Analysis
-
max time kernel
94s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/09/2024, 06:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b758f4bc3f5ce0f0c16203e517c26d00N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b758f4bc3f5ce0f0c16203e517c26d00N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b758f4bc3f5ce0f0c16203e517c26d00N.exe
-
Size
98KB
-
MD5
b758f4bc3f5ce0f0c16203e517c26d00
-
SHA1
4231716bbf24f43442eba97fa16f58f7d717650d
-
SHA256
2f6e5579fc93aef4a5710a54fdc5932e1e34eedd978b0bccfcfed8715b7ab337
-
SHA512
52f533b6cf4e236c012f43d36d0ba1c33a9335f9a783a514dbd53cb57ec3f9cdd36283a0731fadc9c615cf0a4a4b07ce0aa54032ba5fae3ba8e220e4b38e07c1
-
SSDEEP
3072:H39efRs5tnNeLwzNOEReFKPD375lHzpa1P:H39efoVNVzNOEReYr75lHzpaF
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lojeda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdjblboj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amfcfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaljjdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmohjooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khjkiikl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cihqbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbhagiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oicbma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpbokj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Diklpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elndpnnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkkeeikj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqkgbkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkdik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqkgbkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dghjmlnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqhiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpmdff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdoocdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elqcnfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gielchpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbhmfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjdiigbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjdiigbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kciifc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pacbel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hekhid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peaibajp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfkhbon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opennf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbkaoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbcjca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipaklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mljnaocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfljmmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpccgppq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laidie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnmmidhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mogene32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfgdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdigakic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfcfob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppqqbjkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiljcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbpfpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfjpemb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nonqca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocdohdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnjhjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdblkoco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilpmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahancp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdcfle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflonn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hecjco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agilkijf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjahfkfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfmahkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlepjbmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggeiooea.exe -
Executes dropped EXE 64 IoCs
