Analysis
-
max time kernel
40s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
12/09/2024, 20:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe
Resource
win10v2004-20240910-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe
-
Size
80KB
-
MD5
7624d97aafadc8d449bab0997bab8fed
-
SHA1
b70d4bcb0e8629b3065825583032ef2a204fa2b6
-
SHA256
25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509
-
SHA512
5a34cd59292ad40900ae6f5d0b5a746b8a04a6ea02a226201aaef43eee543ee69295d2c0870bbdc6b0378a74d787d1c795c77b813bc90fe98fc9b0891c377be7
-
SSDEEP
1536:P7FHBWoerez7hGiPGntZcq9GcFjFCVN3EU8Z7/Rp62LcJ9VqDlzVxyh+CbxMa:T5BBrz7EiOntWqRjFCVN3EU8Z7/RpHcV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkpjfkhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Angafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoflpbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaknmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikcbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Algida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apeakonl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abejlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Colgpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neaehelb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdohj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfmkcdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knqnmeff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfekbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipbidbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iniebmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekjjebed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpledf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfokb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkldli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfhghgie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgbfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfmkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhebij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jficbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnhlgoia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafpipoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkqnghfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npbpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhncg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbijgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gffmqq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihmhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeajcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hikpnkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdlpnnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofcnmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohajic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbaebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqninhmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edieng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlleni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdfejn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogigpllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhnmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnoepam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdkpob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemggm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcgppana.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndfbia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbohmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Befcne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgqokp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Docjpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmipmlan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiichkog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iegjnkod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaolne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbaebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbcahgjd.exe -
Executes dropped EXE 64 IoCs
