Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/09/2024, 10:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7b078a8f1b7f783a262318c6eb411770N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
7b078a8f1b7f783a262318c6eb411770N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
7b078a8f1b7f783a262318c6eb411770N.exe
-
Size
55KB
-
MD5
7b078a8f1b7f783a262318c6eb411770
-
SHA1
4445d17157864c80ac8e1035db05ae4ad0d2c3f8
-
SHA256
e7a51a613d3bff841a2420645ac3aede4be22500d5ea898f189ac98dba4d07d2
-
SHA512
5033a03b06ede9403bfcbeb97927082fc55ad6536a35afdfdbe21ae219ed7b99f3192870c8581f58115b9520bbf1eb24af33ed683a71d5fc9a41373903ddf851
-
SSDEEP
768:k6D7/lo98qgTo8oyWIwyudDaZET6ASx1fuA0rMK89R3hPOAPeIj5L2p/1H5AGXdh:v7to+508rhLuXqx8rrc9R30Se22L5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iediin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Japciodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjhgbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfohgepi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obeacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncnmane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikhnaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehnfpifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kambcbhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jefbnacn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hffibceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoqjqhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imggplgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlifadkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folhgbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jplfkjbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqjefamk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqehjecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofqmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoebgcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iocgfhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbmome32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcknhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njnmbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjihmmbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injqmdki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcblan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgngbmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngdjaofc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfcgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblelb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgqgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdkjmip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opialpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paaddgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehcij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmhjdiap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljigih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpjifjdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kidjdpie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadica32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 7b078a8f1b7f783a262318c6eb411770N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmdapml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihjolae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folhgbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inojhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllqplnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjkdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ponklpcg.exe -
Executes dropped EXE 64 IoCs
pid Process 2700 Lkdjglfo.exe 2008 Lopfhk32.exe 2712 Lpabpcdf.exe 2664 Ljigih32.exe 2628 Laqojfli.exe 1280 Lpcoeb32.exe 2220 Lcblan32.exe 1648 Lgngbmjp.exe 2060 Ljldnhid.exe 2764 Lljpjchg.exe 324 Ldahkaij.exe 1708 Lcdhgn32.exe 1028 Lfbdci32.exe 2188 Lnjldf32.exe 2332 Llmmpcfe.exe 1076 Mokilo32.exe 2168 Mcfemmna.exe 952 Mgbaml32.exe 908 Mjqmig32.exe 1740 Mhcmedli.exe 1780 Mloiec32.exe 2300 Mqjefamk.exe 1360 Momfan32.exe 1048 Mblbnj32.exe 2236 Mfgnnhkc.exe 2260 Mjcjog32.exe 2884 Mlafkb32.exe 2556 Mcknhm32.exe 2572 Mfjkdh32.exe 2720 Mdmkoepk.exe 2276 Mmccqbpm.exe 1356 Mneohj32.exe 1660 Mflgih32.exe 1240 Mhjcec32.exe 2856 Mgmdapml.exe 592 Modlbmmn.exe 1376 Mnglnj32.exe 1600 Mqehjecl.exe 1132 Mimpkcdn.exe 1932 Nkkmgncb.exe 2352 Njnmbk32.exe 1720 Nbeedh32.exe 2456 Ndcapd32.exe 1728 Ngbmlo32.exe 2476 Njpihk32.exe 2252 Nmofdf32.exe 1528 Ngdjaofc.exe 2916 Nfgjml32.exe 2716 Nnnbni32.exe 2872 Nqmnjd32.exe 2564 Nppofado.exe 1588 Nggggoda.exe 2592 Nfigck32.exe 1304 Nihcog32.exe 804 Nmcopebh.exe 2924 Nqokpd32.exe 2600 Npbklabl.exe 1768 Nbpghl32.exe 1684 Nflchkii.exe 2064 Njgpij32.exe 664 Nijpdfhm.exe 1980 Nmflee32.exe 1508 Nlilqbgp.exe 1820 Npdhaq32.exe -