pid Process 2072 Jnjhjj32.exe 2900 Jqhdfe32.exe 2312 Jgbmco32.exe 2792 Kggfnoch.exe 2552 Keappgmg.exe 2752 Kfaljjdj.exe 1396 Ljcbcngi.exe 2424 Lggbmbfc.exe 2336 Lflonn32.exe 2972 Ladpagin.exe 2332 Mmkafhnb.exe 460 Mpkjgckc.exe 2220 Mejoei32.exe 1800 Noepdo32.exe 1628 Nogmin32.exe 2396 Nianjl32.exe 2440 Nmogpj32.exe 3044 Nmacej32.exe 2452 Oihdjk32.exe 2284 Oaciom32.exe 1312 Onmfin32.exe 1872 Ohbjgg32.exe 692 Pcnhmdli.exe 1784 Pncljmko.exe 584 Pmiikipg.exe 2740 Aadakl32.exe 2064 Ajmfca32.exe 2828 Ammoel32.exe 2824 Bclqme32.exe 2604 Bpbabf32.exe 2956 Bikfklni.exe 2168 Bbcjca32.exe 904 Bmohjooe.exe 2428 Cfhlbe32.exe 2732 Chgimh32.exe 2128 Cbajme32.exe 1672 Clinfk32.exe 572 Ceacoqfi.exe 1696 Cgaoic32.exe 920 Defljp32.exe 3012 Dcjmcd32.exe 680 Dhgelk32.exe 1084 Dhibakmb.exe 1460 Dhlogjko.exe 1332 Dnhgoa32.exe 1652 Ddbolkac.exe 564 Elndpnnn.exe 732 Effhic32.exe 2928 Ecjibgdh.exe 1700 Elbmkm32.exe 2800 Ehinpnpm.exe 2708 Ebabicfn.exe 2244 Emggflfc.exe 2612 Ebdoocdk.exe 1284 Fdblkoco.exe 1752 Fnkpcd32.exe 2912 Fdehpn32.exe 2200 Fnmmidhm.exe 784 Fgeabi32.exe 1684 Fjdnne32.exe 968 Fclbgj32.exe 2092 Fnafdc32.exe 1776 Fpcblkje.exe 1340 Fmgcepio.exe -
Loads dropped DLL 64 IoCs
pid Process 2088 b758f4bc3f5ce0f0c16203e517c26d00N.exe 2088 b758f4bc3f5ce0f0c16203e517c26d00N.exe 2072 Jnjhjj32.exe 2072 Jnjhjj32.exe 2900 Jqhdfe32.exe 2900 Jqhdfe32.exe 2312 Jgbmco32.exe 2312 Jgbmco32.exe 2792 Kggfnoch.exe 2792 Kggfnoch.exe 2552 Keappgmg.exe 2552 Keappgmg.exe 2752 Kfaljjdj.exe 2752 Kfaljjdj.exe 1396 Ljcbcngi.exe 1396 Ljcbcngi.exe 2424 Lggbmbfc.exe 2424 Lggbmbfc.exe 2336 Lflonn32.exe 2336 Lflonn32.exe 2972 Ladpagin.exe 2972 Ladpagin.exe 2332 Mmkafhnb.exe 2332 Mmkafhnb.exe 460 Mpkjgckc.exe 460 Mpkjgckc.exe 2220 Mejoei32.exe 2220 Mejoei32.exe 1800 Noepdo32.exe 1800 Noepdo32.exe 1628 Nogmin32.exe 1628 Nogmin32.exe 2396 Nianjl32.exe 2396 Nianjl32.exe 2440 Nmogpj32.exe 2440 Nmogpj32.exe 3044 Nmacej32.exe 3044 Nmacej32.exe 2452 Oihdjk32.exe 2452 Oihdjk32.exe 2284 Oaciom32.exe 2284 Oaciom32.exe 1312 Onmfin32.exe 1312 Onmfin32.exe 1872 Ohbjgg32.exe 1872 Ohbjgg32.exe 692 Pcnhmdli.exe 692 Pcnhmdli.exe 1784 Pncljmko.exe 1784 Pncljmko.exe 584 Pmiikipg.exe 584 Pmiikipg.exe 2740 Aadakl32.exe 2740 Aadakl32.exe 2064 Ajmfca32.exe 2064 Ajmfca32.exe 2828 Ammoel32.exe 2828 Ammoel32.exe 2824 Bclqme32.exe 2824 Bclqme32.exe 2604 Bpbabf32.exe 2604 Bpbabf32.exe 2956 Bikfklni.exe 2956 Bikfklni.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fjdnne32.exe Fgeabi32.exe File opened for modification C:\Windows\SysWOW64\Nbaomf32.exe Mbobgfnf.exe File opened for modification C:\Windows\SysWOW64\Kemjieol.exe Kpqaanqd.exe File created C:\Windows\SysWOW64\Mqdbjp32.exe Lqbfdp32.exe File created C:\Windows\SysWOW64\Eodknifb.exe Eelfedpa.exe File opened for modification C:\Windows\SysWOW64\Fcgdjmlo.exe Feccqime.exe File opened for modification C:\Windows\SysWOW64\Klimcf32.exe Khkdmh32.exe File created C:\Windows\SysWOW64\Agchdfmk.exe Ankckagj.exe File created C:\Windows\SysWOW64\Cmkkpnfp.dll Iqpiepcn.exe File created C:\Windows\SysWOW64\Oaecdo32.dll Oiljcj32.exe File opened for modification C:\Windows\SysWOW64\Haggijgb.exe Hgobpd32.exe File created C:\Windows\SysWOW64\Faefoo32.dll Kphpdhdh.exe File created C:\Windows\SysWOW64\Ppogok32.exe Pbkgegad.exe File created C:\Windows\SysWOW64\Fcbjon32.exe Eijffhjd.exe File created C:\Windows\SysWOW64\Okhjcncb.dll Gapoob32.exe File created C:\Windows\SysWOW64\Mjphkf32.dll Cligkdlm.exe File opened for modification C:\Windows\SysWOW64\Mhpigk32.exe Mogene32.exe File created C:\Windows\SysWOW64\Bocfch32.exe Bpnibl32.exe File created C:\Windows\SysWOW64\Oknckq32.dll Lihifhoq.exe File created C:\Windows\SysWOW64\Mnkfcjqe.exe Mganfp32.exe File opened for modification C:\Windows\SysWOW64\Dbmlal32.exe Dhggdcgh.exe File created C:\Windows\SysWOW64\Moonqphf.dll Nilpmo32.exe File opened for modification C:\Windows\SysWOW64\Mcpmonea.exe Lihifhoq.exe File created C:\Windows\SysWOW64\Gqaaok32.dll b758f4bc3f5ce0f0c16203e517c26d00N.exe File created C:\Windows\SysWOW64\Ijmfiefj.exe Inffdd32.exe File opened for modification C:\Windows\SysWOW64\Gapoob32.exe Geinjapb.exe File opened for modification C:\Windows\SysWOW64\Faljqcmk.exe Feeilbhg.exe File created C:\Windows\SysWOW64\Ognobcqo.exe Okgnna32.exe File created C:\Windows\SysWOW64\Kkooeblb.dll Qhbdmeoe.exe File created C:\Windows\SysWOW64\Nhmiqo32.dll Nkdpmn32.exe File created C:\Windows\SysWOW64\Hjfmdp32.dll Cdfief32.exe File opened for modification C:\Windows\SysWOW64\Dpbenpqh.exe Dbneekan.exe File opened for modification C:\Windows\SysWOW64\Cdgdlnop.exe Bhqdgm32.exe File created C:\Windows\SysWOW64\Jeenfd32.exe Iionacad.exe File created C:\Windows\SysWOW64\Jqhdfe32.exe Jnjhjj32.exe File created C:\Windows\SysWOW64\Moanhnka.dll Nmacej32.exe File created C:\Windows\SysWOW64\Afjdbifq.dll Mkplnp32.exe File created C:\Windows\SysWOW64\Fjfiqjch.dll Nanhihno.exe File opened for modification C:\Windows\SysWOW64\Eenabkfk.exe Eleliepj.exe File opened for modification