pid Process 780 Kkpekjie.exe 276 Kbjmhd32.exe 2752 Kicednho.exe 2196 Knqnmeff.exe 2896 Kejfio32.exe 1136 Kldofi32.exe 2732 Knckbe32.exe 792 Kemcookp.exe 2408 Kgkokjjd.exe 1236 Ljjkgfig.exe 2464 Laccdp32.exe 2624 Lcbppk32.exe 548 Liohhbno.exe 1872 Lafpipoa.exe 1372 Lcdmekne.exe 2212 Ljnebe32.exe 2248 Llpajmkq.exe 2044 Lpkmkl32.exe 816 Lbijgg32.exe 2284 Lehfcc32.exe 672 Lpmjplag.exe 1784 Lblflgqk.exe 1992 Lejbhbpn.exe 908 Lppgfkpd.exe 2980 Mihkoa32.exe 2492 Mhkkjnmo.exe 748 Mkihfi32.exe 2928 Macpcccp.exe 2716 Mdbloobc.exe 2812 Mkldli32.exe 2564 Mmjqhd32.exe 2640 Mddidnqa.exe 1980 Mhpeem32.exe 2368 Mknaahhn.exe 1260 Mdfejn32.exe 2900 Mkqnghfk.exe 1140 Mmojcceo.exe 2884 Majfcb32.exe 1248 Mdibpn32.exe 1408 Mclbkjcf.exe 1536 Mggoli32.exe 2268 Ndkoemji.exe 2208 Ngikaijm.exe 2020 Nlfdjphd.exe 1528 Npbpjn32.exe 312 Nglhghgj.exe 1852 Nijdcdgn.exe 1344 Nliqoofa.exe 1964 Npdlpnnj.exe 1936 Neaehelb.exe 352 Nimaic32.exe 2940 Nlkmeo32.exe 2688 Nknmplji.exe 2728 Nceeaikk.exe 1960 Nahemf32.exe 3064 Ndfbia32.exe 2468 Nlmjjo32.exe 1948 Nkpjfkhf.exe 3000 Nolffjap.exe 376 Najbbepc.exe 2956 Nefncd32.exe 616 Ndhooaog.exe 2892 Ohdkop32.exe 2996 Okbgkk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2300 25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe 2300 25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe 780 Kkpekjie.exe 780 Kkpekjie.exe 276 Kbjmhd32.exe 276 Kbjmhd32.exe 2752 Kicednho.exe 2752 Kicednho.exe 2196 Knqnmeff.exe 2196 Knqnmeff.exe 2896 Kejfio32.exe 2896 Kejfio32.exe 1136 Kldofi32.exe 1136 Kldofi32.exe 2732 Knckbe32.exe 2732 Knckbe32.exe 792 Kemcookp.exe 792 Kemcookp.exe 2408 Kgkokjjd.exe 2408 Kgkokjjd.exe 1236 Ljjkgfig.exe 1236 Ljjkgfig.exe 2464 Laccdp32.exe 2464 Laccdp32.exe 2624 Lcbppk32.exe 2624 Lcbppk32.exe 548 Liohhbno.exe 548 Liohhbno.exe 1872 Lafpipoa.exe 1872 Lafpipoa.exe 1372 Lcdmekne.exe 1372 Lcdmekne.exe 2212 Ljnebe32.exe 2212 Ljnebe32.exe 2248 Llpajmkq.exe 2248 Llpajmkq.exe 2044 Lpkmkl32.exe 2044 Lpkmkl32.exe 816 Lbijgg32.exe 816 Lbijgg32.exe 2284 Lehfcc32.exe 2284 Lehfcc32.exe 672 Lpmjplag.exe 672 Lpmjplag.exe 1784 Lblflgqk.exe 1784 Lblflgqk.exe 1992 Lejbhbpn.exe 1992 Lejbhbpn.exe 908 Lppgfkpd.exe 908 Lppgfkpd.exe 2980 Mihkoa32.exe 2980 Mihkoa32.exe 2492 Mhkkjnmo.exe 2492 Mhkkjnmo.exe 748 Mkihfi32.exe 748 Mkihfi32.exe 2928 Macpcccp.exe 2928 Macpcccp.exe 2716 Mdbloobc.exe 2716 Mdbloobc.exe 2812 Mkldli32.exe 2812 Mkldli32.exe 2564 Mmjqhd32.exe 2564 Mmjqhd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lafgagdb.dll Nolffjap.exe File created C:\Windows\SysWOW64\Pgkqeo32.exe Pemdic32.exe File opened for modification C:\Windows\SysWOW64\Dpnmoe32.exe Dnoqbi32.exe File created C:\Windows\SysWOW64\Iphfcnka.dll Fqdong32.exe File opened for modification C:\Windows\SysWOW64\Gjomlp32.exe Ghqqpd32.exe File created C:\Windows\SysWOW64\Debmplbf.dll Gjomlp32.exe File created C:\Windows\SysWOW64\Mdbloobc.exe Macpcccp.exe File opened for modification C:\Windows\SysWOW64\Algida32.exe Amdhidqk.exe File opened for modification C:\Windows\SysWOW64\Bdpjjaiq.exe Bpdnjb32.exe File created C:\Windows\SysWOW64\Akdadd32.dll Cehlbihg.exe File created C:\Windows\SysWOW64\Hpckee32.exe Hmdohj32.exe File created C:\Windows\SysWOW64\Ajdoni32.dll Hidjml32.exe File opened for modification C:\Windows\SysWOW64\Clbdobpc.exe Cidhcg32.exe File created C:\Windows\SysWOW64\Lpqamg32.dll Egedebgc.exe File created C:\Windows\SysWOW64\Iceohloo.dll Fidmniqa.exe File opened for modification C:\Windows\SysWOW64\Gdchifik.exe Gadkmj32.exe File opened for modification C:\Windows\SysWOW64\Ghqqpd32.exe Gdedoegh.exe File opened for modification C:\Windows\SysWOW64\Ippkni32.exe Iankbldh.exe File opened for modification C:\Windows\SysWOW64\Gpihog32.exe Gaghcjhd.exe File created C:\Windows\SysWOW64\Ngikaijm.exe Ndkoemji.exe File created C:\Windows\SysWOW64\Nknmplji.exe Nlkmeo32.exe File created C:\Windows\SysWOW64\Dhiacg32.exe Djfagjai.exe File created C:\Windows\SysWOW64\Fbjeao32.exe Fpliec32.exe File created C:\Windows\SysWOW64\Blplkp32.exe Befcne32.exe File created C:\Windows\SysWOW64\Fqdong32.exe Fmicnhob.exe File created C:\Windows\SysWOW64\Gncblo32.exe Glefpd32.exe File opened for modification C:\Windows\SysWOW64\Iedmhlqf.exe Hbfalpab.exe File opened for modification C:\Windows\SysWOW64\Dnmdmj32.exe Dkohanoc.exe File created C:\Windows\SysWOW64\Obhblkpa.dll Dfhial32.exe File created C:\Windows\SysWOW64\Ejbmpe32.dll Ipedihgm.exe File opened for modification C:\Windows\SysWOW64\Laccdp32.exe Ljjkgfig.exe File created C:\Windows\SysWOW64\Aamhdckg.exe Aifpcfjd.exe File created C:\Windows\SysWOW64\Apeakonl.exe Amfeodoh.exe File created C:\Windows\SysWOW64\Ikfbai32.dll Aeajcf32.exe File created C:\Windows\SysWOW64\Edffndco.dll Nefncd32.exe File created C:\Windows\SysWOW64\Nkafoflh.dll Gdchifik.exe File created C:\Windows\SysWOW64\Gpledf32.exe Gaiehjfb.exe File opened for modification C:\Windows\SysWOW64\Gjjcqpbj.exe Glgcec32.exe File opened for modification C:\Windows\SysWOW64\Hljljflh.exe Hikpnkme.exe File created C:\Windows\SysWOW64\Gcdmgnjh.dll Alnoepam.exe File created C:\Windows\SysWOW64\Dpdoea32.dll Bpdnjb32.exe File created C:\Windows\SysWOW64\Edghighp.exe Ebhlmlhl.exe File opened for modification C:\Windows\SysWOW64\Fpnekc32.exe