Loads dropped DLL 64 IoCs
pid Process 2212 7b078a8f1b7f783a262318c6eb411770N.exe 2212 7b078a8f1b7f783a262318c6eb411770N.exe 2700 Lkdjglfo.exe 2700 Lkdjglfo.exe 2008 Lopfhk32.exe 2008 Lopfhk32.exe 2712 Lpabpcdf.exe 2712 Lpabpcdf.exe 2664 Ljigih32.exe 2664 Ljigih32.exe 2628 Laqojfli.exe 2628 Laqojfli.exe 1280 Lpcoeb32.exe 1280 Lpcoeb32.exe 2220 Lcblan32.exe 2220 Lcblan32.exe 1648 Lgngbmjp.exe 1648 Lgngbmjp.exe 2060 Ljldnhid.exe 2060 Ljldnhid.exe 2764 Lljpjchg.exe 2764 Lljpjchg.exe 324 Ldahkaij.exe 324 Ldahkaij.exe 1708 Lcdhgn32.exe 1708 Lcdhgn32.exe 1028 Lfbdci32.exe 1028 Lfbdci32.exe 2188 Lnjldf32.exe 2188 Lnjldf32.exe 2332 Llmmpcfe.exe 2332 Llmmpcfe.exe 1076 Mokilo32.exe 1076 Mokilo32.exe 2168 Mcfemmna.exe 2168 Mcfemmna.exe 952 Mgbaml32.exe 952 Mgbaml32.exe 908 Mjqmig32.exe 908 Mjqmig32.exe 1740 Mhcmedli.exe 1740 Mhcmedli.exe 1780 Mloiec32.exe 1780 Mloiec32.exe 2300 Mqjefamk.exe 2300 Mqjefamk.exe 1360 Momfan32.exe 1360 Momfan32.exe 1048 Mblbnj32.exe 1048 Mblbnj32.exe 2236 Mfgnnhkc.exe 2236 Mfgnnhkc.exe 2260 Mjcjog32.exe 2260 Mjcjog32.exe 2884 Mlafkb32.exe 2884 Mlafkb32.exe 2556 Mcknhm32.exe 2556 Mcknhm32.exe 2572 Mfjkdh32.exe 2572 Mfjkdh32.exe 2720 Mdmkoepk.exe 2720 Mdmkoepk.exe 2276 Mmccqbpm.exe 2276 Mmccqbpm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ndcapd32.exe Nbeedh32.exe File opened for modification C:\Windows\SysWOW64\Emoldlmc.exe Dcghkf32.exe File created C:\Windows\SysWOW64\Ehpcehcj.exe Eafkhn32.exe File opened for modification C:\Windows\SysWOW64\Khgkpl32.exe Kidjdpie.exe File created C:\Windows\SysWOW64\Ioljnm32.dll Mqjefamk.exe File created C:\Windows\SysWOW64\Pecikhmn.dll Njpihk32.exe File created C:\Windows\SysWOW64\Pmmneg32.exe Piabdiep.exe File created C:\Windows\SysWOW64\Qaapcj32.exe Qkghgpfi.exe File created C:\Windows\SysWOW64\Ghanagbo.dll Mcfemmna.exe File created C:\Windows\SysWOW64\Meoaif32.dll Opialpld.exe File created C:\Windows\SysWOW64\Lffkcfke.dll Oaogognm.exe File created C:\Windows\SysWOW64\Dcoaml32.dll Agglbp32.exe File opened for modification C:\Windows\SysWOW64\Hgnokgcc.exe Hdpcokdo.exe File opened for modification C:\Windows\SysWOW64\Hoqjqhjf.exe Hqnjek32.exe File opened for modification C:\Windows\SysWOW64\Oefjdgjk.exe Oajndh32.exe File opened for modification C:\Windows\SysWOW64\Oiafee32.exe Oefjdgjk.exe File created C:\Windows\SysWOW64\Qaacem32.dll Ppfafcpb.exe File opened for modification C:\Windows\SysWOW64\Ajckilei.exe Akpkmo32.exe File created C:\Windows\SysWOW64\Eihjolae.exe Ebnabb32.exe File opened for modification C:\Windows\SysWOW64\Llmmpcfe.exe Lnjldf32.exe File created C:\Windows\SysWOW64\Oflpgnld.exe Ohipla32.exe File opened for modification C:\Windows\SysWOW64\Gkgoff32.exe Gglbfg32.exe File opened for modification C:\Windows\SysWOW64\Hgeelf32.exe Hcjilgdb.exe File opened for modification C:\Windows\SysWOW64\Hbofmcij.exe Hoqjqhjf.exe File created C:\Windows\SysWOW64\Lnjldf32.exe Lfbdci32.exe File created C:\Windows\SysWOW64\Pmehdh32.exe Pnchhllf.exe File created C:\Windows\SysWOW64\Jmegnj32.dll Kbmome32.exe File created C:\Windows\SysWOW64\Cmhjdiap.exe Cnejim32.exe File created C:\Windows\SysWOW64\Njgpij32.exe Nflchkii.exe File created C:\Windows\SysWOW64\Fpnehm32.dll Bacihmoo.exe File opened for modification C:\Windows\SysWOW64\Fooembgb.exe Fhdmph32.exe File created C:\Windows\SysWOW64\Nihcog32.exe Nfigck32.exe File opened for modification C:\Windows\SysWOW64\Dafoikjb.exe Dlifadkk.exe File created C:\Windows\SysWOW64\Ffdmihcc.dll Inhdgdmk.exe File opened for modification C:\Windows\SysWOW64\Inmmbc32.exe Iknafhjb.exe File created C:\Windows\SysWOW64\Jmdgipkk.exe Jjfkmdlg.exe File opened for modification C:\Windows\SysWOW64\Japciodd.exe Jmdgipkk.exe File created C:\Windows\SysWOW64\Jagcgk32.dll Mjcjog32.exe File created C:\Windows\SysWOW64\Olbogqoe.exe Ohfcfb32.exe File opened for modification C:\Windows\SysWOW64\Cmhjdiap.exe Cnejim32.exe File created C:\Windows\SysWOW64\Dlifadkk.exe Deondj32.exe File created C:\Windows\SysWOW64\Dokggo32.dll Ehnfpifm.exe File opened for modification C:\Windows\SysWOW64\Laqojfli.exe Ljigih32.exe File created C:\Windows\SysWOW64\Pblmdj32.dll Gcjmmdbf.exe File created C:\Windows\SysWOW64\Gglbfg32.exe Gdnfjl32.exe File created C:\Windows\SysWOW64\Lgjdnbkd.dll Jjfkmdlg.exe File created C:\Windows\SysWOW64\Mbbhfl32.dll Kageia32.exe File created C:\Windows\SysWOW64\Klcjnl32.dll Olmela32.exe File opened for modification C:\Windows\SysWOW64\Dcdkef32.exe Dafoikjb.exe File created C:\Windows\SysWOW64\Alddjg32.exe Anadojlo.exe File created C:\Windows\SysWOW64\Fdgdji32.exe Fbegbacp.exe File created C:\Windows\SysWOW64\Famaimfe.exe Fooembgb.exe File created C:\Windows\SysWOW64\Mfgnnhkc.exe Mblbnj32.exe File opened for