C:\Windows\SysWOW64\Bgndnd32.exe Bnfodojp.exe File created C:\Windows\SysWOW64\Diklpn32.exe Dfjcncak.exe File opened for modification C:\Windows\SysWOW64\Ffoihepa.exe Fncddc32.exe File created C:\Windows\SysWOW64\Jpigjb32.dll Flpkll32.exe File created C:\Windows\SysWOW64\Dhggdcgh.exe Dplbpaim.exe File created C:\Windows\SysWOW64\Qhmomjib.dll Dendcg32.exe File created C:\Windows\SysWOW64\Iipnge32.dll Nehjmppo.exe File created C:\Windows\SysWOW64\Ilnqhddd.exe Icbldbgi.exe File created C:\Windows\SysWOW64\Njbfpe32.dll Mkbhco32.exe File opened for modification C:\Windows\SysWOW64\Aoihaa32.exe Abeghmmn.exe File opened for modification C:\Windows\SysWOW64\Egimdmmc.exe Emailhfb.exe File created C:\Windows\SysWOW64\Bkocic32.dll Jbbenlof.exe File created C:\Windows\SysWOW64\Knijji32.dll Mcpmonea.exe File created C:\Windows\SysWOW64\Nffpjfep.dll Iqnlpq32.exe File created C:\Windows\SysWOW64\Mganfp32.exe Magfjebk.exe File opened for modification C:\Windows\SysWOW64\Jkgelh32.exe Jaopcbga.exe File opened for modification C:\Windows\SysWOW64\Lcieef32.exe Lcfhpf32.exe File created C:\Windows\SysWOW64\Jelcgfbk.dll Gngdadoj.exe File created C:\Windows\SysWOW64\Iodlcnmf.exe Imepgbnc.exe File created C:\Windows\SysWOW64\Qechqj32.exe Plkchdiq.exe File opened for modification C:\Windows\SysWOW64\Meidib32.exe Mcghajkq.exe File created C:\Windows\SysWOW64\Ejbmjalg.dll Abeghmmn.exe File created C:\Windows\SysWOW64\Bfncbp32.exe Bcoffd32.exe File opened for modification C:\Windows\SysWOW64\Oiglfm32.exe Nqkgbkdj.exe File created C:\Windows\SysWOW64\Cjfjjd32.exe Ccmanjch.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3904 3708 WerFault.exe 693 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmiikipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gindjqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnobi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjbml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behinlkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcipqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqbfdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofbikf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihqbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbldbgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngdadoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggeiooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdaephpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joenaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkkckdhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pipklo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqiakm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heijidbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nehjmppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqidme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abeghmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kononm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klgbfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncljmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadakl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpnga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llainlje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbkaoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppbfmdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqmkflcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ammoel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnmmidhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdbab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elqcnfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilkbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phabdmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiekadkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjfjjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmfiefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jffddfjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iocdmccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knodnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqdbjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdljghj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acdfki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcjqpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgeabi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnafdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfhpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahancp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgdpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcfob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikfklni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjmcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emggflfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpdefh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggdfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lheilofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b758f4bc3f5ce0f0c16203e517c26d00N.