Fhgnie32.exe File created C:\Windows\SysWOW64\Dbaflm32.exe Docjpa32.exe File opened for modification C:\Windows\SysWOW64\Fglkeaqk.exe Fcqoec32.exe File opened for modification C:\Windows\SysWOW64\Fefdhj32.exe Fbhhlo32.exe File created C:\Windows\SysWOW64\Hfjglppd.exe Hpqoofhg.exe File opened for modification C:\Windows\SysWOW64\Npdlpnnj.exe Nliqoofa.exe File opened for modification C:\Windows\SysWOW64\Cdpfiekl.exe Caajmilh.exe File created C:\Windows\SysWOW64\Kmggfmjg.dll Dpggnfap.exe File created C:\Windows\SysWOW64\Dpkpie32.exe Dnmdmj32.exe File created C:\Windows\SysWOW64\Jnjbig32.dll Ioonfaed.exe File created C:\Windows\SysWOW64\Apddce32.dll Ekjjebed.exe File opened for modification C:\Windows\SysWOW64\Gmipmlan.exe Gjjcqpbj.exe File created C:\Windows\SysWOW64\Maedlmdn.dll Hpnbjfjj.exe File created C:\Windows\SysWOW64\Jookedhp.exe Jkcoee32.exe File created C:\Windows\SysWOW64\Pfgfna32.dll Nglhghgj.exe File created C:\Windows\SysWOW64\Peoanckj.exe Pbaebh32.exe File created C:\Windows\SysWOW64\Dhadgbpa.dll Amdhidqk.exe File created C:\Windows\SysWOW64\Caomgjnk.exe Coqaknog.exe File opened for modification C:\Windows\SysWOW64\Ejfnfn32.exe Ekcmkamj.exe File created C:\Windows\SysWOW64\Ikfokb32.exe Igjckcbo.exe File opened for modification C:\Windows\SysWOW64\Hidjml32.exe Gffmqq32.exe File opened for modification C:\Windows\SysWOW64\Hpqoofhg.exe Hlebog32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4512 4488 WerFault.exe 385 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhnoocab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclbkjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblkgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnmjokn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflmbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeajcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befcne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edghighp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amdhidqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmkkhfmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkohanoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhnmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpjdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihefjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nceeaikk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmicnhob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fidmniqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpqoofhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nliqoofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgclpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhjlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idjjih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nolffjap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklfqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbcjfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqmddah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjcqpbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpledf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jomnpdjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macpcccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhcgjkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apeakonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Docjpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enajgllm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqdong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjlpclc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhpeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkpjfkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eklgjbca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gffmqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjmpfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmjqhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdfejn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocbekmpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbcjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmfamg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdlidjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafchi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpckee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allbpqcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimbbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnmoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiamj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gadkmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpemkkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilneef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocphembl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aifpcfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikemiik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpgjob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jookedhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lblflgqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbohmh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfmcapna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemnml32.dll" Nlmjjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhiqhdca.dll" Onhihepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbclfmph.dll" Angafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fggodo32.dll" Cefpmiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imoqbo32.dll" Afojgiei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlebog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hemggm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcedjdom.dll" Gnhlgoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpihog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmojcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkgcnepe.dll" Anlkakqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkohanoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fefdhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abejlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikfmama.dll" Ejcaanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkaonifh.dll" Fibqhibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbfalpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckajclq.dll" Knqnmeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollkojil.dll" Laccdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgbhe32.dll" Bmahbhei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnkggjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abehhc32.dll" Aamhdckg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdpkopc.dll" Fbjeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioonfaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iebmaoed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlkmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpodaao.dll" Boohgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hohhfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocbekmpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmpcoabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qklfqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iedmhlqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlfdjphd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgclpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agdnkj32.dll" Dnoqbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqninhmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiffbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idncdgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npbpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhadgbpa.dll" Amdhidqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blplkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chkbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbjb32.dll" Dpkpie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmil32.dll" Dgehfodh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihgcof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmqpilkc.dll" Idqpjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mihkoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpknep32.dll" Mmjqhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgkqeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apgnpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajhpb32.dll" Liohhbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laamkikl.dll" Iomaaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbmgapgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epempm32.dll" Lcbppk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclilliq.dll" Aifpcfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifeam32.dll" Bmfamg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gekncjfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplogk32.dll" Iedmhlqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbajq32.dll" Lehfcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pemdic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chdlidjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpnbjfjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oamohenq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2300 wrote to memory of 780 2300 