modification C:\Windows\SysWOW64\Kdphjm32.exe Kablnadm.exe File created C:\Windows\SysWOW64\Mjqmig32.exe Mgbaml32.exe File opened for modification C:\Windows\SysWOW64\Fpdkpiik.exe Fmfocnjg.exe File created C:\Windows\SysWOW64\Hoqjqhjf.exe Hqnjek32.exe File created C:\Windows\SysWOW64\Mloiec32.exe Mhcmedli.exe File created C:\Windows\SysWOW64\Lkfhfpel.dll Qlfdac32.exe File opened for modification C:\Windows\SysWOW64\Lljpjchg.exe Ljldnhid.exe File created C:\Windows\SysWOW64\Onlahm32.exe Opialpld.exe File created C:\Windows\SysWOW64\Njjhknaf.dll Onqkclni.exe File created C:\Windows\SysWOW64\Eikfdl32.exe Efljhq32.exe File created C:\Windows\SysWOW64\Pigckoki.dll Kkojbf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4528 4488 WerFault.exe 381 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaimipjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oajndh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boemlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhjdiap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdkjmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iocgfhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khgkpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljldnhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmofdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfigck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncnmane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfpmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbhbai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdhgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fppaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidjdpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblbnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbogqoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjpggkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmnjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnchhllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahfdihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnglnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnfpifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcghkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqokpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piabdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjpil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnejim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbpekam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjohmbpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdphjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbgjgomc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemldifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnabb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpcehcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kablnadm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nihcog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmepgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefbnacn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcngenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggggoda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefjdgjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijbco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqkclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacihmoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldhkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmefdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidddj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkebafoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbemboof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfebnmcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dppigchi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmma32.dll" Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcccnbp.dll" Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgjkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhcmedli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpjoahj.dll" Cqfbjhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eogffk32.dll" Hgeelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkddnqcm.dll" Onnnml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pacajg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hellqgnm.dll" Gkebafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdbpekam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppfafcpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkghgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akpkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oefjdgjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hffibceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icncgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgjdnbkd.dll" Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcepfhka.dll" Hgciff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laqojfli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlafkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecikhmn.dll" Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcfmngo.dll" Nqmnjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nijpdfhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gncnmane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkkmgncb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dafoikjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcpehgf.dll" Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll" Igqhpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbhebfck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jplfkjbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhbje32.dll" Cmfmojcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojacgdmh.dll" Giolnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljldnhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bddbjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhjcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oalkih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkknac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hadcipbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njboon32.dll" Ifmocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccblb32.dll" Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmbnqfg.dll" Fppaej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiafee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aejlnmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmhjdiap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fakdcnhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iediin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpgmpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll" Jmkmjoec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kidjdpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paaddgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqfbjhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnhgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Injqmdki.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2700 2212 7b078a8f1b7f783a262318c6eb411770N.exe 30 PID 2212 wrote to memory of 2700 2212 7b078a8f1b7f783a262318c6eb411770N.exe 30 PID 2212 wrote to memory of 2700 2212 7b078a8f1b7f783a262318c6eb411770N.exe 30 PID 2212 wrote to memory of 2700 2212 7b078a8f1b7f783a262318c6eb411770N.exe 30 PID 2700 wrote to memory of 2008 2700 Lkdjglfo.exe 31 PID 2700 wrote to memory of 2008 2700 Lkdjglfo.exe 31 PID 2700 wrote to memory of 2008 2700 Lkdjglfo.exe 31 PID 2700 wrote to memory of 2008 2700 Lkdjglfo.exe 31 PID 2008 wrote to memory of 2712 2008 Lopfhk32.exe 32 PID 2008 wrote to memory of 2712 2008 Lopfhk32.exe 32 PID 2008 wrote to memory of 2712 2008 Lopfhk32.exe 32 PID 2008 wrote to memory of 2712 2008 Lopfhk32.exe 32 PID 2712 wrote to memory of 2664 2712 Lpabpcdf.exe 33 PID 2712 wrote to memory of 2664 2712 Lpabpcdf.exe 33 PID 2712 wrote to memory of 2664 2712 Lpabpcdf.exe 33 PID 2712 wrote to memory of 2664 2712 Lpabpcdf.exe 33 PID 2664 wrote to memory of 2628 2664 Ljigih32.exe 34 PID 2664 wrote to memory of 2628 2664 Ljigih32.exe 34 PID 2664 wrote to memory of 2628 2664 Ljigih32.exe 34 PID 2664 wrote to memory of 2628 2664 Ljigih32.exe 34 PID 2628 wrote to memory of 1280 2628 Laqojfli.exe 35 PID 2628 wrote to memory of 1280 2628 Laqojfli.exe 35 PID 2628 wrote to memory of 1280 2628 Laqojfli.exe 35 PID 2628 wrote to memory of 1280 2628 Laqojfli.exe 35 PID 1280 wrote to memory of 2220 1280 Lpcoeb32.exe 36 PID 1280 wrote to memory of 2220 1280 Lpcoeb32.exe 36 PID 1280 wrote to memory of 2220 1280 Lpcoeb32.exe 36 PID 1280 wrote to memory of 2220 1280 Lpcoeb32.exe 36 PID 2220 wrote to memory of 1648 2220 Lcblan32.exe 37 PID 2220 wrote to memory of 1648 2220 Lcblan32.exe 37 PID 2220 wrote to memory of 1648 2220 Lcblan32.exe 37 PID 2220 wrote to memory of 1648 2220 Lcblan32.exe 37 PID 1648 wrote to memory of 2060 1648 Lgngbmjp.exe 38 PID 1648 wrote to memory of 2060 1648 Lgngbmjp.exe 38 PID 1648 wrote to memory of 2060 1648 Lgngbmjp.exe 38 PID 1648 wrote to memory of 2060 1648 Lgngbmjp.exe 38 PID 2060 wrote to memory of 2764 2060 Ljldnhid.exe 39 PID 2060 wrote to memory of 2764 2060 Ljldnhid.exe 39 PID 2060 wrote to memory of 2764 2060 Ljldnhid.exe 39 PID 2060 wrote to memory of 2764 2060 Ljldnhid.exe 39 PID 2764 wrote to memory of 324 2764 Lljpjchg.exe 40 PID 2764 wrote to memory of 324 2764 Lljpjchg.exe 40 PID 2764 wrote to