Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 11-09-2024 10:27
Static task: static1
Behavioral task: behavioral1
  Sample: cb3f7d0bd36f5e9660bac720cac10e50N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: cb3f7d0bd36f5e9660bac720cac10e50N.exe
  Resource: win10v2004-20240802-en
General
Target: cb3f7d0bd36f5e9660bac720cac10e50N.exe
Size: 256KB
MD5: cb3f7d0bd36f5e9660bac720cac10e50
SHA1: 380ccd278675be473dc01d706371ecea08dfb2c1
SHA256: 013ac525d673db79b1fb6fcb4ed6642b1adedb3df403b6a6c0560c2557f1ddaf
SHA512: ceede06077a7c1a91f2df3dca3b662c34c449c84225ebdc4057a5925edbd883f2c7fa68d86d7e84ba615036da0c3a9628a3640ef354a1f2ea7cc84fb9b9ec293
SSDEEP: 3072:8wvMxjgRR+pHkVuY5/I2VceK3KcWmjRrzqzWspSnocyA5qKcWmjRrzeceKSAxpcr:jqMVuYV3HVpaopOpHVILifyeYVDcfR
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4100, pid_target: 5116, Process: WerFault.exe, procid_target: 355
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree (the item number is the depth in the tree; each process is spawned by the one listed immediately before it):

1. C:\Users\Admin\AppData\Local\Temp\cb3f7d0bd36f5e9660bac720cac10e50N.exe (PID 2624), command line: "C:\Users\Admin\AppData\Local\Temp\cb3f7d0bd36f5e9660bac720cac10e50N.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Dfkjgm32.exe (PID 2672), command line: C:\Windows\system32\Dfkjgm32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Dijfch32.exe (PID 2676), command line: C:\Windows\system32\Dijfch32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Dmgoif32.exe (PID 2568), command line: C:\Windows\system32\Dmgoif32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Dcageqgm.exe (PID 2700), command line: C:\Windows\system32\Dcageqgm.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Dphhka32.exe (PID 2608), command line: C:\Windows\system32\Dphhka32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Deeqch32.exe (PID 1684), command line: C:\Windows\system32\Deeqch32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Epkepakn.exe (PID 1140), command line: C:\Windows\system32\Epkepakn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ealahi32.exe (PID 2096), command line: C:\Windows\system32\Ealahi32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ebknblho.exe (PID 3036), command line: C:\Windows\system32\Ebknblho.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Eejjnhgc.exe (PID 2428), command line: C:\Windows\system32\Eejjnhgc.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ejfbfo32.exe (PID 536), command line: C:\Windows\system32\Ejfbfo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ecogodlk.exe (PID 2152), command line: C:\Windows\system32\Ecogodlk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Emgkhj32.exe (PID 1256), command line: C:\Windows\system32\Emgkhj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Efppqoil.exe (PID 2168), command line: C:\Windows\system32\Efppqoil.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Eaednh32.exe (PID 1992), command line: C:\Windows\system32\Eaednh32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ebfqfpop.exe (PID 2124), command line: C:\Windows\system32\Ebfqfpop.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
18. C:\Windows\SysWOW64\Fdfmpc32.exe (PID 644), command line: C:\Windows\system32\Fdfmpc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