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hemeod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcnhmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Defljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpcmlnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajoebigm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkkckdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcmopepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfcqoqeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkbnhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdldjnpc.dll" Ljfckodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odanqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midfibhi.dll" Jigagocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkihpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifikehii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lophcpam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkjdmqc.dll" Qechqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdhnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdjpmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjcfjoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmiikipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbkimd32.dll" Anhdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgjhbpic.dll" Adbmjbif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcmdpcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebabicfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcahmfc.dll" Ekmjanpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmchhqaf.dll" Qiekadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenqenin.dll" Ceacoqfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkdbab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aggkdlod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gemfghek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klimcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Keappgmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnkpcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idepdhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jilkbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicfkpch.dll" Llainlje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdjblboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jalmcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emnelbdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ognobcqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfcphnf.dll" Fpgmak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmgcb32.dll" Kjdiigbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahgdbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emggflfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbknmicj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biahijec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Foblaefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjokogac.dll" Gjqfmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glhbolin.dll" Jeblgodb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfijfdca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhmjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alkpgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcijmhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjlmh32.dll" Ifniaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqdbjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfjbfgk.dll" Cbfhjfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Happkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ognobcqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifniaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lihifhoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kogohg32.dll" Elqcnfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpaihe32.dll" Mkpieggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbnhppoa.dll" Klgbfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eenckc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2088 wrote to memory of 2072 2088 b758f4bc3f5ce0f0c16203e517c26d00N.exe 30 PID 2088 wrote to memory of 2072 2088 b758f4bc3f5ce0f0c16203e517c26d00N.exe 30 PID 2088 