memory of 324 2764 Lljpjchg.exe 40 PID 2764 wrote to memory of 324 2764 Lljpjchg.exe 40 PID 324 wrote to memory of 1708 324 Ldahkaij.exe 41 PID 324 wrote to memory of 1708 324 Ldahkaij.exe 41 PID 324 wrote to memory of 1708 324 Ldahkaij.exe 41 PID 324 wrote to memory of 1708 324 Ldahkaij.exe 41 PID 1708 wrote to memory of 1028 1708 Lcdhgn32.exe 42 PID 1708 wrote to memory of 1028 1708 Lcdhgn32.exe 42 PID 1708 wrote to memory of 1028 1708 Lcdhgn32.exe 42 PID 1708 wrote to memory of 1028 1708 Lcdhgn32.exe 42 PID 1028 wrote to memory of 2188 1028 Lfbdci32.exe 43 PID 1028 wrote to memory of 2188 1028 Lfbdci32.exe 43 PID 1028 wrote to memory of 2188 1028 Lfbdci32.exe 43 PID 1028 wrote to memory of 2188 1028 Lfbdci32.exe 43 PID 2188 wrote to memory of 2332 2188 Lnjldf32.exe 44 PID 2188 wrote to memory of 2332 2188 Lnjldf32.exe 44 PID 2188 wrote to memory of 2332 2188 Lnjldf32.exe 44 PID 2188 wrote to memory of 2332 2188 Lnjldf32.exe 44 PID 2332 wrote to memory of 1076 2332 Llmmpcfe.exe 45 PID 2332 wrote to memory of 1076 2332 Llmmpcfe.exe 45 PID 2332 wrote to memory of 1076 2332 Llmmpcfe.exe 45 PID 2332 wrote to memory of 1076 2332 Llmmpcfe.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b078a8f1b7f783a262318c6eb411770N.exe"C:\Users\Admin\AppData\Local\Temp\7b078a8f1b7f783a262318c6eb411770N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Lopfhk32.exeC:\Windows\system32\Lopfhk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Lpcoeb32.exeC:\Windows\system32\Lpcoeb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Lcblan32.exeC:\Windows\system32\Lcblan32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Ljldnhid.exeC:\Windows\system32\Ljldnhid.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Lljpjchg.exeC:\Windows\system32\Lljpjchg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Lcdhgn32.exeC:\Windows\system32\Lcdhgn32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Lfbdci32.exeC:\Windows\system32\Lfbdci32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Lnjldf32.exeC:\Windows\system32\Lnjldf32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Mokilo32.exeC:\Windows\system32\Mokilo32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Mcfemmna.exeC:\Windows\system32\Mcfemmna.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Mjqmig32.exeC:\Windows\system32\Mjqmig32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Mloiec32.exeC:\Windows\system32\Mloiec32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Momfan32.exeC:\Windows\system32\Momfan32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Mjcjog32.exeC:\Windows\system32\Mjcjog32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Mlafkb32.exeC:\Windows\system32\Mlafkb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Mcknhm32.exeC:\Windows\system32\Mcknhm32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Mfjkdh32.exeC:\Windows\system32\Mfjkdh32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Mmccqbpm.exeC:\Windows\system32\Mmccqbpm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Mneohj32.exeC:\Windows\system32\Mneohj32.exe33⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Mflgih32.exeC:\Windows\system32\Mflgih32.exe34⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Mhjcec32.exeC:\Windows\system32\Mhjcec32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Mgmdapml.exeC:\Windows\system32\Mgmdapml.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe37⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Mnglnj32.exeC:\Windows\system32\Mnglnj32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Mqehjecl.exeC:\Windows\system32\Mqehjecl.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Mimpkcdn.exeC:\Windows\system32\Mimpkcdn.exe40⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Nkkmgncb.exeC:\Windows\system32\Nkkmgncb.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Njnmbk32.exeC:\Windows\system32\Njnmbk32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Ndcapd32.exeC:\Windows\system32\Ndcapd32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ngbmlo32.exeC:\Windows\system32\Ngbmlo32.exe45⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Nmofdf32.exeC:\Windows\system32\Nmofdf32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe49⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Nnnbni32.exeC:\Windows\system32\Nnnbni32.exe50⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Nqmnjd32.exeC:\Windows\system32\Nqmnjd32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe52⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Nggggoda.exeC:\Windows\system32\Nggggoda.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Nihcog32.exeC:\Windows\system32\Nihcog32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1304 -
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe56⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe58⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Nbpghl32.exeC:\Windows\system32\Nbpghl32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Nflchkii.exeC:\Windows\system32\Nflchkii.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Njgpij32.exeC:\Windows\system32\Njgpij32.exe61⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:664 -
C:\Windows\SysWOW64\Nmflee32.exeC:\Windows\system32\Nmflee32.exe63⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe64⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Npdhaq32.exeC:\Windows\system32\Npdhaq32.exe65⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Ncpdbohb.exeC:\Windows\system32\Ncpdbohb.exe66⤵PID:272
-
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe67⤵PID:3036
-
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe68⤵PID:3068
-
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe69⤵PID:2096
-
C:\Windows\SysWOW64\Oniebmda.exeC:\Windows\system32\Oniebmda.exe70⤵PID:2384
-
C:\Windows\SysWOW64\Obeacl32.exeC:\Windows\system32\Obeacl32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:484 -
C:\Windows\SysWOW64\Ofqmcj32.exeC:\Windows\system32\Ofqmcj32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2580 -
C:\Windows\SysWOW64\Oecmogln.exeC:\Windows\system32\Oecmogln.exe73⤵PID:1704
-
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe74⤵PID:3012
-
C:\Windows\SysWOW64\Ohbikbkb.exeC:\Windows\system32\Ohbikbkb.exe75⤵PID:1968
-
C:\Windows\SysWOW64\Olmela32.exeC:\Windows\system32\Olmela32.exe76⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Opialpld.exeC:\Windows\system32\Opialpld.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe78⤵PID:2472
-
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3028 -
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe82⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Olpbaa32.exeC:\Windows\system32\Olpbaa32.exe83⤵PID:2496
-
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe84⤵PID:1380
-
C:\Windows\SysWOW64\Onnnml32.exeC:\Windows\system32\Onnnml32.exe85⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Oalkih32.exeC:\Windows\system32\Oalkih32.exe86⤵
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe87⤵PID:1748
-
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe88⤵PID:2844
-
C:\Windows\SysWOW64\Ohfcfb32.exeC:\Windows\system32\Ohfcfb32.exe89⤵
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Olbogqoe.exeC:\Windows\system32\Olbogqoe.exe90⤵
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe92⤵PID:2756
-
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe93⤵
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Oejcpf32.exeC:\Windows\system32\Oejcpf32.exe94⤵PID:2744
-
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe95⤵
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe96⤵PID:2776
-
C:\Windows\SysWOW64\Pnchhllf.exeC:\Windows\system32\Pnchhllf.exe97⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe98⤵PID:2196
-
C:\Windows\SysWOW64\Paaddgkj.exeC:\Windows\system32\Paaddgkj.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe100⤵PID:2656
-
C:\Windows\SysWOW64\Pfnmmn32.exeC:\Windows\system32\Pfnmmn32.exe101⤵PID:1444
-
C:\Windows\SysWOW64\Pjihmmbk.exeC:\Windows\system32\Pjihmmbk.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe103⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Ppfafcpb.exeC:\Windows\system32\Ppfafcpb.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe105⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Pjleclph.exeC:\Windows\system32\Pjleclph.exe106⤵PID:1596
-
C:\Windows\SysWOW64\Pioeoi32.exeC:\Windows\system32\Pioeoi32.exe107⤵
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Pmjaohol.exeC:\Windows\system32\Pmjaohol.exe108⤵PID:2576
-
C:\Windows\SysWOW64\Plmbkd32.exeC:\Windows\system32\Plmbkd32.exe109⤵PID:1952
-
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe110⤵PID:2824
-
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe111⤵
- System Location Discovery: System Language Discovery
PID:1036 -
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe112⤵PID:2028
-
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe113⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Pmmneg32.exeC:\Windows\system32\Pmmneg32.exe114⤵PID:2100
-
C:\Windows\SysWOW64\Plpopddd.exeC:\Windows\system32\Plpopddd.exe115⤵PID:2092
-
C:\Windows\SysWOW64\Ppkjac32.exeC:\Windows\system32\Ppkjac32.exe116⤵PID:2608
-
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe118⤵PID:3052
-
C:\Windows\SysWOW64\Pfebnmcj.exeC:\Windows\system32\Pfebnmcj.exe119⤵
- System Location Discovery: System Language Discovery
PID:1224 -
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe121⤵PID:2160
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-