Analysis
-
max time kernel
37s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-09-2024 14:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
80400ba28ecd0ee09e9b5c661480d230N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
80400ba28ecd0ee09e9b5c661480d230N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
80400ba28ecd0ee09e9b5c661480d230N.exe
-
Size
89KB
-
MD5
80400ba28ecd0ee09e9b5c661480d230
-
SHA1
6c8881e0f576a46c2e1a708865fa9cf12b09f5ba
-
SHA256
ffe0843a12b632577b9248d1f4e9bca7156f9b72215ae2292bbbc6600a5410fa
-
SHA512
368ef5eb2d829443b3d2ee747e6590a5d73948ca1e536726a1bae06be746f8d103b47b5545fa889b78d64dd41d1493d1de0c0cfccc0fd568d2fd503a0f73376f
-
SSDEEP
1536:+Hs37wSXDp7igH1OGbHfppfTg5yevfVdaQicGZlExkg8F:aq7rDliglb/ppM57vbaQicUlakgw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnfqccna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmpdlac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cchbgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnmfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idgglb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnklcej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bieopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkhhhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnmlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knfndjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkjjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhpglecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mggabaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdjkhdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikjpiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oippjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phlclgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppnnai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhejkcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbmeifk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jliaac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olpilg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjccb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adlcfjgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafdjmkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhnkffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obmnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppnnai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jampjian.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjlnpmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqpflg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpilg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpigma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbdiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kddomchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjbndpmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbmcibjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqijljfd.exe -
Executes dropped EXE 64 IoCs
pid Process 2160 Hfjpdjjo.exe 2032 Hmdhad32.exe 2444 Hlgimqhf.exe 2836 Iliebpfc.exe 2856 Ieajkfmd.exe 2692 Illbhp32.exe 1500 Iahkpg32.exe 3036 Idgglb32.exe 272 Inlkik32.exe 2672 Idicbbpi.exe 1856 Ioohokoo.exe 2072 Ihglhp32.exe 1832 Iihiphln.exe 1836 Jdnmma32.exe 1472 Jkhejkcq.exe 1092 Jliaac32.exe 3048 Jimbkh32.exe 1708 Jlkngc32.exe 896 Jioopgef.exe 780 Jlnklcej.exe 2576 Jpigma32.exe 2420 Jialfgcc.exe 1680 Jampjian.exe 2544 Kdklfe32.exe 1576 Koaqcn32.exe 1784 Kaompi32.exe 768 Knfndjdp.exe 2820 Kpdjaecc.exe 2712 Kjmnjkjd.exe 2640 Kcecbq32.exe 2652 Kklkcn32.exe 2724 Kpicle32.exe 2104 Kddomchg.exe 1172 Kffldlne.exe 1588 Kjahej32.exe 1860 Lcjlnpmo.exe 1872 Lpnmgdli.exe 1764 Lclicpkm.exe 1736 Lfkeokjp.exe 2952 Ljfapjbi.exe 1036 Ldpbpgoh.exe 980 Lkjjma32.exe 1700 Loefnpnn.exe 1560 Lhnkffeo.exe 2192 Lbfook32.exe 1888 Lddlkg32.exe 2356 Lhpglecl.exe 1740 Mkndhabp.exe 2312 Mnmpdlac.exe 2976 Mqklqhpg.exe 2320 Mgedmb32.exe 2800 Mjcaimgg.exe 2752 Mmbmeifk.exe 2624 Mclebc32.exe 2620 Mggabaea.exe 760 Mmdjkhdh.exe 2848 Mqpflg32.exe 2892 Mfmndn32.exe 2212 Mikjpiim.exe 2304 Mqbbagjo.exe 1796 Mpebmc32.exe 1512 Mfokinhf.exe 2364 Mimgeigj.exe 2512 Mklcadfn.exe -
Loads dropped DLL 64 IoCs