wrote to memory of 2072 2088 b758f4bc3f5ce0f0c16203e517c26d00N.exe 30 PID 2088 wrote to memory of 2072 2088 b758f4bc3f5ce0f0c16203e517c26d00N.exe 30 PID 2072 wrote to memory of 2900 2072 Jnjhjj32.exe 31 PID 2072 wrote to memory of 2900 2072 Jnjhjj32.exe 31 PID 2072 wrote to memory of 2900 2072 Jnjhjj32.exe 31 PID 2072 wrote to memory of 2900 2072 Jnjhjj32.exe 31 PID 2900 wrote to memory of 2312 2900 Jqhdfe32.exe 32 PID 2900 wrote to memory of 2312 2900 Jqhdfe32.exe 32 PID 2900 wrote to memory of 2312 2900 Jqhdfe32.exe 32 PID 2900 wrote to memory of 2312 2900 Jqhdfe32.exe 32 PID 2312 wrote to memory of 2792 2312 Jgbmco32.exe 33 PID 2312 wrote to memory of 2792 2312 Jgbmco32.exe 33 PID 2312 wrote to memory of 2792 2312 Jgbmco32.exe 33 PID 2312 wrote to memory of 2792 2312 Jgbmco32.exe 33 PID 2792 wrote to memory of 2552 2792 Kggfnoch.exe 34 PID 2792 wrote to memory of 2552 2792 Kggfnoch.exe 34 PID 2792 wrote to memory of 2552 2792 Kggfnoch.exe 34 PID 2792 wrote to memory of 2552 2792 Kggfnoch.exe 34 PID 2552 wrote to memory of 2752 2552 Keappgmg.exe 35 PID 2552 wrote to memory of 2752 2552 Keappgmg.exe 35 PID 2552 wrote to memory of 2752 2552 Keappgmg.exe 35 PID 2552 wrote to memory of 2752 2552 Keappgmg.exe 35 PID 2752 wrote to memory of 1396 2752 Kfaljjdj.exe 36 PID 2752 wrote to memory of 1396 2752 Kfaljjdj.exe 36 PID 2752 wrote to memory of 1396 2752 Kfaljjdj.exe 36 PID 2752 wrote to memory of 1396 2752 Kfaljjdj.exe 36 PID 1396 wrote to memory of 2424 1396 Ljcbcngi.exe 37 PID 1396 wrote to memory of 2424 1396 Ljcbcngi.exe 37 PID 1396 wrote to memory of 2424 1396 Ljcbcngi.exe 37 PID 1396 wrote to memory of 2424 1396 Ljcbcngi.exe 37 PID 2424 wrote to memory of 2336 2424 Lggbmbfc.exe 38 PID 2424 wrote to memory of 2336 2424 Lggbmbfc.exe 38 PID 2424 wrote to memory of 2336 2424 Lggbmbfc.exe 38 PID 2424 wrote to memory of 2336 2424 Lggbmbfc.exe 38 PID 2336 wrote to memory of 2972 2336 Lflonn32.exe 39 PID 2336 wrote to memory of 2972 2336 Lflonn32.exe 39 PID 2336 wrote to memory of 2972 2336 Lflonn32.exe 39 PID 2336 wrote to memory of 2972 2336 Lflonn32.exe 39 PID 2972 wrote to memory of 2332 2972 Ladpagin.exe 40 PID 2972 wrote to memory of 2332 2972 Ladpagin.exe 40 PID 2972 wrote to memory of 2332 2972 Ladpagin.exe 40 PID 2972 wrote to memory of 2332 2972 Ladpagin.exe 40 PID 2332 wrote to memory of 460 2332 Mmkafhnb.exe 41 PID 2332 wrote to memory of 460 2332 Mmkafhnb.exe 41 PID 2332 wrote to memory of 460 2332 Mmkafhnb.exe 41 PID 2332 wrote to memory of 460 2332 Mmkafhnb.exe 41 PID 460 wrote to memory of 2220 460 Mpkjgckc.exe 42 PID 460 wrote to memory of 2220 460 Mpkjgckc.exe 42 PID 460 wrote to memory of 2220 460 Mpkjgckc.exe 42 PID 460 wrote to memory of 2220 460 Mpkjgckc.exe 42 PID 2220 wrote to memory of 1800 2220 Mejoei32.exe 43 PID 2220 wrote to memory of 1800 2220 Mejoei32.exe 43 PID 2220 wrote to memory of 1800 2220 Mejoei32.exe 43 PID 2220 wrote to memory of 1800 2220 Mejoei32.exe 43 PID 1800 wrote to memory of 1628 1800 Noepdo32.exe 44 PID 1800 wrote to memory of 1628 1800 Noepdo32.exe 44 PID 1800 wrote to memory of 1628 1800 Noepdo32.exe 44 PID 1800 wrote to memory of 1628 1800 Noepdo32.exe 44 PID 1628 wrote to memory of 2396 1628 Nogmin32.exe 45 PID 1628 wrote to memory of 2396 1628 Nogmin32.exe 45 PID 1628 wrote to memory of 2396 1628 Nogmin32.exe 45 PID 1628 wrote to memory of 2396 1628 Nogmin32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b758f4bc3f5ce0f0c16203e517c26d00N.exe"C:\Users\Admin\AppData\Local\Temp\b758f4bc3f5ce0f0c16203e517c26d00N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Jnjhjj32.exeC:\Windows\system32\Jnjhjj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Jqhdfe32.exeC:\Windows\system32\Jqhdfe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Jgbmco32.exeC:\Windows\system32\Jgbmco32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Kggfnoch.exeC:\Windows\system32\Kggfnoch.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Keappgmg.exeC:\Windows\system32\Keappgmg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Kfaljjdj.exeC:\Windows\system32\Kfaljjdj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ljcbcngi.exeC:\Windows\system32\Ljcbcngi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Lggbmbfc.exeC:\Windows\system32\Lggbmbfc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Lflonn32.exeC:\Windows\system32\Lflonn32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ladpagin.exeC:\Windows\system32\Ladpagin.