek.exe 2092 Hdgkicek.exe 924 Hjddaj32.exe 924 Hjddaj32.exe 2012 Iaaekl32.exe 2012 Iaaekl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Poaamlnm.dll Hpdbmooo.exe File created C:\Windows\SysWOW64\Hnjompcl.dll Jiinmnaa.exe File created C:\Windows\SysWOW64\Idokma32.exe Igkjcm32.exe File created C:\Windows\SysWOW64\Nhfdqb32.exe Nhcgkbja.exe File created C:\Windows\SysWOW64\Hhbfpj32.exe Hmheol32.exe File created C:\Windows\SysWOW64\Acjfpokk.exe Afffgjma.exe File created C:\Windows\SysWOW64\Nijcgp32.exe Mgigpgkd.exe File opened for modification C:\Windows\SysWOW64\Lkoidcaj.exe Klimcf32.exe File created C:\Windows\SysWOW64\Dcigjjli.dll Apkbnibq.exe File opened for modification C:\Windows\SysWOW64\Jflgph32.exe Jfjjkhhg.exe File created C:\Windows\SysWOW64\Gnbelong.exe Gfgpgmql.exe File opened for modification C:\Windows\SysWOW64\Odmgnl32.exe Nlabjj32.exe File opened for modification C:\Windows\SysWOW64\Ahdkhp32.exe Aokfpjai.exe File created C:\Windows\SysWOW64\Icbldbgi.exe Imidgh32.exe File opened for modification C:\Windows\SysWOW64\Iiodliep.exe Icbldbgi.exe File created C:\Windows\SysWOW64\Heknhioh.dll Nknnnoph.exe File created C:\Windows\SysWOW64\Hjieapck.exe Gnbelong.exe File opened for modification C:\Windows\SysWOW64\Kocodbpk.exe Kekkkm32.exe File created C:\Windows\SysWOW64\Jpndkj32.exe Jongag32.exe File created C:\Windows\SysWOW64\Eaflfbko.dll Amhcad32.exe File opened for modification C:\Windows\SysWOW64\Njipabhe.exe Nijcgp32.exe File created C:\Windows\SysWOW64\Mjlejl32.exe Lcppgbjd.exe File created C:\Windows\SysWOW64\Fpmepl32.dll Ckhbnb32.exe File created C:\Windows\SysWOW64\Kogohg32.dll Elqcnfdp.exe File created C:\Windows\SysWOW64\Mdpnaccc.dll Kfopdk32.exe File opened for modification C:\Windows\SysWOW64\Aiimfi32.exe Qkelme32.exe File created C:\Windows\SysWOW64\Gmnlog32.exe Gcfgfack.exe File created C:\Windows\SysWOW64\Hjhchg32.exe Gnabcf32.exe File opened for modification C:\Windows\SysWOW64\Plndcmmj.exe Pncjad32.exe File opened for modification C:\Windows\SysWOW64\Iopeoknn.exe Hdkaabnh.exe File created C:\Windows\SysWOW64\Bbiboe32.dll Eqnillbb.exe File created C:\Windows\SysWOW64\Ohjmlaci.exe Omeini32.exe File created C:\Windows\SysWOW64\Dbknfn32.dll Omeini32.exe File created C:\Windows\SysWOW64\Hjeace32.dll Kneflplf.exe File opened for modification C:\Windows\SysWOW64\Kioiffcn.exe Kpgdnp32.exe File created C:\Windows\SysWOW64\Gnofng32.exe Gegaeabe.exe File created C:\Windows\SysWOW64\Lmlnjcgg.exe Kqemeb32.exe File created C:\Windows\SysWOW64\Ihceebkc.dll Eehndm32.exe File created C:\Windows\SysWOW64\Flmlmc32.exe Fgqcel32.exe File opened for modification C:\Windows\SysWOW64\Mliibj32.exe Mjkmfn32.exe File created C:\Windows\SysWOW64\Jcfddmhe.dll Pkhdnh32.exe File created C:\Windows\SysWOW64\Mpkjgckc.exe Mddibb32.exe File created C:\Windows\SysWOW64\Dmecokhm.exe Dcpoab32.exe File created C:\Windows\SysWOW64\Abfjga32.dll Hhbfpj32.exe File created C:\Windows\SysWOW64\Elnoff32.dll Ekjgbi32.exe File created C:\Windows\SysWOW64\Koehka32.dll Hobjia32.exe File created C:\Windows\SysWOW64\Pgcnnh32.exe Pbgefa32.exe File opened for modification C:\Windows\SysWOW64\Niijdq32.exe Mbobgfnf.exe File opened for modification C:\Windows\SysWOW64\Nfcfob32.exe Njjieace.exe File created C:\Windows\SysWOW64\Dlpdfjjp.exe Coldmfkf.exe File opened for modification C:\Windows\SysWOW64\Ohjmlaci.exe Omeini32.exe File created C:\Windows\SysWOW64\Liacqlhg.dll Kpiihgoh.exe File created C:\Windows\SysWOW64\Mjkmfn32.exe Llgllj32.exe File created C:\Windows\SysWOW64\Ibfmgg32.dll Kiemmh32.exe File created C:\Windows\SysWOW64\Fjajno32.exe Fnjiin32.exe File created C:\Windows\SysWOW64\Iimenapo.exe Iflmlfcn.exe File created C:\Windows\SysWOW64\Elqcnfdp.exe Eagbnh32.exe File created C:\Windows\SysWOW64\Efffpjmk.exe Dnjalhpp.exe File opened for modification C:\Windows\SysWOW64\Lnlaomae.exe Kioiffcn.exe File opened for modification C:\Windows\SysWOW64\Olopjddf.exe Oingii32.exe File created C:\Windows\SysWOW64\Ghjajqph.dll Mnaiah32.exe File created C:\Windows\SysWOW64\Iloilcci.exe Ilmlfcel.exe File opened for modification C:\Windows\SysWOW64\Jfjjkhhg.exe Jlaeab32.exe File opened for modification C:\Windows\SysWOW64\Dnjalhpp.exe Dbadagln.