19. C:\Windows\SysWOW64\Fegjgkla.exe (PID 956), command line: C:\Windows\system32\Fegjgkla.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
20. C:\Windows\SysWOW64\Fopnpaba.exe (PID 1780), command line: C:\Windows\system32\Fopnpaba.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
21. C:\Windows\SysWOW64\Fejfmk32.exe (PID 2376), command line: C:\Windows\system32\Fejfmk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
22. C:\Windows\SysWOW64\Fpokjd32.exe (PID 1680), command line: C:\Windows\system32\Fpokjd32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
23. C:\Windows\SysWOW64\Fapgblob.exe (PID 1412), command line: C:\Windows\system32\Fapgblob.exe
  - Executes dropped EXE
  - Loads dropped DLL
24. C:\Windows\SysWOW64\Flfkoeoh.exe (PID 2868), command line: C:\Windows\system32\Flfkoeoh.exe
  - Executes dropped EXE
  - Loads dropped DLL
25. C:\Windows\SysWOW64\Fbpclofe.exe (PID 2240), command line: C:\Windows\system32\Fbpclofe.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
26. C:\Windows\SysWOW64\Fdapcg32.exe (PID 2176), command line: C:\Windows\system32\Fdapcg32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
27. C:\Windows\SysWOW64\Fogdap32.exe (PID 1588), command line: C:\Windows\system32\Fogdap32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
28. C:\Windows\SysWOW64\Geqlnjcf.exe (PID 2560), command line: C:\Windows\system32\Geqlnjcf.exe
  - Executes dropped EXE
  - Loads dropped DLL
29. C:\Windows\SysWOW64\Gkmefaan.exe (PID 2668), command line: C:\Windows\system32\Gkmefaan.exe
  - Executes dropped EXE
  - Loads dropped DLL
30. C:\Windows\SysWOW64\Gdfiofhn.exe (PID 2604), command line: C:\Windows\system32\Gdfiofhn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
31. C:\Windows\SysWOW64\Gkpakq32.exe (PID 1600), command line: C:\Windows\system32\Gkpakq32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
32. C:\Windows\SysWOW64\Gpmjcg32.exe (PID 820), command line: C:\Windows\system32\Gpmjcg32.exe
  - Executes dropped EXE
  - Loads dropped DLL
33. C:\Windows\SysWOW64\Gkbnap32.exe (PID 608), command line: C:\Windows\system32\Gkbnap32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
34. C:\Windows\SysWOW64\Gmqkml32.exe (PID 2892), command line: C:\Windows\system32\Gmqkml32.exe
  - Executes dropped EXE
  - Modifies registry class
35. C:\Windows\SysWOW64\Gcmcebkc.exe (PID 2120), command line: C:\Windows\system32\Gcmcebkc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
36. C:\Windows\SysWOW64\Gigkbm32.exe (PID 844), command line: C:\Windows\system32\Gigkbm32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
37. C:\Windows\SysWOW64\Gpacogjm.exe (PID 2112), command line: C:\Windows\system32\Gpacogjm.exe
  - Executes dropped EXE
38. C:\Windows\SysWOW64\Gcppkbia.exe (PID 2372), command line: C:\Windows\system32\Gcppkbia.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
39. C:\Windows\SysWOW64\Hhmhcigh.exe (PID 1816), command line: C:\Windows\system32\Hhmhcigh.exe
  - Executes dropped EXE
40. C:\Windows\SysWOW64\Hpcpdfhj.exe (PID 1772), command line: C:\Windows\system32\Hpcpdfhj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
41. C:\Windows\SysWOW64\Heqimm32.exe (PID 2156), command line: C:\Windows\system32\Heqimm32.exe
  - Executes dropped EXE
42. C:\Windows\SysWOW64\Hljaigmo.exe (PID 2228), command line: C:\Windows\system32\Hljaigmo.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