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Mmkafhnb.exeC:\Windows\system32\Mmkafhnb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Mpkjgckc.exeC:\Windows\system32\Mpkjgckc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Mejoei32.exeC:\Windows\system32\Mejoei32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Noepdo32.exeC:\Windows\system32\Noepdo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Nogmin32.exeC:\Windows\system32\Nogmin32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Nianjl32.exeC:\Windows\system32\Nianjl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Nmogpj32.exeC:\Windows\system32\Nmogpj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Nmacej32.exeC:\Windows\system32\Nmacej32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Oihdjk32.exeC:\Windows\system32\Oihdjk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Oaciom32.exeC:\Windows\system32\Oaciom32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Onmfin32.exeC:\Windows\system32\Onmfin32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Ohbjgg32.exeC:\Windows\system32\Ohbjgg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Pcnhmdli.exeC:\Windows\system32\Pcnhmdli.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Pncljmko.exeC:\Windows\system32\Pncljmko.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Pmiikipg.exeC:\Windows\system32\Pmiikipg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Aadakl32.exeC:\Windows\system32\Aadakl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Ajmfca32.exeC:\Windows\system32\Ajmfca32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Ammoel32.exeC:\Windows\system32\Ammoel32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Bclqme32.exeC:\Windows\system32\Bclqme32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Bpbabf32.exeC:\Windows\system32\Bpbabf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Bikfklni.exeC:\Windows\system32\Bikfklni.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Bbcjca32.exeC:\Windows\system32\Bbcjca32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Bmohjooe.exeC:\Windows\system32\Bmohjooe.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe35⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Chgimh32.exeC:\Windows\system32\Chgimh32.exe36⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Cbajme32.exeC:\Windows\system32\Cbajme32.exe37⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Clinfk32.exeC:\Windows\system32\Clinfk32.exe38⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Ceacoqfi.exeC:\Windows\system32\Ceacoqfi.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Cgaoic32.exeC:\Windows\system32\Cgaoic32.exe40⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Defljp32.exeC:\Windows\system32\Defljp32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Dcjmcd32.exeC:\Windows\system32\Dcjmcd32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe43⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Dhibakmb.exeC:\Windows\system32\Dhibakmb.exe44⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Dhlogjko.exeC:\Windows\system32\Dhlogjko.exe45⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Dnhgoa32.exeC:\Windows\system32\Dnhgoa32.exe46⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Ddbolkac.exeC:\Windows\system32\Ddbolkac.exe47⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Elndpnnn.exeC:\Windows\system32\Elndpnnn.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Effhic32.exeC:\Windows\system32\Effhic32.exe49⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Ecjibgdh.exeC:\Windows\system32\Ecjibgdh.exe50⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Elbmkm32.exeC:\Windows\system32\Elbmkm32.exe51⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Ehinpnpm.exeC:\Windows\system32\Ehinpnpm.exe52⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Ebabicfn.exeC:\Windows\system32\Ebabicfn.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Emggflfc.exeC:\Windows\system32\Emggflfc.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Ebdoocdk.exeC:\Windows\system32\Ebdoocdk.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Fdblkoco.exeC:\Windows\system32\Fdblkoco.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Fnkpcd32.exeC:\Windows\system32\Fnkpcd32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Fdehpn32.exeC:\Windows\system32\Fdehpn32.exe58⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Fnmmidhm.exeC:\Windows\system32\Fnmmidhm.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Fgeabi32.exeC:\Windows\system32\Fgeabi32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:784 -