25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe 29 PID 2300 wrote to memory of 780 2300 25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe 29 PID 2300 wrote to memory of 780 2300 25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe 29 PID 2300 wrote to memory of 780 2300 25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe 29 PID 780 wrote to memory of 276 780 Kkpekjie.exe 30 PID 780 wrote to memory of 276 780 Kkpekjie.exe 30 PID 780 wrote to memory of 276 780 Kkpekjie.exe 30 PID 780 wrote to memory of 276 780 Kkpekjie.exe 30 PID 276 wrote to memory of 2752 276 Kbjmhd32.exe 31 PID 276 wrote to memory of 2752 276 Kbjmhd32.exe 31 PID 276 wrote to memory of 2752 276 Kbjmhd32.exe 31 PID 276 wrote to memory of 2752 276 Kbjmhd32.exe 31 PID 2752 wrote to memory of 2196 2752 Kicednho.exe 32 PID 2752 wrote to memory of 2196 2752 Kicednho.exe 32 PID 2752 wrote to memory of 2196 2752 Kicednho.exe 32 PID 2752 wrote to memory of 2196 2752 Kicednho.exe 32 PID 2196 wrote to memory of 2896 2196 Knqnmeff.exe 33 PID 2196 wrote to memory of 2896 2196 Knqnmeff.exe 33 PID 2196 wrote to memory of 2896 2196 Knqnmeff.exe 33 PID 2196 wrote to memory of 2896 2196 Knqnmeff.exe 33 PID 2896 wrote to memory of 1136 2896 Kejfio32.exe 34 PID 2896 wrote to memory of 1136 2896 Kejfio32.exe 34 PID 2896 wrote to memory of 1136 2896 Kejfio32.exe 34 PID 2896 wrote to memory of 1136 2896 Kejfio32.exe 34 PID 1136 wrote to memory of 2732 1136 Kldofi32.exe 35 PID 1136 wrote to memory of 2732 1136 Kldofi32.exe 35 PID 1136 wrote to memory of 2732 1136 Kldofi32.exe 35 PID 1136 wrote to memory of 2732 1136 Kldofi32.exe 35 PID 2732 wrote to memory of 792 2732 Knckbe32.exe 36 PID 2732 wrote to memory of 792 2732 Knckbe32.exe 36 PID 2732 wrote to memory of 792 2732 Knckbe32.exe 36 PID 2732 wrote to memory of 792 2732 Knckbe32.exe 36 PID 792 wrote to memory of 2408 792 Kemcookp.exe 37 PID 792 wrote to memory of 2408 792 Kemcookp.exe 37 PID 792 wrote to memory of 2408 792 Kemcookp.exe 37 PID 792 wrote to memory of 2408 792 Kemcookp.exe 37 PID 2408 wrote to memory of 1236 2408 Kgkokjjd.exe 38 PID 2408 wrote to memory of 1236 2408 Kgkokjjd.exe 38 PID 2408 wrote to memory of 1236 2408 Kgkokjjd.exe 38 PID 2408 wrote to memory of 1236 2408 Kgkokjjd.exe 38 PID 1236 wrote to memory of 2464 1236 Ljjkgfig.exe 39 PID 1236 wrote to memory of 2464 1236 Ljjkgfig.exe 39 PID 1236 wrote to memory of 2464 1236 Ljjkgfig.exe 39 PID 1236 wrote to memory of 2464 1236 Ljjkgfig.exe 39 PID 2464 wrote to memory of 2624 2464 Laccdp32.exe 40 PID 2464 wrote to memory of 2624 2464 Laccdp32.exe 40 PID 2464 wrote to memory of 2624 2464 Laccdp32.exe 40 PID 2464 wrote to memory of 2624 2464 Laccdp32.exe 40 PID 2624 wrote to memory of 548 2624 Lcbppk32.exe 41 PID 2624 wrote to memory of 548 2624 Lcbppk32.exe 41 PID 2624 wrote to memory of 548 2624 Lcbppk32.exe 41 PID 2624 wrote to memory of 548 2624 Lcbppk32.exe 41 PID 548 wrote to memory of 1872 548 Liohhbno.exe 42 PID 548 wrote to memory of 1872 548 Liohhbno.exe 42 PID 548 wrote to memory of 1872 548 Liohhbno.exe 42 PID 548 wrote to memory of 1872 548 Liohhbno.exe 42 PID 1872 wrote to memory of 1372 1872 Lafpipoa.exe 43 PID 1872 wrote to memory of 1372 1872 Lafpipoa.exe 43 PID 1872 wrote to memory of 1372 1872 Lafpipoa.exe 43 PID 1872 wrote to memory of 1372 1872 Lafpipoa.exe 43 PID 1372 wrote to memory of 2212 1372 Lcdmekne.exe 44 PID 1372 wrote to memory of 2212 1372 Lcdmekne.exe 44 PID 1372 wrote to memory of 2212 1372 Lcdmekne.exe 44 PID 1372 wrote to memory of 2212 1372 Lcdmekne.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe"C:\Users\Admin\AppData\Local\Temp\25a3bae12eb017a9beebc37e52060300a04a7e0e5f4f89ebecd570c6d0496509.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Kicednho.exeC:\Windows\system32\Kicednho.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Kejfio32.exeC:\Windows\system32\Kejfio32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Kldofi32.exeC:\Windows\system32\Kldofi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Knckbe32.exeC:\Windows\system32\Knckbe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Kemcookp.exeC:\Windows\system32\Kemcookp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Kgkokjjd.exeC:\Windows\system32\Kgkokjjd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Ljjkgfig.exeC:\Windows\system32\Ljjkgfig.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Laccdp32.exeC:\Windows\system32\Laccdp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Lcbppk32.exeC:\Windows\system32\Lcbppk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Lafpipoa.exeC:\Windows\system32\Lafpipoa.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Lcdmekne.exeC:\Windows\system32\Lcdmekne.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Ljnebe32.exeC:\Windows\system32\Ljnebe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Llpajmkq.exeC:\Windows\system32\Llpajmkq.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Lpkmkl32.exeC:\Windows\system32\Lpkmkl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Lbijgg32.exeC:\Windows\system32\Lbijgg32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Lehfcc32.exeC:\Windows\system32\Lehfcc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Lpmjplag.exeC:\Windows\system32\Lpmjplag.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:672 -