43. C:\Windows\SysWOW64\Hoimecmb.exe (PID 3060), command line: C:\Windows\system32\Hoimecmb.exe
  - Executes dropped EXE
44. C:\Windows\SysWOW64\Hecebm32.exe (PID 1360), command line: C:\Windows\system32\Hecebm32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
45. C:\Windows\SysWOW64\Hlmnogkl.exe (PID 2072), command line: C:\Windows\system32\Hlmnogkl.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Hokjkbkp.exe (PID 1760), command line: C:\Windows\system32\Hokjkbkp.exe
  - Executes dropped EXE
47. C:\Windows\SysWOW64\Hfebhmbm.exe (PID 1104), command line: C:\Windows\system32\Hfebhmbm.exe
  - Executes dropped EXE
48. C:\Windows\SysWOW64\Hgfooe32.exe (PID 1728), command line: C:\Windows\system32\Hgfooe32.exe
  - Executes dropped EXE
49. C:\Windows\SysWOW64\Hhfkihon.exe (PID 1308), command line: C:\Windows\system32\Hhfkihon.exe
  - Executes dropped EXE
  - Modifies registry class
50. C:\Windows\SysWOW64\Hjggap32.exe (PID 584), command line: C:\Windows\system32\Hjggap32.exe
  - Executes dropped EXE
51. C:\Windows\SysWOW64\Hbnpbm32.exe (PID 2804), command line: C:\Windows\system32\Hbnpbm32.exe
  - Executes dropped EXE
52. C:\Windows\SysWOW64\Ikfdkc32.exe (PID 2752), command line: C:\Windows\system32\Ikfdkc32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
53. C:\Windows\SysWOW64\Inepgn32.exe (PID 2620), command line: C:\Windows\system32\Inepgn32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
54. C:\Windows\SysWOW64\Idohdhbo.exe (PID 2548), command line: C:\Windows\system32\Idohdhbo.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
55. C:\Windows\SysWOW64\Igmepdbc.exe (PID 944), command line: C:\Windows\system32\Igmepdbc.exe
  - Executes dropped EXE
56. C:\Windows\SysWOW64\Ijlaloaf.exe (PID 2708), command line: C:\Windows\system32\Ijlaloaf.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
57. C:\Windows\SysWOW64\Imjmhkpj.exe (PID 1632), command line: C:\Windows\system32\Imjmhkpj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
58. C:\Windows\SysWOW64\Iqfiii32.exe (PID 628), command line: C:\Windows\system32\Iqfiii32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
59. C:\Windows\SysWOW64\Icdeee32.exe (PID 2108), command line: C:\Windows\system32\Icdeee32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Ijnnao32.exe (PID 1336), command line: C:\Windows\system32\Ijnnao32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
61. C:\Windows\SysWOW64\Immjnj32.exe (PID 1524), command line: C:\Windows\system32\Immjnj32.exe
  - Executes dropped EXE
62. C:\Windows\SysWOW64\Icfbkded.exe (PID 960), command line: C:\Windows\system32\Icfbkded.exe
  - Executes dropped EXE
63. C:\Windows\SysWOW64\Ijqjgo32.exe (PID 1520), command line: C:\Windows\system32\Ijqjgo32.exe
  - Executes dropped EXE
64. C:\Windows\SysWOW64\Iickckcl.exe (PID 1356), command line: C:\Windows\system32\Iickckcl.exe
  - Executes dropped EXE
  - Drops file in System32 directory
65. C:\Windows\SysWOW64\Iomcpe32.exe (PID 668), command line: C:\Windows\system32\Iomcpe32.exe
  - Executes dropped EXE
66. C:\Windows\SysWOW64\Iblola32.exe (PID 1428), command line: C:\Windows\system32\Iblola32.exe
67. C:\Windows\SysWOW64\Iejkhlip.exe (PID 2872), command line: C:\Windows\system32\Iejkhlip.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Imacijjb.exe (PID 2764), command line: C:\Windows\system32\Imacijjb.exe