C:\Windows\SysWOW64\Fjdnne32.exeC:\Windows\system32\Fjdnne32.exe61⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe62⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Fnafdc32.exeC:\Windows\system32\Fnafdc32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Fpcblkje.exeC:\Windows\system32\Fpcblkje.exe64⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Fmgcepio.exeC:\Windows\system32\Fmgcepio.exe65⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe66⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Gphlgk32.exeC:\Windows\system32\Gphlgk32.exe67⤵PID:600
-
C:\Windows\SysWOW64\Geddoa32.exeC:\Windows\system32\Geddoa32.exe68⤵PID:1956
-
C:\Windows\SysWOW64\Gnmihgkh.exeC:\Windows\system32\Gnmihgkh.exe69⤵PID:1980
-
C:\Windows\SysWOW64\Gegaeabe.exeC:\Windows\system32\Gegaeabe.exe70⤵PID:1724
-
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe71⤵PID:2680
-
C:\Windows\SysWOW64\Gnofng32.exeC:\Windows\system32\Gnofng32.exe72⤵PID:2316
-
C:\Windows\SysWOW64\Geinjapb.exeC:\Windows\system32\Geinjapb.exe73⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe74⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Hlecmkel.exeC:\Windows\system32\Hlecmkel.exe75⤵PID:1248
-
C:\Windows\SysWOW64\Habkeacd.exeC:\Windows\system32\Habkeacd.exe76⤵PID:816
-
C:\Windows\SysWOW64\Hmiljb32.exeC:\Windows\system32\Hmiljb32.exe77⤵PID:1592
-
C:\Windows\SysWOW64\Hfaqbh32.exeC:\Windows\system32\Hfaqbh32.exe78⤵PID:568
-
C:\Windows\SysWOW64\Hagepa32.exeC:\Windows\system32\Hagepa32.exe79⤵PID:2000
-
C:\Windows\SysWOW64\Hbhagiem.exeC:\Windows\system32\Hbhagiem.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Hmneebeb.exeC:\Windows\system32\Hmneebeb.exe81⤵PID:1384
-
C:\Windows\SysWOW64\Hbknmicj.exeC:\Windows\system32\Hbknmicj.exe82⤵
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Heijidbn.exeC:\Windows\system32\Heijidbn.exe83⤵
- System Location Discovery: System Language Discovery
PID:1036 -
C:\Windows\SysWOW64\Hlcbfnjk.exeC:\Windows\system32\Hlcbfnjk.exe84⤵PID:1952
-
C:\Windows\SysWOW64\Ioaobjin.exeC:\Windows\system32\Ioaobjin.exe85⤵PID:1936
-
C:\Windows\SysWOW64\Iigcobid.exeC:\Windows\system32\Iigcobid.exe86⤵PID:1660
-
C:\Windows\SysWOW64\Ipaklm32.exeC:\Windows\system32\Ipaklm32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1020 -
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe88⤵PID:1960
-
C:\Windows\SysWOW64\Ieppjclf.exeC:\Windows\system32\Ieppjclf.exe89⤵PID:2664
-
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe90⤵PID:2884
-
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe91⤵PID:2692
-
C:\Windows\SysWOW64\Kccian32.exeC:\Windows\system32\Kccian32.exe92⤵PID:2588
-
C:\Windows\SysWOW64\Lmlnjcgg.exeC:\Windows\system32\Lmlnjcgg.exe93⤵PID:1744
-
C:\Windows\SysWOW64\Lenioenj.exeC:\Windows\system32\Lenioenj.exe94⤵PID:2356
-
C:\Windows\SysWOW64\Lpcmlnnp.exeC:\Windows\system32\Lpcmlnnp.exe95⤵
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe96⤵PID:1216
-
C:\Windows\SysWOW64\Milaecdp.exeC:\Windows\system32\Milaecdp.exe97⤵PID:2060
-
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1540 -
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe99⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe100⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Mnkfcjqe.exeC:\Windows\system32\Mnkfcjqe.exe101⤵PID:2932
-
C:\Windows\SysWOW64\Meeopdhb.exeC:\Windows\system32\Meeopdhb.exe102⤵PID:1864
-
C:\Windows\SysWOW64\Mffkgl32.exeC:\Windows\system32\Mffkgl32.exe103⤵PID:2660
-
C:\Windows\SysWOW64\Mmpcdfem.exeC:\Windows\system32\Mmpcdfem.exe104⤵PID:2728
-
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe105⤵PID:2584
-
C:\Windows\SysWOW64\Mmcpjfcj.exeC:\Windows\system32\Mmcpjfcj.exe106⤵PID:1692
-
C:\Windows\SysWOW64\Mpalfabn.exeC:\Windows\system32\Mpalfabn.exe107⤵PID:2420
-
C:\Windows\SysWOW64\Mfkebkjk.exeC:\Windows\system32\Mfkebkjk.exe108⤵PID:2536
-
C:\Windows\SysWOW64\Mlhmkbhb.exeC:\Windows\system32\Mlhmkbhb.exe109⤵PID:2056
-
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:872 -
C:\Windows\SysWOW64\Noifmmec.exeC:\Windows\system32\Noifmmec.exe111⤵PID:1088
-
C:\Windows\SysWOW64\Ninjjf32.exeC:\Windows\system32\Ninjjf32.exe112⤵PID:2204
-
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe113⤵PID:2328
-
C:\Windows\SysWOW64\Nkbcgnie.exeC:\Windows\system32\Nkbcgnie.exe114⤵PID:3028
-
C:\Windows\SysWOW64\Nkdpmn32.exeC:\Windows\system32\Nkdpmn32.exe115⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Nanhihno.exeC:\Windows\system32\Nanhihno.exe116⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Nhhqfb32.exeC:\Windows\system32\Nhhqfb32.exe117⤵PID:1836
-
C:\Windows\SysWOW64\Opcejd32.exeC:\Windows\system32\Opcejd32.exe118⤵PID:2208
-
C:\Windows\SysWOW64\Oiljcj32.exeC:\Windows\system32\Oiljcj32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Odanqb32.exeC:\Windows\system32\Odanqb32.exe120⤵
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe121⤵PID:2184
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-