C:\Windows\SysWOW64\Lblflgqk.exeC:\Windows\system32\Lblflgqk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Lppgfkpd.exeC:\Windows\system32\Lppgfkpd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Mhkkjnmo.exeC:\Windows\system32\Mhkkjnmo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Mkihfi32.exeC:\Windows\system32\Mkihfi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\Macpcccp.exeC:\Windows\system32\Macpcccp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Mdbloobc.exeC:\Windows\system32\Mdbloobc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Mkldli32.exeC:\Windows\system32\Mkldli32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Mmjqhd32.exeC:\Windows\system32\Mmjqhd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Mddidnqa.exeC:\Windows\system32\Mddidnqa.exe33⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Mhpeem32.exeC:\Windows\system32\Mhpeem32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Mknaahhn.exeC:\Windows\system32\Mknaahhn.exe35⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Mdfejn32.exeC:\Windows\system32\Mdfejn32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Mkqnghfk.exeC:\Windows\system32\Mkqnghfk.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Majfcb32.exeC:\Windows\system32\Majfcb32.exe39⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Mdibpn32.exeC:\Windows\system32\Mdibpn32.exe40⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Mclbkjcf.exeC:\Windows\system32\Mclbkjcf.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Windows\SysWOW64\Mggoli32.exeC:\Windows\system32\Mggoli32.exe42⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Ndkoemji.exeC:\Windows\system32\Ndkoemji.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Ngikaijm.exeC:\Windows\system32\Ngikaijm.exe44⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Nlfdjphd.exeC:\Windows\system32\Nlfdjphd.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Npbpjn32.exeC:\Windows\system32\Npbpjn32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Nglhghgj.exeC:\Windows\system32\Nglhghgj.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:312 -
C:\Windows\SysWOW64\Nijdcdgn.exeC:\Windows\system32\Nijdcdgn.exe48⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1344 -
C:\Windows\SysWOW64\Npdlpnnj.exeC:\Windows\system32\Npdlpnnj.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Neaehelb.exeC:\Windows\system32\Neaehelb.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Nimaic32.exeC:\Windows\system32\Nimaic32.exe52⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Nlkmeo32.exeC:\Windows\system32\Nlkmeo32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Nknmplji.exeC:\Windows\system32\Nknmplji.exe54⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Nceeaikk.exeC:\Windows\system32\Nceeaikk.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Nahemf32.exeC:\Windows\system32\Nahemf32.exe56⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Ndfbia32.exeC:\Windows\system32\Ndfbia32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Nlmjjo32.exeC:\Windows\system32\Nlmjjo32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Nkpjfkhf.exeC:\Windows\system32\Nkpjfkhf.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Nolffjap.exeC:\Windows\system32\Nolffjap.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe61⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Nefncd32.exeC:\Windows\system32\Nefncd32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Ndhooaog.exeC:\Windows\system32\Ndhooaog.exe63⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe64⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Okbgkk32.exeC:\Windows\system32\Okbgkk32.exe65⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ooncljom.exeC:\Windows\system32\Ooncljom.exe66⤵PID:2124
-
C:\Windows\SysWOW64\Oamohenq.exeC:\Windows\system32\Oamohenq.exe67⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Opoocb32.exeC:\Windows\system32\Opoocb32.exe68⤵PID:1216
-
C:\Windows\SysWOW64\Ogigpllh.exeC:\Windows\system32\Ogigpllh.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Ojhdmgkl.exeC:\Windows\system32\Ojhdmgkl.exe70⤵PID:2776
-
C:\Windows\SysWOW64\Oaolne32.exeC:\Windows\system32\Oaolne32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Oqaliabh.exeC:\Windows\system32\Oqaliabh.exe72⤵PID:2676
-
C:\Windows\SysWOW64\Ocphembl.exeC:\Windows\system32\Ocphembl.exe73⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Oqdioaqf.exeC:\Windows\system32\Oqdioaqf.exe74⤵PID:2188
-
C:\Windows\SysWOW64\Ocbekmpi.exeC:\Windows\system32\Ocbekmpi.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Ognakk32.exeC:\Windows\system32\Ognakk32.exe76⤵PID:2872
-
C:\Windows\SysWOW64\Ofaaghom.exeC:\Windows\system32\Ofaaghom.exe77⤵PID:3052
-
C:\Windows\SysWOW64\Onhihepp.exeC:\Windows\system32\Onhihepp.exe78⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Oqfeda32.exeC:\Windows\system32\Oqfeda32.exe79⤵PID:2148
-
C:\Windows\SysWOW64\Ogpnakfp.exeC:\Windows\system32\Ogpnakfp.exe80⤵PID:2544
-
C:\Windows\SysWOW64\Ofcnmh32.exeC:\Windows\system32\Ofcnmh32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Ohajic32.exeC:\Windows\system32\Ohajic32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:948 -
C:\Windows\SysWOW64\Ommfibdg.exeC:\Windows\system32\Ommfibdg.exe83⤵PID:1744
-
C:\Windows\SysWOW64\Polbemck.exeC:\Windows\system32\Polbemck.exe84⤵PID:2108
-
C:\Windows\SysWOW64\Pfekbg32.exeC:\Windows\system32\Pfekbg32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:552 -
C:\Windows\SysWOW64\Pjafbfca.exeC:\Windows\system32\Pjafbfca.exe86⤵PID:2720
-
C:\Windows\SysWOW64\Pmpcoabe.exeC:\Windows\system32\Pmpcoabe.exe87⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Pkbcjn32.exeC:\Windows\system32\Pkbcjn32.exe88⤵
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Pcikllja.exeC:\Windows\system32\Pcikllja.exe89⤵PID:1572
-
C:\Windows\SysWOW64\Pblkgh32.exeC:\Windows\system32\Pblkgh32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Pfhghgie.exeC:\Windows\system32\Pfhghgie.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Pifcdbhi.exeC:\Windows\system32\Pifcdbhi.exe92⤵PID:1240
-
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe93⤵PID:2400
-
C:\Windows\SysWOW64\Pncllifp.exeC:\Windows\system32\Pncllifp.exe94⤵PID:988
-
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Pemdic32.exeC:\Windows\system32\Pemdic32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Pgkqeo32.exeC:\Windows\system32\Pgkqeo32.exe97⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Pobhfl32.exeC:\Windows\system32\Pobhfl32.exe98⤵PID:2784
-
C:\Windows\SysWOW64\Pbaebh32.exeC:\Windows\system32\Pbaebh32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Peoanckj.exeC:\Windows\system32\Peoanckj.exe100⤵PID:2816
-
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe101⤵
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Pkiikm32.exeC:\Windows\system32\Pkiikm32.exe102⤵PID:2104
-
C:\Windows\SysWOW64\Pbcahgjd.exeC:\Windows\system32\Pbcahgjd.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:448 -
C:\Windows\SysWOW64\Pafacd32.exeC:\Windows\system32\Pafacd32.exe104⤵PID:3060
-
C:\Windows\SysWOW64\Pcdnpp32.exeC:\Windows\system32\Pcdnpp32.exe105⤵PID:1116
-
C:\Windows\SysWOW64\Qklfqm32.exeC:\Windows\system32\Qklfqm32.exe106⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Qmmbhegc.exeC:\Windows\system32\Qmmbhegc.exe107⤵PID:1504
-
C:\Windows\SysWOW64\Qahnid32.exeC:\Windows\system32\Qahnid32.exe108⤵PID:1956
-
C:\Windows\SysWOW64\Qgbfen32.exeC:\Windows\system32\Qgbfen32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1032 -
C:\Windows\SysWOW64\Qfegakmc.exeC:\Windows\system32\Qfegakmc.exe110⤵PID:2336
-
C:\Windows\SysWOW64\Qjacai32.exeC:\Windows\system32\Qjacai32.exe111⤵PID:2848
-
C:\Windows\SysWOW64\Qnlobhne.exeC:\Windows\system32\Qnlobhne.exe112⤵PID:2924
-
C:\Windows\SysWOW64\Afhcgjkq.exeC:\Windows\system32\Afhcgjkq.exe113⤵
- System Location Discovery: System Language Discovery
PID:348 -
C:\Windows\SysWOW64\Aifpcfjd.exeC:\Windows\system32\Aifpcfjd.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Aamhdckg.exeC:\Windows\system32\Aamhdckg.exe115⤵
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Aihmhe32.exeC:\Windows\system32\Aihmhe32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Amdhidqk.exeC:\Windows\system32\Amdhidqk.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Algida32.exeC:\Windows\system32\Algida32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1916 -
C:\Windows\SysWOW64\Acnqen32.exeC:\Windows\system32\Acnqen32.exe119⤵PID:2488
-
C:\Windows\SysWOW64\Aflmbj32.exeC:\Windows\system32\Aflmbj32.exe120⤵
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Aikine32.exeC:\Windows\system32\Aikine32.exe121⤵PID:1708
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-