  - Modifies registry class
69. C:\Windows\SysWOW64\Joppeeif.exe (PID 2540), command line: C:\Windows\system32\Joppeeif.exe
  - System Location Discovery: System Language Discovery
70. C:\Windows\SysWOW64\Jfjhbo32.exe (PID 2812), command line: C:\Windows\system32\Jfjhbo32.exe
  - Modifies registry class
71. C:\Windows\SysWOW64\Jelhmlgm.exe (PID 2704), command line: C:\Windows\system32\Jelhmlgm.exe
72. C:\Windows\SysWOW64\Jihdnk32.exe (PID 2720), command line: C:\Windows\system32\Jihdnk32.exe
  - Drops file in System32 directory
73. C:\Windows\SysWOW64\Jkfpjf32.exe (PID 2956), command line: C:\Windows\system32\Jkfpjf32.exe
  - Drops file in System32 directory
74. C:\Windows\SysWOW64\Jnemfa32.exe (PID 2464), command line: C:\Windows\system32\Jnemfa32.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
75. C:\Windows\SysWOW64\Jgmaog32.exe (PID 2628), command line: C:\Windows\system32\Jgmaog32.exe
  - Drops file in System32 directory
76. C:\Windows\SysWOW64\Jkimpfmg.exe (PID 2592), command line: C:\Windows\system32\Jkimpfmg.exe
77. C:\Windows\SysWOW64\Jngilalk.exe (PID 1440), command line: C:\Windows\system32\Jngilalk.exe
78. C:\Windows\SysWOW64\Jaeehmko.exe (PID 1280), command line: C:\Windows\system32\Jaeehmko.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
79. C:\Windows\SysWOW64\Jeaahk32.exe (PID 2188), command line: C:\Windows\system32\Jeaahk32.exe
80. C:\Windows\SysWOW64\Jgpndg32.exe (PID 2916), command line: C:\Windows\system32\Jgpndg32.exe
81. C:\Windows\SysWOW64\Jjnjqb32.exe (PID 2936), command line: C:\Windows\system32\Jjnjqb32.exe
82. C:\Windows\SysWOW64\Jmlfmn32.exe (PID 908), command line: C:\Windows\system32\Jmlfmn32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Jecnnk32.exe (PID 1504), command line: C:\Windows\system32\Jecnnk32.exe
84. C:\Windows\SysWOW64\Jgbjjf32.exe (PID 2296), command line: C:\Windows\system32\Jgbjjf32.exe
  - System Location Discovery: System Language Discovery
  - Modifies registry class
85. C:\Windows\SysWOW64\Jjpgfbom.exe (PID 2680), command line: C:\Windows\system32\Jjpgfbom.exe
  - Drops file in System32 directory
86. C:\Windows\SysWOW64\Jnlbgq32.exe (PID 1592), command line: C:\Windows\system32\Jnlbgq32.exe
  - Modifies registry class
87. C:\Windows\SysWOW64\Jcikog32.exe (PID 2596), command line: C:\Windows\system32\Jcikog32.exe
  - Drops file in System32 directory
88. C:\Windows\SysWOW64\Kfggkc32.exe (PID 2100), command line: C:\Windows\system32\Kfggkc32.exe
  - Modifies registry class
89. C:\Windows\SysWOW64\Kjbclamj.exe (PID 2244), command line: C:\Windows\system32\Kjbclamj.exe
  - Drops file in System32 directory
90. C:\Windows\SysWOW64\Kmaphmln.exe (PID 1496), command line: C:\Windows\system32\Kmaphmln.exe
91. C:\Windows\SysWOW64\Kppldhla.exe (PID 2044), command line: C:\Windows\system32\Kppldhla.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
92. C:\Windows\SysWOW64\Kbnhpdke.exe (PID 2180), command line: C:\Windows\system32\Kbnhpdke.exe
93. C:\Windows\SysWOW64\Kjepaa32.exe (PID 348), command line: C:\Windows\system32\Kjepaa32.exe
94. C:\Windows\SysWOW64\Kihpmnbb.exe (PID 684), command line: C:\Windows\system32\Kihpmnbb.exe
  - Modifies registry class
95. C:\Windows\SysWOW64\Klfmijae.exe (PID 2020), command line: C:\Windows\system32\Klfmijae.exe