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3488 4188 WerFault.exe 589 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capdpcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieppjclf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhbfpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdlbckee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdgfpbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkocfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijcgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgomoboc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaflgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgocid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apclnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqchi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kphpdhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdljghj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jflgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhopjqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjhnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajociq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbjgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedifo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhfdqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimenapo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdekigip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeenb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbldbgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iloilcci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akmlacdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmhcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aldfcpjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoipnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfbinf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llfcik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embkbdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghekhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcnnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekbjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgdjqna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boleejag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkggnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihqilnig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpllpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlmnfeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjjmbgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpiihgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cldnqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiemmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pigklmqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjemoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkaabnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlnjcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcmlnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plffkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnelmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Henjnica.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbkpfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lolbjahp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbodpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghghnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdodmlcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgdnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihcdkom.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afhpca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lneggnqk.dll" Fikgda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjajqph.dll" Mnaiah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qicoleno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Empphi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blodefdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbfepid.dll" Dcpoab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfgcieii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcamln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baiingae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhhea32.dll" Nkaane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnmpd32.dll" Gegaeabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhimgpgk.dll" Fdekigip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcfjelcc.dll" Fdjddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnabcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkdbab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjiibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiinlj.dll" Pbpoebgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apclnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iceojc32.dll" Mblcin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfekjn32.dll" Pgcnnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfkkam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpblne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmaao32.dll" Nphpng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgbejj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbodpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhkghqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmbmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joeido32.dll" Nijcgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lehfafgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cojghf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imidgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfkokh32.dll" Ihqilnig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olopjddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafkhioi.dll" Empphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbppqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfoci32.dll" Kocodbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhebhipj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnlaomae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chapbi32.dll" Qdkfic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikncjoq.dll" Jonqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lojholgi.dll" Llgllj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmcelb32.dll" Ipfkabpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmfin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnoff32.dll" Ekjgbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imooak32.dll" Ofnppgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icbldbgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcmkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefkcp32.dll" Kpgdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jljeeqfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hklhca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibfmgg32.dll" Kiemmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbmlal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Einebddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipfkabpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlejhf32.dll" Mcekkkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olioeoeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqgahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpkjgckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfihml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhmomjib.dll" Dbmlal32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2772 2240 cf657f38bc957036fd083d9248dab2b0N.exe 30 PID 2240 wrote to memory of 2772 2240 cf657f38bc957036fd083d9248dab2b0N.exe 30 PID 2240 wrote to memory of 2772 2240 cf657f38bc957036fd083d9248dab2b0N.exe 30 PID 2240 wrote to memory of 2772 2240 cf657f38bc957036fd083d9248dab2b0N.exe 30 PID 2772 wrote to memory of 2784 2772 Nhmbdl32.exe 31 PID 2772 wrote to memory of 2784 2772 Nhmbdl32.exe 31 PID 2772 wrote to memory of 2784 2772 Nhmbdl32.exe 31 PID 2772 wrote to memory of 2784 2772 Nhmbdl32.exe 31 PID 2784 wrote to memory of 2744 2784 Nnjklb32.exe 32 PID 2784 wrote to memory of 2744 2784 Nnjklb32.exe 32 PID 2784 wrote to memory of 2744 2784 Nnjklb32.exe 32 PID 2784 wrote to memory of 2744 2784 Nnjklb32.exe 32 PID 2744 wrote to memory of 2684 2744 Nnlhab32.exe 33 PID 2744 wrote to memory of 2684 2744 Nnlhab32.exe 33 PID 2744 wrote to memory of 2684 2744 Nnlhab32.exe 33 PID 2744 wrote to memory of 2684 2744 Nnlhab32.exe 33 PID 2684 wrote to memory of 2692 2684 Odacbpee.exe 34 PID 2684 wrote to memory of 2692 2684 Odacbpee.exe 34 PID 2684 wrote to memory of 2692 2684 Odacbpee.exe 34 PID 2684 wrote to memory of 2692 2684 Odacbpee.exe 34 PID 2692 wrote to memory of 2544 2692 Onjgkf32.exe 35 PID 2692 wrote to memory of 2544 2692 Onjgkf32.exe 35 PID 2692 wrote to memory of 2544 2692 Onjgkf32.exe 35 PID 2692 wrote to memory of 2544 2692 Onjgkf32.exe 35 PID 2544 wrote to memory of 2032 2544 Okpdjjil.exe 36 PID 2544 wrote to memory of 2032 2544 Okpdjjil.exe 36 PID 2544 wrote to memory of 2032 2544 Okpdjjil.exe 36 PID 2544 wrote to memory of 2032 2544 Okpdjjil.exe 36 PID 2032 wrote to memory of 2936 2032 Pncjad32.exe 37 PID 2032 wrote to memory of 2936 2032 Pncjad32.exe 37 PID 2032 wrote to memory of 2936 2032 Pncjad32.exe 37 PID 2032 wrote to memory of 2936 2032 Pncjad32.exe 37 PID 2936 wrote to memory of 1100 2936 Plndcmmj.exe 38 PID 2936 wrote to memory of 1100 2936 Plndcmmj.exe 38 PID 2936 wrote to memory of 1100 2936 Plndcmmj.exe 38 PID 2936 wrote to memory of 1100 2936 Plndcmmj.exe 38 PID 1100 wrote to memory of 1848 1100 Pidaba32.exe 39 PID 1100 wrote to memory of 1848 1100 Pidaba32.exe 39 PID 1100 wrote to memory of 1848 1100 Pidaba32.exe 39 PID 1100 wrote to memory of 1848 1100 Pidaba32.exe 39 PID 1848 wrote to memory of 2160 1848 Amhcad32.exe 40 PID 1848 wrote to memory of 2160 1848 Amhcad32.exe 40 PID 1848 wrote to memory of 2160 1848 Amhcad32.exe 40 PID 1848 wrote to memory of 2160 1848 Amhcad32.exe 40 PID 2160 wrote to memory of 464 2160 Aaflgb32.exe 41 PID 2160 wrote to memory of 464 2160 Aaflgb32.exe 41 PID 2160 wrote to memory of 464 2160 Aaflgb32.exe 41 PID 2160 wrote to memory of 464 2160 Aaflgb32.exe 41 PID 464 wrote to memory of 2396 464 Aldfcpjn.exe 42 PID 464 wrote to memory of 2396 464 Aldfcpjn.exe 42 PID 464 wrote to memory of 2396 464 Aldfcpjn.exe 42 PID 464 wrote to memory of 2396 464 Aldfcpjn.exe 42 PID 2396 wrote to memory of 2284 2396 Bhkghqpb.exe 43 PID 2396 wrote to memory of 2284 2396 Bhkghqpb.exe 43 PID 2396 wrote to memory of 2284 2396 Bhkghqpb.exe 43 PID 2396 wrote to memory of 2284 2396 Bhkghqpb.exe 43 PID 2284 wrote to memory of 1972 2284 Boleejag.exe 44 PID 2284 wrote to memory of 1972 2284 Boleejag.exe 44 PID 2284 wrote to memory of 1972 2284 Boleejag.exe 44 PID 2284 wrote to memory of 1972 2284 Boleejag.exe 44 PID 1972 wrote to memory of 1356 1972 Cncolfcl.exe 45 PID 1972 wrote to memory of 1356 1972 Cncolfcl.exe 45 PID 1972 wrote to memory of 1356 1972 Cncolfcl.exe 45 PID 1972 wrote to memory of 1356 1972 Cncolfcl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf657f38bc957036fd083d9248dab2b0N.exe"C:\Users\Admin\AppData\Local\Temp\cf657f38bc957036fd083d9248dab2b0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Nhmbdl32.exeC:\Windows\system32\Nhmbdl32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Nnjklb32.exeC:\Windows\system32\Nnjklb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Nnlhab32.exeC:\Windows\system32\Nnlhab32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Odacbpee.exeC:\Windows\system32\Odacbpee.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Okpdjjil.exeC:\Windows\system32\Okpdjjil.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Pncjad32.exeC:\Windows\system32\Pncjad32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Plndcmmj.exeC:\Windows\system32\Plndcmmj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Pidaba32.exeC:\Windows\system32\Pidaba32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Amhcad32.exeC:\Windows\system32\Amhcad32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Aaflgb32.exeC:\Windows\system32\Aaflgb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Aldfcpjn.exeC:\Windows\system32\Aldfcpjn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Bhkghqpb.exeC:\Windows\system32\Bhkghqpb.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Boleejag.exeC:\Windows\system32\Boleejag.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Cncolfcl.exeC:\Windows\system32\Cncolfcl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Chbihc32.exeC:\Windows\system32\Chbihc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Dbadagln.exeC:\Windows\system32\Dbadagln.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Dnjalhpp.exeC:\Windows\system32\Dnjalhpp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Efffpjmk.exeC:\Windows\system32\Efffpjmk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Eepmlf32.exeC:\Windows\system32\Eepmlf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Einebddd.exeC:\Windows\system32\Einebddd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Fakglf32.exeC:\Windows\system32\Fakglf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Fnadkjlc.exeC:\Windows\system32\Fnadkjlc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe26⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Gbffjmmp.exeC:\Windows\system32\Gbffjmmp.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Gaplfinb.exeC:\Windows\system32\Gaplfinb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Hjddaj32.exeC:\Windows\system32\Hjddaj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\Iaaekl32.exeC:\Windows\system32\Iaaekl32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Iklfia32.exeC:\Windows\system32\Iklfia32.exe34⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Ikocoa32.exeC:\Windows\system32\Ikocoa32.exe35⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Jqnhmgmk.exeC:\Windows\system32\Jqnhmgmk.exe36⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Jqpebg32.exeC:\Windows\system32\Jqpebg32.exe37⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Jqbbhg32.exeC:\Windows\system32\Jqbbhg32.exe38⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Kiemmh32.exeC:\Windows\system32\Kiemmh32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe40⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Kbpnkm32.exeC:\Windows\system32\Kbpnkm32.exe41⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Kmiolk32.exeC:\Windows\system32\Kmiolk32.exe42⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Kgocid32.exeC:\Windows\system32\Kgocid32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\Kmklak32.exeC:\Windows\system32\Kmklak32.exe44⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Lpoaheja.exeC:\Windows\system32\Lpoaheja.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Lekjal32.exeC:\Windows\system32\Lekjal32.exe46⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Liibgkoo.exeC:\Windows\system32\Liibgkoo.exe48⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Mdgmbhgh.exeC:\Windows\system32\Mdgmbhgh.exe49⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Mmbnam32.exeC:\Windows\system32\Mmbnam32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Npechhgd.exeC:\Windows\system32\Npechhgd.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Nphpng32.exeC:\Windows\system32\Nphpng32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Nedifo32.exeC:\Windows\system32\Nedifo32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Nkaane32.exeC:\Windows\system32\Nkaane32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Nhebhipj.exeC:\Windows\system32\Nhebhipj.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Neibanod.exeC:\Windows\system32\Neibanod.exe56⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:272 -
C:\Windows\SysWOW64\Okhgod32.exeC:\Windows\system32\Okhgod32.exe58⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Occlcg32.exeC:\Windows\system32\Occlcg32.exe59⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Ocfiif32.exeC:\Windows\system32\Ocfiif32.exe60⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Oomjng32.exeC:\Windows\system32\Oomjng32.exe61⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Omqjgl32.exeC:\Windows\system32\Omqjgl32.exe62⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Obnbpb32.exeC:\Windows\system32\Obnbpb32.exe63⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Pigklmqc.exeC:\Windows\system32\Pigklmqc.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Pbpoebgc.exeC:\Windows\system32\Pbpoebgc.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe67⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Pbdipa32.exeC:\Windows\system32\Pbdipa32.exe68⤵PID:860
-
C:\Windows\SysWOW64\Pioamlkk.exeC:\Windows\system32\Pioamlkk.exe69⤵PID:2796
-
C:\Windows\SysWOW64\Pbgefa32.exeC:\Windows\system32\Pbgefa32.exe70⤵
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Pgcnnh32.exeC:\Windows\system32\Pgcnnh32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Qfikod32.exeC:\Windows\system32\Qfikod32.exe72⤵PID:1892
-
C:\Windows\SysWOW64\Qcmkhi32.exeC:\Windows\system32\Qcmkhi32.exe73⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Apclnj32.exeC:\Windows\system32\Apclnj32.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Ajipkb32.exeC:\Windows\system32\Ajipkb32.exe75⤵PID:3060
-
C:\Windows\SysWOW64\Afpapcnc.exeC:\Windows\system32\Afpapcnc.exe76⤵PID:1920
-
C:\Windows\SysWOW64\Aphehidc.exeC:\Windows\system32\Aphehidc.exe77⤵PID:2368
-
C:\Windows\SysWOW64\Apkbnibq.exeC:\Windows\system32\Apkbnibq.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Abinjdad.exeC:\Windows\system32\Abinjdad.exe79⤵PID:316
-
C:\Windows\SysWOW64\Ahfgbkpl.exeC:\Windows\system32\Ahfgbkpl.exe80⤵PID:812
-
C:\Windows\SysWOW64\Bdodmlcm.exeC:\Windows\system32\Bdodmlcm.exe81⤵
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Windows\SysWOW64\Bodhjdcc.exeC:\Windows\system32\Bodhjdcc.exe82⤵PID:792
-
C:\Windows\SysWOW64\Bdcnhk32.exeC:\Windows\system32\Bdcnhk32.exe83⤵PID:2508
-
C:\Windows\SysWOW64\Bmlbaqfh.exeC:\Windows\system32\Bmlbaqfh.exe84⤵PID:336
-
C:\Windows\SysWOW64\Biccfalm.exeC:\Windows\system32\Biccfalm.exe85⤵PID:2928
-
C:\Windows\SysWOW64\Ciepkajj.exeC:\Windows\system32\Ciepkajj.exe86⤵PID:2480
-
C:\Windows\SysWOW64\Capdpcge.exeC:\Windows\system32\Capdpcge.exe87⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Clfhml32.exeC:\Windows\system32\Clfhml32.exe88⤵PID:2804
-
C:\Windows\SysWOW64\Ccpqjfnh.exeC:\Windows\system32\Ccpqjfnh.exe89⤵PID:2636
-
C:\Windows\SysWOW64\Cofaog32.exeC:\Windows\system32\Cofaog32.exe90⤵PID:2572
-
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe91⤵PID:1232
-
C:\Windows\SysWOW64\Chabmm32.exeC:\Windows\system32\Chabmm32.exe92⤵PID:752
-
C:\Windows\SysWOW64\Ddhcbnnn.exeC:\Windows\system32\Ddhcbnnn.exe93⤵PID:1348
-
C:\Windows\SysWOW64\Dnqhkcdo.exeC:\Windows\system32\Dnqhkcdo.exe94⤵PID:1476
-
C:\Windows\SysWOW64\Dleelp32.exeC:\Windows\system32\Dleelp32.exe95⤵PID:436
-
C:\Windows\SysWOW64\Dgkiih32.exeC:\Windows\system32\Dgkiih32.exe96⤵PID:2136
-
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:376 -
C:\Windows\SysWOW64\Dljngoea.exeC:\Windows\system32\Dljngoea.exe98⤵PID:1796
-
C:\Windows\SysWOW64\Edeclabl.exeC:\Windows\system32\Edeclabl.exe99⤵PID:1956
-
C:\Windows\SysWOW64\Efeoedjo.exeC:\Windows\system32\Efeoedjo.exe100⤵PID:2924
-
C:\Windows\SysWOW64\Ehclbpic.exeC:\Windows\system32\Ehclbpic.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Enpdjfgj.exeC:\Windows\system32\Enpdjfgj.exe102⤵PID:980
-
C:\Windows\SysWOW64\Ejgeogmn.exeC:\Windows\system32\Ejgeogmn.exe103⤵PID:2656
-
C:\Windows\SysWOW64\Ecoihm32.exeC:\Windows\system32\Ecoihm32.exe104⤵PID:1140
-
C:\Windows\SysWOW64\Efpbih32.exeC:\Windows\system32\Efpbih32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Gnlpeh32.exeC:\Windows\system32\Gnlpeh32.exe106⤵PID:2808
-
C:\Windows\SysWOW64\Gfgdij32.exeC:\Windows\system32\Gfgdij32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Gamifcmi.exeC:\Windows\system32\Gamifcmi.exe108⤵PID:2696
-
C:\Windows\SysWOW64\Gjemoi32.exeC:\Windows\system32\Gjemoi32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Glfjgaih.exeC:\Windows\system32\Glfjgaih.exe110⤵PID:1940
-
C:\Windows\SysWOW64\Hpdbmooo.exeC:\Windows\system32\Hpdbmooo.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Hfnkji32.exeC:\Windows\system32\Hfnkji32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Hoipnl32.exeC:\Windows\system32\Hoipnl32.exe113⤵
- System Location Discovery: System Language Discovery
PID:1112 -
C:\Windows\SysWOW64\Holldk32.exeC:\Windows\system32\Holldk32.exe114⤵PID:2256
-
C:\Windows\SysWOW64\Hdhdlbpk.exeC:\Windows\system32\Hdhdlbpk.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Hdkaabnh.exeC:\Windows\system32\Hdkaabnh.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Iopeoknn.exeC:\Windows\system32\Iopeoknn.exe117⤵PID:592
-
C:\Windows\SysWOW64\Igkjcm32.exeC:\Windows\system32\Igkjcm32.exe118⤵
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Idokma32.exeC:\Windows\system32\Idokma32.exe119⤵PID:1916
-
C:\Windows\SysWOW64\Ipfkabpg.exeC:\Windows\system32\Ipfkabpg.exe120⤵
- Modifies registry class
PID:360 -
C:\Windows\SysWOW64\Ilmlfcel.exeC:\Windows\system32\Ilmlfcel.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-