pid Process 2936 80400ba28ecd0ee09e9b5c661480d230N.exe 2936 80400ba28ecd0ee09e9b5c661480d230N.exe 2160 Hfjpdjjo.exe 2160 Hfjpdjjo.exe 2032 Hmdhad32.exe 2032 Hmdhad32.exe 2444 Hlgimqhf.exe 2444 Hlgimqhf.exe 2836 Iliebpfc.exe 2836 Iliebpfc.exe 2856 Ieajkfmd.exe 2856 Ieajkfmd.exe 2692 Illbhp32.exe 2692 Illbhp32.exe 1500 Iahkpg32.exe 1500 Iahkpg32.exe 3036 Idgglb32.exe 3036 Idgglb32.exe 272 Inlkik32.exe 272 Inlkik32.exe 2672 Idicbbpi.exe 2672 Idicbbpi.exe 1856 Ioohokoo.exe 1856 Ioohokoo.exe 2072 Ihglhp32.exe 2072 Ihglhp32.exe 1832 Iihiphln.exe 1832 Iihiphln.exe 1836 Jdnmma32.exe 1836 Jdnmma32.exe 1472 Jkhejkcq.exe 1472 Jkhejkcq.exe 1092 Jliaac32.exe 1092 Jliaac32.exe 3048 Jimbkh32.exe 3048 Jimbkh32.exe 1708 Jlkngc32.exe 1708 Jlkngc32.exe 896 Jioopgef.exe 896 Jioopgef.exe 780 Jlnklcej.exe 780 Jlnklcej.exe 2576 Jpigma32.exe 2576 Jpigma32.exe 2420 Jialfgcc.exe 2420 Jialfgcc.exe 1680 Jampjian.exe 1680 Jampjian.exe 2544 Kdklfe32.exe 2544 Kdklfe32.exe 1576 Koaqcn32.exe 1576 Koaqcn32.exe 1784 Kaompi32.exe 1784 Kaompi32.exe 768 Knfndjdp.exe 768 Knfndjdp.exe 2820 Kpdjaecc.exe 2820 Kpdjaecc.exe 2712 Kjmnjkjd.exe 2712 Kjmnjkjd.exe 2640 Kcecbq32.exe 2640 Kcecbq32.exe 2652 Kklkcn32.exe 2652 Kklkcn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mgedmb32.exe Mqklqhpg.exe File opened for modification C:\Windows\SysWOW64\Qjklenpa.exe Qgmpibam.exe File created C:\Windows\SysWOW64\Andgop32.exe Aoagccfn.exe File opened for modification C:\Windows\SysWOW64\Andgop32.exe Aoagccfn.exe File created C:\Windows\SysWOW64\Bieopm32.exe Bjbndpmd.exe File created C:\Windows\SysWOW64\Coacbfii.exe Bmbgfkje.exe File created C:\Windows\SysWOW64\Iliebpfc.exe Hlgimqhf.exe File created C:\Windows\SysWOW64\Kpdjaecc.exe Knfndjdp.exe File created C:\Windows\SysWOW64\Jhjpijfl.dll Lbfook32.exe File created C:\Windows\SysWOW64\Nidmfh32.exe Neiaeiii.exe File opened for modification C:\Windows\SysWOW64\Ndqkleln.exe Nabopjmj.exe File opened for modification C:\Windows\SysWOW64\Ieajkfmd.exe Iliebpfc.exe File opened for modification C:\Windows\SysWOW64\Knfndjdp.exe Kaompi32.exe File created C:\Windows\SysWOW64\Kklkcn32.exe Kcecbq32.exe File created C:\Windows\SysWOW64\Lclicpkm.exe Lpnmgdli.exe File created C:\Windows\SysWOW64\Mpgobc32.exe Mklcadfn.exe File opened for modification C:\Windows\SysWOW64\Neknki32.exe Nbmaon32.exe File created C:\Windows\SysWOW64\Hmdhad32.exe Hfjpdjjo.exe File created C:\Windows\SysWOW64\Pcaibd32.dll Cnmfdb32.exe File created C:\Windows\SysWOW64\Ghmhnp32.dll Kklkcn32.exe File opened for modification C:\Windows\SysWOW64\Cgcnghpl.exe Cchbgi32.exe File created C:\Windows\SysWOW64\Qgjccb32.exe Qdlggg32.exe File created C:\Windows\SysWOW64\Eicjoa32.dll Npjlhcmd.exe File opened for modification C:\Windows\SysWOW64\Ohiffh32.exe Ofhjopbg.exe File created C:\Windows\SysWOW64\Ameaio32.dll Ppnnai32.exe File opened for modification C:\Windows\SysWOW64\Cenljmgq.exe Cbppnbhm.exe File created C:\Windows\SysWOW64\Mbellj32.dll Koaqcn32.exe File opened for modification C:\Windows\SysWOW64\Koaqcn32.exe Kdklfe32.exe File created C:\Windows\SysWOW64\Kjmnjkjd.exe Kpdjaecc.exe File opened for modification C:\Windows\SysWOW64\Nidmfh32.exe Neiaeiii.exe File opened for modification C:\Windows\SysWOW64\Pcljmdmj.exe Ppnnai32.exe File created C:\Windows\SysWOW64\Dicdjqhf.dll Qjklenpa.exe File opened for modification C:\Windows\SysWOW64\Afdiondb.exe Acfmcc32.exe File created C:\Windows\SysWOW64\Bodmepdn.dll Akcomepg.exe File created C:\Windows\SysWOW64\Kjoahnho.dll Jampjian.exe File created C:\Windows\SysWOW64\Codfplej.dll Jkhejkcq.exe File created C:\Windows\SysWOW64\Jampjian.exe Jialfgcc.exe File opened for modification C:\Windows\SysWOW64\Piicpk32.exe Oabkom32.exe File opened for modification C:\Windows\SysWOW64\Qppkfhlc.exe Pkcbnanl.exe File opened for modification C:\Windows\SysWOW64\Caifjn32.exe Cnkjnb32.exe File created C:\Windows\SysWOW64\Hakapcjd.dll Inlkik32.exe File opened for modification C:\Windows\SysWOW64\Mclebc32.exe Mmbmeifk.exe File created C:\Windows\SysWOW64\Mmdjkhdh.exe Mggabaea.exe File opened for modification C:\Windows\SysWOW64\Njhfcp32.exe Nhjjgd32.exe File created C:\Windows\SysWOW64\Gfblih32.dll Olbfagca.exe File opened for modification C:\Windows\SysWOW64\Afffenbp.exe Achjibcl.exe File created C:\Windows\SysWOW64\Ahebaiac.exe Afffenbp.exe File created C:\Windows\SysWOW64\Kmapmi32.dll Bkhhhd32.exe File created C:\Windows\SysWOW64\Mlionk32.dll Illbhp32.exe File created C:\Windows\SysWOW64\Nloone32.dll Cmpgpond.exe File opened for modification C:\Windows\SysWOW64\Lfkeokjp.exe Lclicpkm.exe File opened for modification C:\Windows\SysWOW64\Nlcibc32.exe Nidmfh32.exe File opened for modification C:\Windows\SysWOW64\Bnfddp32.exe Bkhhhd32.exe File created C:\Windows\SysWOW64\Cocphf32.exe Cmedlk32.exe File created C:\Windows\SysWOW64\Cpmahlfd.dll Cegoqlof.exe File opened for modification C:\Windows\SysWOW64\Iahkpg32.exe Illbhp32.exe File created C:\Windows\SysWOW64\Iheegf32.dll Mkndhabp.exe File opened for modification C:\Windows\SysWOW64\Oaghki32.exe Oippjl32.exe File created C:\Windows\SysWOW64\Qjklenpa.exe Qgmpibam.exe File created C:\Windows\SysWOW64\Abnhjmjc.dll Lddlkg32.exe File opened for modification C:\Windows\SysWOW64\Oippjl32.exe Ofadnq32.exe File created C:\Windows\SysWOW64\Ofhjopbg.exe Obmnna32.exe File created C:\Windows\SysWOW64\Paknelgk.exe Pidfdofi.exe File created C:\Windows\SysWOW64\Bjpaop32.exe Bgaebe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4016 3984 WerFault.exe 224 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohdmdoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kddomchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofadnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcbnanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbkipok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjahej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjpiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjphcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmnnkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbppnbhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljmdmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coacbfii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neiaeiii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaghki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidfdofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclicpkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofkha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odedge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnmlcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiaplin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmpibam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bniajoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbgfkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfapjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnkffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jampjian.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfokinhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allefimb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocphf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbndpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbekjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafdjmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegoqlof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neknki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mklcadfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accqnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlnklcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpkqklh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcaimgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpigma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcecbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojecajj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmedlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpnmgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcaioco.dll" Nmkplgnq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll" Accqnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqpflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbklpemb.dll" Ohiffh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll" Cbdiia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpebmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll" Acfmcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqgmfkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djdgic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mggabaea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofadnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll" Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll" Cnfqccna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlgimqhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adlcfjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll" Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll" Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll" Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll" Bmpkqklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncnhl32.dll" Mqpflg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpigma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpicle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bigkel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coamkc32.dll" Mqklqhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" Cchbgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naejdn32.dll" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcinhie.dll" Odedge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mclebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobdahei.dll" Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcgpm32.dll" Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goembl32.dll" Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfkdo32.dll" Ofadnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljfapjbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kddomchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll" Pidfdofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll" Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cocphf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2936 wrote to memory of 2160 2936 80400ba28ecd0ee09e9b5c661480d230N.exe 30 PID 2936 wrote to memory of 2160 2936 80400ba28ecd0ee09e9b5c661480d230N.exe 30 PID 2936 wrote to memory of 2160 2936 80400ba28ecd0ee09e9b5c661480d230N.exe 30 PID 2936 wrote to memory of 2160 2936 80400ba28ecd0ee09e9b5c661480d230N.exe 30 PID 2160 wrote to memory of 2032 2160 Hfjpdjjo.exe 31 PID 2160 wrote to memory of 2032 2160 Hfjpdjjo.exe 31 PID 2160 wrote to memory of 2032 2160 Hfjpdjjo.exe 31 PID 2160 wrote to memory of 2032 2160 Hfjpdjjo.exe 31 PID 2032 wrote to memory of 2444 2032 Hmdhad32.exe 32 PID 2032 wrote to memory of 2444 2032 Hmdhad32.exe 32 PID 2032 wrote to memory of 2444 2032 Hmdhad32.exe 32 PID 2032 wrote to memory of 2444 2032 Hmdhad32.exe 32 PID 2444 wrote to memory of 2836 2444 Hlgimqhf.exe 33 PID 2444 wrote to memory of 2836 2444 Hlgimqhf.exe 33 PID 2444 wrote to memory of 2836 2444 Hlgimqhf.exe 33 PID 2444 wrote to memory of 2836 2444 Hlgimqhf.exe 33 PID 2836 wrote to memory of 2856 2836 Iliebpfc.exe 34 PID 2836 wrote to memory of 2856 2836 Iliebpfc.exe 34 PID 2836 wrote to memory of 2856 2836 Iliebpfc.exe 34 PID 2836 wrote to memory of 2856 2836 Iliebpfc.exe 34 PID 2856 wrote to memory of 2692 2856 Ieajkfmd.exe 35 PID 2856 wrote to memory of 2692 2856 Ieajkfmd.exe 35 PID 2856 wrote to memory of 2692 2856 Ieajkfmd.exe 35 PID 2856 wrote to memory of 2692 2856 Ieajkfmd.exe 35 PID 2692 wrote to memory of 1500 2692 Illbhp32.exe 36 PID 2692 wrote to memory of 1500 2692 Illbhp32.exe 36 PID 2692 wrote to memory of 1500 2692 Illbhp32.exe 36 PID 2692 wrote to memory of 1500 2692 Illbhp32.exe 36 PID 1500 wrote to memory of 3036 1500 Iahkpg32.exe 37 PID 1500 wrote to memory of 3036 1500 Iahkpg32.exe 37 PID 1500 wrote to memory of 3036 1500 Iahkpg32.exe 37 PID 1500 wrote to memory of 3036 1500 Iahkpg32.exe 37 PID 3036 wrote to memory of 272 3036 Idgglb32.exe 38 PID 3036 wrote to memory of 272 3036 Idgglb32.exe 38 PID 3036 wrote to memory of 272 3036 Idgglb32.exe 38 PID 3036 wrote to memory of 272 3036 Idgglb32.exe 38 PID 272 wrote to memory of 2672 272 Inlkik32.exe 39 PID 272 wrote to memory of 2672 272 Inlkik32.exe 39 PID 272 wrote to memory of 2672 272 Inlkik32.exe 39 PID 272 wrote to memory of 2672 272 Inlkik32.exe 39 PID 2672 wrote to memory of 1856 2672 Idicbbpi.exe 40 PID 2672 wrote to memory of 1856 2672 Idicbbpi.exe 40 PID 2672 wrote to memory of 1856 2672 Idicbbpi.exe 40 PID 2672 wrote to memory of 1856 2672 Idicbbpi.exe 40 PID 1856 wrote to memory of 2072 1856 Ioohokoo.exe 41 PID 1856 wrote to memory of 2072 1856 Ioohokoo.exe 41 PID 1856 wrote to memory of 2072 1856 Ioohokoo.exe 41 PID 1856 wrote to memory of 2072 1856 Ioohokoo.exe 41 PID 2072 wrote to memory of 1832 2072 Ihglhp32.exe 42 PID 2072 wrote to memory of 1832 2072 Ihglhp32.exe 42 PID 2072 wrote to memory of 1832 2072 Ihglhp32.exe 42 PID 2072 wrote to memory of 1832 2072 Ihglhp32.exe 42 PID 1832 wrote to memory of 1836 1832 Iihiphln.exe 43 PID 1832 wrote to memory of 1836 1832 Iihiphln.exe 43 PID 1832 wrote to memory of 1836 1832 Iihiphln.exe 43 PID 1832 wrote to memory of 1836 1832 Iihiphln.exe 43 PID 1836 wrote to memory of 1472 1836 Jdnmma32.exe 44 PID 1836 wrote to memory of 1472 1836 Jdnmma32.exe 44 PID 1836 wrote to memory of 1472 1836 Jdnmma32.exe 44 PID 1836 wrote to memory of 1472 1836 Jdnmma32.exe 44 PID 1472 wrote to memory of 1092 1472 Jkhejkcq.exe 45 PID 1472 wrote to memory of 1092 1472 Jkhejkcq.exe 45 PID 1472 wrote to memory of 1092 1472 Jkhejkcq.exe 45 PID 1472 wrote to memory of 1092 1472 Jkhejkcq.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\80400ba28ecd0ee09e9b5c661480d230N.exe"C:\Users\Admin\AppData\Local\Temp\80400ba28ecd0ee09e9b5c661480d230N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:780 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1172 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe42⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Loefnpnn.exeC:\Windows\system32\Loefnpnn.exe44⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe61⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe67⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe70⤵PID:2944
-
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe72⤵PID:2668
-
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe73⤵PID:1648
-
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe76⤵PID:2024
-
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe78⤵
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:268 -
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe81⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe82⤵PID:2424
-
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe83⤵PID:884
-
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe85⤵PID:2156
-
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe86⤵PID:2644
-
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Oippjl32.exeC:\Windows\system32\Oippjl32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Oaghki32.exeC:\Windows\system32\Oaghki32.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe91⤵PID:1732
-
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe92⤵
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe94⤵PID:1792
-
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe96⤵PID:2808
-
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe97⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe99⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe100⤵
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe101⤵PID:2344
-
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe102⤵
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe103⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe106⤵
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Pofkha32.exeC:\Windows\system32\Pofkha32.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe108⤵PID:1788
-
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe109⤵PID:2748
-
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe110⤵PID:2940
-
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe111⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:384 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1016 -
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe115⤵
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe116⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe117⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe119⤵PID:2680
-
C:\Windows\SysWOW64\Ppnnai32.exeC:\Windows\system32\Ppnnai32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe121⤵
- System Location Discovery: System Language Discovery
PID:1908
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-