96. C:\Windows\SysWOW64\Kcmdjgbh.exe (PID 1056), command line: C:\Windows\system32\Kcmdjgbh.exe
97. C:\Windows\SysWOW64\Kflafbak.exe (PID 2664), command line: C:\Windows\system32\Kflafbak.exe
98. C:\Windows\SysWOW64\Kijmbnpo.exe (PID 2636), command line: C:\Windows\system32\Kijmbnpo.exe
99. C:\Windows\SysWOW64\Klhioioc.exe (PID 2736), command line: C:\Windows\system32\Klhioioc.exe
100. C:\Windows\SysWOW64\Kfnnlboi.exe (PID 2972), command line: C:\Windows\system32\Kfnnlboi.exe
  - System Location Discovery: System Language Discovery
101. C:\Windows\SysWOW64\Khojcj32.exe (PID 2060), command line: C:\Windows\system32\Khojcj32.exe
  - Drops file in System32 directory
102. C:\Windows\SysWOW64\Koibpd32.exe (PID 112), command line: C:\Windows\system32\Koibpd32.exe
103. C:\Windows\SysWOW64\Kaholp32.exe (PID 2332), command line: C:\Windows\system32\Kaholp32.exe
104. C:\Windows\SysWOW64\Kiofnm32.exe (PID 1704), command line: C:\Windows\system32\Kiofnm32.exe
  - System Location Discovery: System Language Discovery
105. C:\Windows\SysWOW64\Klmbjh32.exe (PID 2356), command line: C:\Windows\system32\Klmbjh32.exe
  - Drops file in System32 directory
106. C:\Windows\SysWOW64\Lolofd32.exe (PID 1628), command line: C:\Windows\system32\Lolofd32.exe
  - Drops file in System32 directory
107. C:\Windows\SysWOW64\Lajkbp32.exe (PID 3028), command line: C:\Windows\system32\Lajkbp32.exe
108. C:\Windows\SysWOW64\Ldhgnk32.exe (PID 1864), command line: C:\Windows\system32\Ldhgnk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
109. C:\Windows\SysWOW64\Llpoohik.exe (PID 752), command line: C:\Windows\system32\Llpoohik.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
110. C:\Windows\SysWOW64\Lonlkcho.exe (PID 1744), command line: C:\Windows\system32\Lonlkcho.exe
  - Drops file in System32 directory
111. C:\Windows\SysWOW64\Lalhgogb.exe (PID 2036), command line: C:\Windows\system32\Lalhgogb.exe
112. C:\Windows\SysWOW64\Ldkdckff.exe (PID 2500), command line: C:\Windows\system32\Ldkdckff.exe
  - System Location Discovery: System Language Discovery
  - Modifies registry class
113. C:\Windows\SysWOW64\Lfippfej.exe (PID 2076), command line: C:\Windows\system32\Lfippfej.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
114. C:\Windows\SysWOW64\Lophacfl.exe (PID 2884), command line: C:\Windows\system32\Lophacfl.exe
  - Modifies registry class
115. C:\Windows\SysWOW64\Lmcilp32.exe (PID 2536), command line: C:\Windows\system32\Lmcilp32.exe
  - System Location Discovery: System Language Discovery
116. C:\Windows\SysWOW64\Lpaehl32.exe (PID 1736), command line: C:\Windows\system32\Lpaehl32.exe
117. C:\Windows\SysWOW64\Lglmefcg.exe (PID 2476), command line: C:\Windows\system32\Lglmefcg.exe
118. C:\Windows\SysWOW64\Lijiaabk.exe (PID 848), command line: C:\Windows\system32\Lijiaabk.exe
119. C:\Windows\SysWOW64\Laaabo32.exe (PID 1388), command line: C:\Windows\system32\Laaabo32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
120. C:\Windows\SysWOW64\Ldpnoj32.exe (PID 1820), command line: C:\Windows\system32\Ldpnoj32.exe
  - System Location Discovery: System Language Discovery
121. C:\Windows\SysWOW64\Lgnjke32.exe (PID 1740), command line: C:\Windows\system32\Lgnjke32.exe
122. C:\Windows\SysWOW64\Lilfgq32.exe (PID 2948), command line: C:\Windows\system32\Lilfgq32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup