Analysis

max time kernel: 59s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-09-2024 20:57

Static task: static1

Behavioral task: behavioral1
Sample: 42a203206fe83c07a853a5307e89f596b34acc27287f1c5e8fb7b7aee8a60444.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 42a203206fe83c07a853a5307e89f596b34acc27287f1c5e8fb7b7aee8a60444.exe
Resource: win10v2004-20240802-en

General

Target: 42a203206fe83c07a853a5307e89f596b34acc27287f1c5e8fb7b7aee8a60444.exe
Size: 72KB
MD5: 1f046cb9beb57fa98936814ce921242b
SHA1: d1f01c8fc0649aaee530f391292bf65dc8f703a5
SHA256: 42a203206fe83c07a853a5307e89f596b34acc27287f1c5e8fb7b7aee8a60444
SHA512: 2d4875d792dedc078ddf7068b438a5f4cf2f27b9b488852773055945821639a2d0801d6945cbd077d4bebd2ffe897eec3a5963bcdc0730e5e4805a228619f1da
SSDEEP: 768:In5uTpHPUYTdy2j7j+vSEbAWOgyHo/xuPo0Gq95mP0pBwqU/1H58rU9UiEb/KEiF:I5upcMy276SFdgw5pBTqFPgUN3QivEtA
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so the "Web Event Logger" value below causes the DLL registered as that CLSID's InProcServer32 (see "Modifies registry class") to be loaded into the shell at each logon.

description: Key created
ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process (32): Nedfofig.exe, Acabmpem.exe, Bdghpggf.exe, Fojjfogp.exe, Qdeokd32.exe, Acbigfii.exe, Gqomqm32.exe, Hqmmja32.exe, Holqbipe.exe, Mkeogn32.exe, Pefoci32.exe, Ojphmfdc.exe, Gmoghklh.exe, Hmfjda32.exe, Acjllqke.exe, Ikaglgei.exe, Ilggal32.exe, Qohfcmhf.exe, Mcdflilm.exe, Chpmocpa.exe, Eofkgb32.exe, Fkphcg32.exe, Obbpio32.exe, Kglgnhgq.exe, Oqhcda32.exe, Ifjoie32.exe, Cfddcn32.exe, Eiabbicf.exe, Fbnpfnfa.exe, Qbboakna.exe, Boblbe32.exe, Cijmjn32.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process (32): Feoihi32.exe, Hmfjda32.exe, Ahnjefcd.exe, Mcdflilm.exe, Gmoghklh.exe, Mmjlfgml.exe, Kamooe32.exe, Nqamcbcj.exe, Holcka32.exe, Qmhcnd32.exe, Aacknfhl.exe, Fnlhibff.exe, Nbqjne32.exe, Dlpbpa32.exe, Nieffgok.exe, Ifhacfhj.exe, Kkechk32.exe, Fopnma32.exe, Ikaglgei.exe, Aopcnbfj.exe, Acdemegf.exe, Bndfclia.exe, Honpqaff.exe, Iacojc32.exe, Jbfalecf.exe, Bjopbh32.exe, Kedaddif.exe, Mbadih32.exe, Feaeni32.exe, Gknjecab.exe, Jnhblp32.exe, Aollklac.exe
Executes dropped EXE (64 IoCs)

pid   Process
2620  Mjkpjkni.exe
2680  Mmjlfgml.exe
2692  Mbgdonkd.exe
2740  Mpkehbjm.exe
2540  Nieffgok.exe
2980  Ncogge32.exe
2824  Njnion32.exe
2384  Omnapi32.exe
1680  Omqnfiip.exe
1120  Oficoo32.exe
2400  Obbpio32.exe
964   Pgdfbb32.exe
684   Pigkjmap.exe
2112  Pnedpl32.exe
3060  Qhoeqide.exe
2420  Alojlgii.exe
2376  Aopcnbfj.exe
1856  Acbigfii.exe
1124  Acdemegf.exe
3024  Bgbncdmm.exe
2296  Bqjcli32.exe
2888  Bcklmdqn.exe
880   Boblbe32.exe
2280  Beaaplbg.exe
2800  Cnifia32.exe
1572  Cfggccdp.exe
2756  Camlpldf.exe
2700  Caohfl32.exe
1752  Cijmjn32.exe
2976  Doibhekc.exe
2492  Dlmcaijm.exe
588   Emmljodk.exe
2576  Epmdljal.exe
2004  Fieiephm.exe
2504  Fcnmne32.exe
1580  Facjobce.exe
2844  Fgpcgi32.exe
1812  Fddcqm32.exe
2208  Fnlhibff.exe
2916  Fkphcg32.exe
3064  Gckmgi32.exe
1020  Gnaadb32.exe
2064  Gqomqm32.exe
936   Ghkbepop.exe
2340  Gbcgne32.exe
1404  Gkkkgkla.exe
2424  Gddppp32.exe
2304  Gknhlj32.exe
1640  Gfclic32.exe
2176  Holqbipe.exe
2908  Hqmmja32.exe
2668  Hnanceem.exe
2784  Hcnfllcd.exe
3008  Hmfjda32.exe
2968  Hglobj32.exe
2608  Hadckp32.exe
2052  Hgnkgjgh.exe
2000  Icdllk32.exe
1920  Ijodiedi.exe
396   Ilpaqmkg.exe
1700  Ifeenfjm.exe
2924  Ilbnfmhd.exe
1040  Ifhacfhj.exe
1092  Ildjlmfb.exe
Loads dropped DLL (64 IoCs)

pid   Process  (each pid appears twice in the original table)
2168  42a203206fe83c07a853a5307e89f596b34acc27287f1c5e8fb7b7aee8a60444.exe
2620  Mjkpjkni.exe
2680  Mmjlfgml.exe
2692  Mbgdonkd.exe
2740  Mpkehbjm.exe
2540  Nieffgok.exe
2980  Ncogge32.exe
2824  Njnion32.exe
2384  Omnapi32.exe
1680  Omqnfiip.exe
1120  Oficoo32.exe
2400  Obbpio32.exe
964   Pgdfbb32.exe
684   Pigkjmap.exe
2112  Pnedpl32.exe
3060  Qhoeqide.exe
2420  Alojlgii.exe
2376  Aopcnbfj.exe
1856  Acbigfii.exe
1124  Acdemegf.exe
3024  Bgbncdmm.exe
2296  Bqjcli32.exe
2888  Bcklmdqn.exe
880   Boblbe32.exe
2280  Beaaplbg.exe
2800  Cnifia32.exe
1572  Cfggccdp.exe
2756  Camlpldf.exe
2700  Caohfl32.exe
1752  Cijmjn32.exe
2976  Doibhekc.exe
2492  Dlmcaijm.exe
Drops file in System32 directory (64 IoCs)
Every drop lands in C:\Windows\SysWOW64 under an eight-letter name, most ending in "32" so that the files resemble system binaries; each dropped executable in turn writes the next one.

description                   ioc                                   Process
File opened for modification  C:\Windows\SysWOW64\Ligliagg.exe  Kpohplpf.exe
File created                  C:\Windows\SysWOW64\Fiiono32.exe  Fpqjeiji.exe
File opened for modification  C:\Windows\SysWOW64\Jmdcecpp.exe  Jambpb32.exe
File opened for modification  C:\Windows\SysWOW64\Eakmdm32.exe  Eeemol32.exe
File opened for modification  C:\Windows\SysWOW64\Acbigfii.exe  Aopcnbfj.exe
File created                  C:\Windows\SysWOW64\Qmijij32.exe  Plgmabke.exe
File created                  C:\Windows\SysWOW64\Lkoahopa.dll  Dbcdlm32.exe
File created                  C:\Windows\SysWOW64\Jgccjenb.exe  Jklbed32.exe
File created                  C:\Windows\SysWOW64\Jonmgi32.dll  Qhoeqide.exe
File opened for modification  C:\Windows\SysWOW64\Aacknfhl.exe  Agngqmhf.exe
File opened for modification  C:\Windows\SysWOW64\Doibhekc.exe  Cijmjn32.exe
File created                  C:\Windows\SysWOW64\Pfjoeg32.dll  Mdmdpd32.exe
File opened for modification  C:\Windows\SysWOW64\Bnmpcmpi.exe  Bllcke32.exe
File created                  C:\Windows\SysWOW64\Ijcdbdkc.dll  Kdcnpkog.exe
File created                  C:\Windows\SysWOW64\Gjkclekl.dll  Jmmmdd32.exe
File created                  C:\Windows\SysWOW64\Aeiiblhg.dll  Kodhbe32.exe
File created                  C:\Windows\SysWOW64\Aonkammc.dll  Jbfalecf.exe
File created                  C:\Windows\SysWOW64\Aijoal32.dll  Jbdegeei.exe
File created                  C:\Windows\SysWOW64\Mdmdpd32.exe  Mkeogn32.exe
File created                  C:\Windows\SysWOW64\Ckfkdffp.dll  Mochmm32.exe
File created                  C:\Windows\SysWOW64\Hoacqggo.exe  Hgfnlejd.exe
File opened for modification  C:\Windows\SysWOW64\Kpohplpf.exe  Keicbcqp.exe
File created                  C:\Windows\SysWOW64\Mjgihdib.exe  Mpodoo32.exe
File opened for modification  C:\Windows\SysWOW64\Cobkja32.exe  Cjebbkbk.exe
File created                  C:\Windows\SysWOW64\Hadckp32.exe  Hglobj32.exe
File created                  C:\Windows\SysWOW64\Pjnikd32.dll  Ilpaqmkg.exe
File created                  C:\Windows\SysWOW64\Pefoci32.exe  Pdebladb.exe
File opened for modification  C:\Windows\SysWOW64\Chpmocpa.exe  Cnjhbjql.exe
File opened for modification  C:\Windows\SysWOW64\Cnifia32.exe  Beaaplbg.exe
File created                  C:\Windows\SysWOW64\Holcka32.exe  Hdfoni32.exe
File created                  C:\Windows\SysWOW64\Ohleappp.exe  Ofmigm32.exe
File created                  C:\Windows\SysWOW64\Fchigcab.exe  Fgaibb32.exe
File created                  C:\Windows\SysWOW64\Oaecne32.exe  Olijen32.exe
File created                  C:\Windows\SysWOW64\Oiceffeh.dll  Appikd32.exe
File created                  C:\Windows\SysWOW64\Cnfkoc32.dll  Gqomqm32.exe
File opened for modification  C:\Windows\SysWOW64\Nbqjne32.exe  Ngkepl32.exe
File created                  C:\Windows\SysWOW64\Pigkjmap.exe  Pgdfbb32.exe
File created                  C:\Windows\SysWOW64\Elgodo32.dll  Plkgkn32.exe
File opened for modification  C:\Windows\SysWOW64\Eohhmbjc.exe  Eilodk32.exe
File created                  C:\Windows\SysWOW64\Ndmgck32.dll  Celnjj32.exe
File created                  C:\Windows\SysWOW64\Jmoqmm32.dll  Fdockgqp.exe
File created                  C:\Windows\SysWOW64\Bnmpcmpi.exe  Bllcke32.exe
File created                  C:\Windows\SysWOW64\Cfddcn32.exe  Cqgkkg32.exe
File created                  C:\Windows\SysWOW64\Mnknch32.dll  Omaqoa32.exe
File created                  C:\Windows\SysWOW64\Nonlon32.dll  Bnmpcmpi.exe
File created                  C:\Windows\SysWOW64\Kogehdqp.exe  Khmmkj32.exe
File created                  C:\Windows\SysWOW64\Cfagmn32.exe  Cqeoegfb.exe
File created                  C:\Windows\SysWOW64\Bllcke32.exe  Abfonl32.exe
File created                  C:\Windows\SysWOW64\Cbdgok32.dll  Gbcgne32.exe
File opened for modification  C:\Windows\SysWOW64\Ifeenfjm.exe  Ilpaqmkg.exe
File opened for modification  C:\Windows\SysWOW64\Kgdgaflh.exe  Kmlbia32.exe
File created                  C:\Windows\SysWOW64\Nkddkk32.exe  Nfglcd32.exe
File created                  C:\Windows\SysWOW64\Gldgomqc.dll  Hglobj32.exe
File created                  C:\Windows\SysWOW64\Mkpkplih.exe  Mcdflilm.exe
File created                  C:\Windows\SysWOW64\Aeedhf32.exe  Aollklac.exe
File created                  C:\Windows\SysWOW64\Ifmgljnf.dll  Agkjknji.exe
File created                  C:\Windows\SysWOW64\Efeblnbp.exe  Eiabbicf.exe
File created                  C:\Windows\SysWOW64\Cbkdhohk.exe  Cmnlphjd.exe
File opened for modification  C:\Windows\SysWOW64\Jifmgman.exe  Jakhckdb.exe
File created                  C:\Windows\SysWOW64\Fgaibb32.exe  Finhinmd.exe
File created                  C:\Windows\SysWOW64\Aclhap32.exe  Ajddik32.exe
File created                  C:\Windows\SysWOW64\Jbfalecf.exe  Jmjidneo.exe
File created                  C:\Windows\SysWOW64\Nmohjopk.exe  Mcfcai32.exe
File created                  C:\Windows\SysWOW64\Dlmponfo.dll  Iidccj32.exe
Program crash (1 IoC)

pid   pid_target  Process       procid_target
4228  4204        WerFault.exe  346
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Many benign programs also read this key through ordinary locale APIs, so on its own the behaviour is a weak indicator; it is listed because 64 of the dropped executables perform it.

description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (64): Boblbe32.exe, Gkkkgkla.exe, Apdodc32.exe, Doibhekc.exe, Dhcmld32.exe, Goojldgf.exe, Dcbpfp32.exe, Holcka32.exe, Jppedg32.exe, Pdebladb.exe, Digfil32.exe, Daognhlc.exe, Gogipbln.exe, Camlpldf.exe, Emmljodk.exe, Cbkdhohk.exe, Finhinmd.exe, Mljnoo32.exe, Nqamcbcj.exe, Mjabhjec.exe, Abfonl32.exe, Plkgkn32.exe, Aeedhf32.exe, Bclnfm32.exe, Iolojejd.exe, Obbpio32.exe, Hnanceem.exe, Fopnma32.exe, Ijipbchn.exe, Lbmknipc.exe, Hodpfg32.exe, Hkjqkhkq.exe, Cnjhbjql.exe, Dimlhgep.exe, Ioqhed32.exe, Klpffn32.exe, Obllai32.exe, Gcnleahm.exe, Gckmgi32.exe, Ilggal32.exe, Bqpejh32.exe, Cfagmn32.exe, Fnlhibff.exe, Cfddcn32.exe, Ifkgldag.exe, Jmjidneo.exe, Klaojm32.exe, Jifmgman.exe, Fddcqm32.exe, Oqhcda32.exe, Iidccj32.exe, Bfeqgikk.exe, Hkepfb32.exe, Mmjlfgml.exe, Ifjoie32.exe, Jkqmnh32.exe, Jambpb32.exe, Mnheniaa.exe, Cqgkkg32.exe, Mpkehbjm.exe, Iacojc32.exe, Cqeoegfb.exe, Fgaibb32.exe, Cgdippej.exe
Modifies registry class (64 IoCs)
All writes target the CLSID referenced by the ShellServiceObjectDelayLoad value above. Each InProcServer32 default value points at a differently named DLL under C:\Windows\SysWow64 and is written by a different dropped executable, so the COM server Explorer.exe loads for this CLSID is re-registered repeatedly during the run.

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Process (28): Ikaglgei.exe, Lkjlcjpb.exe, Eofkgb32.exe, Boekqn32.exe, Mbgdonkd.exe, Facjobce.exe, Ajindjom.exe, Mkeogn32.exe, Dehfig32.exe, Lnnkmdfq.exe, Fnlhibff.exe, Cmnlphjd.exe, Iegnom32.exe, Mcfcai32.exe, Olijen32.exe, Apdodc32.exe, Bgemal32.exe, Lpbkpa32.exe, Ofmigm32.exe, Ilicgl32.exe, Peclcc32.exe, Finhinmd.exe, Fdockgqp.exe, Hadckp32.exe, Joblme32.exe, Adkaib32.exe, Gnaadb32.exe, Cndbbolm.exe

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Process (18): Ngkepl32.exe, Chpmocpa.exe, Dlmcaijm.exe, Ijodiedi.exe, Ohleappp.exe, Eakmdm32.exe, Jambpb32.exe, Oaecne32.exe, Olijen32.exe, Kedaddif.exe, Pjmnck32.exe, Acbigfii.exe, Mnheniaa.exe, Ioqhed32.exe, Gqomqm32.exe, Hmiicj32.exe, Fcnmne32.exe, Aacknfhl.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default value) = DLL path below
Value (18)                        Process
C:\Windows\SysWow64\Mekoii32.dll  Feoihi32.exe
C:\Windows\SysWow64\Bnnfdpgo.dll  Gknjecab.exe
C:\Windows\SysWow64\Bepllj32.dll  Kedaddif.exe
C:\Windows\SysWow64\Mlnpen32.dll  Llhejldh.exe
C:\Windows\SysWow64\Blmdnmbn.dll  Jklbed32.exe
C:\Windows\SysWow64\Onancd32.dll  Dimlhgep.exe
C:\Windows\SysWow64\Mmqnfcjo.dll  Cjebbkbk.exe
C:\Windows\SysWow64\Pemnml32.dll  Obbpio32.exe
C:\Windows\SysWow64\Jfoojcjh.dll  Kamooe32.exe
C:\Windows\SysWow64\Fcpinlpk.dll  Mqkked32.exe
C:\Windows\SysWow64\Cbopibgb.dll  Pfflnl32.exe
C:\Windows\SysWow64\Njoiof32.dll  Blaficqe.exe
C:\Windows\SysWow64\Lefdjmig.dll  Cbhahigb.exe
C:\Windows\SysWow64\Dlmponfo.dll  Iidccj32.exe
C:\Windows\SysWow64\Kdhmnl32.dll  Hodpfg32.exe
C:\Windows\SysWow64\Phifln32.dll  Fddcqm32.exe
C:\Windows\SysWow64\Kmoeecda.dll  Dnkhcnfe.exe
C:\Windows\SysWow64\Lpgjcj32.dll  Bfojhngl.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\42a203206fe83c07a853a5307e89f596b34acc27287f1c5e8fb7b7aee8a60444.exe (command line: "C:\Users\Admin\AppData\Local\Temp\42a203206fe83c07a853a5307e89f596b34acc27287f1c5e8fb7b7aee8a60444.exe", depth 1, PID 2168)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mjkpjkni.exe (command line: C:\Windows\system32\Mjkpjkni.exe, depth 2, PID 2620)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mmjlfgml.exe (command line: C:\Windows\system32\Mmjlfgml.exe, depth 3, PID 2680)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mbgdonkd.exe (command line: C:\Windows\system32\Mbgdonkd.exe, depth 4, PID 2692)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mpkehbjm.exe (command line: C:\Windows\system32\Mpkehbjm.exe, depth 5, PID 2740)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Nieffgok.exe (command line: C:\Windows\system32\Nieffgok.exe, depth 6, PID 2540)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ncogge32.exe (command line: C:\Windows\system32\Ncogge32.exe, depth 7, PID 2980)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Njnion32.exe (command line: C:\Windows\system32\Njnion32.exe, depth 8, PID 2824)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Omnapi32.exe (command line: C:\Windows\system32\Omnapi32.exe, depth 9, PID 2384)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Omqnfiip.exe (command line: C:\Windows\system32\Omqnfiip.exe, depth 10, PID 1680)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Oficoo32.exe (command line: C:\Windows\system32\Oficoo32.exe, depth 11, PID 1120)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Obbpio32.exe (command line: C:\Windows\system32\Obbpio32.exe, depth 12, PID 2400)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pgdfbb32.exe (command line: C:\Windows\system32\Pgdfbb32.exe, depth 13, PID 964)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pigkjmap.exe (command line: C:\Windows\system32\Pigkjmap.exe, depth 14, PID 684)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pnedpl32.exe (command line: C:\Windows\system32\Pnedpl32.exe, depth 15, PID 2112)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qhoeqide.exe (command line: C:\Windows\system32\Qhoeqide.exe, depth 16, PID 3060)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Alojlgii.exe (command line: C:\Windows\system32\Alojlgii.exe, depth 17, PID 2420)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Aopcnbfj.exe (command line: C:\Windows\system32\Aopcnbfj.exe, depth 18, PID 2376)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Acbigfii.exe (command line: C:\Windows\system32\Acbigfii.exe, depth 19, PID 1856)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Acdemegf.exe (command line: C:\Windows\system32\Acdemegf.exe, depth 20, PID 1124)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Bgbncdmm.exe (command line: C:\Windows\system32\Bgbncdmm.exe, depth 21, PID 3024)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Bqjcli32.exe (command line: C:\Windows\system32\Bqjcli32.exe, depth 22, PID 2296)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Bcklmdqn.exe (command line: C:\Windows\system32\Bcklmdqn.exe, depth 23, PID 2888)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Boblbe32.exe (command line: C:\Windows\system32\Boblbe32.exe, depth 24, PID 880)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Beaaplbg.exe (command line: C:\Windows\system32\Beaaplbg.exe, depth 25, PID 2280)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Cnifia32.exe (command line: C:\Windows\system32\Cnifia32.exe, depth 26, PID 2800)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Cfggccdp.exe (command line: C:\Windows\system32\Cfggccdp.exe, depth 27, PID 1572)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Camlpldf.exe (command line: C:\Windows\system32\Camlpldf.exe, depth 28, PID 2756)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Caohfl32.exe (command line: C:\Windows\system32\Caohfl32.exe, depth 29, PID 2700)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Cijmjn32.exe (command line: C:\Windows\system32\Cijmjn32.exe, depth 30, PID 1752)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Doibhekc.exe (command line: C:\Windows\system32\Doibhekc.exe, depth 31, PID 2976)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Dlmcaijm.exe (command line: C:\Windows\system32\Dlmcaijm.exe, depth 32, PID 2492)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Emmljodk.exe (command line: C:\Windows\system32\Emmljodk.exe, depth 33, PID 588)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Epmdljal.exe (command line: C:\Windows\system32\Epmdljal.exe, depth 34, PID 2576)
- Executes dropped EXE

C:\Windows\SysWOW64\Fieiephm.exe (command line: C:\Windows\system32\Fieiephm.exe, depth 35, PID 2004)
- Executes dropped EXE

C:\Windows\SysWOW64\Fcnmne32.exe (command line: C:\Windows\system32\Fcnmne32.exe, depth 36, PID 2504)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Facjobce.exe (command line: C:\Windows\system32\Facjobce.exe, depth 37, PID 1580)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Fgpcgi32.exe (command line: C:\Windows\system32\Fgpcgi32.exe, depth 38, PID 2844)
- Executes dropped EXE

C:\Windows\SysWOW64\Fddcqm32.exe (command line: C:\Windows\system32\Fddcqm32.exe, depth 39, PID 1812)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Fnlhibff.exe (command line: C:\Windows\system32\Fnlhibff.exe, depth 40, PID 2208)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Fkphcg32.exe (command line: C:\Windows\system32\Fkphcg32.exe, depth 41, PID 2916)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Gckmgi32.exe (command line: C:\Windows\system32\Gckmgi32.exe, depth 42, PID 3064)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Gnaadb32.exe (command line: C:\Windows\system32\Gnaadb32.exe, depth 43, PID 1020)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Gqomqm32.exe (command line: C:\Windows\system32\Gqomqm32.exe, depth 44, PID 2064)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Ghkbepop.exe (command line: C:\Windows\system32\Ghkbepop.exe, depth 45, PID 936)
- Executes dropped EXE

C:\Windows\SysWOW64\Gbcgne32.exe (command line: C:\Windows\system32\Gbcgne32.exe, depth 46, PID 2340)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Gkkkgkla.exe (command line: C:\Windows\system32\Gkkkgkla.exe, depth 47, PID 1404)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Gddppp32.exe (command line: C:\Windows\system32\Gddppp32.exe, depth 48, PID 2424)
- Executes dropped EXE

C:\Windows\SysWOW64\Gknhlj32.exe (command line: C:\Windows\system32\Gknhlj32.exe, depth 49, PID 2304)
- Executes dropped EXE

C:\Windows\SysWOW64\Gfclic32.exe (command line: C:\Windows\system32\Gfclic32.exe, depth 50, PID 1640)
- Executes dropped EXE

C:\Windows\SysWOW64\Holqbipe.exe (command line: C:\Windows\system32\Holqbipe.exe, depth 51, PID 2176)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Hqmmja32.exe (command line: C:\Windows\system32\Hqmmja32.exe, depth 52, PID 2908)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Hnanceem.exe (command line: C:\Windows\system32\Hnanceem.exe, depth 53, PID 2668)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Hcnfllcd.exe (command line: C:\Windows\system32\Hcnfllcd.exe, depth 54, PID 2784)
- Executes dropped EXE

C:\Windows\SysWOW64\Hmfjda32.exe (command line: C:\Windows\system32\Hmfjda32.exe, depth 55, PID 3008)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Hglobj32.exe (command line: C:\Windows\system32\Hglobj32.exe, depth 56, PID 2968)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Hadckp32.exe (command line: C:\Windows\system32\Hadckp32.exe, depth 57, PID 2608)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Hgnkgjgh.exe (command line: C:\Windows\system32\Hgnkgjgh.exe, depth 58, PID 2052)
- Executes dropped EXE

C:\Windows\SysWOW64\Icdllk32.exe (command line: C:\Windows\system32\Icdllk32.exe, depth 59, PID 2000)
- Executes dropped EXE

C:\Windows\SysWOW64\Ijodiedi.exe (command line: C:\Windows\system32\Ijodiedi.exe, depth 60, PID 1920)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Ilpaqmkg.exe (command line: C:\Windows\system32\Ilpaqmkg.exe, depth 61, PID 396)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Ifeenfjm.exe (command line: C:\Windows\system32\Ifeenfjm.exe, depth 62, PID 1700)
- Executes dropped EXE

C:\Windows\SysWOW64\Ilbnfmhd.exe (command line: C:\Windows\system32\Ilbnfmhd.exe, depth 63, PID 2924)
- Executes dropped EXE

C:\Windows\SysWOW64\Ifhacfhj.exe (command line: C:\Windows\system32\Ifhacfhj.exe, depth 64, PID 1040)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Ildjlmfb.exe (command line: C:\Windows\system32\Ildjlmfb.exe, depth 65, PID 1092)
- Executes dropped EXE

C:\Windows\SysWOW64\Ifjoie32.exe (command line: C:\Windows\system32\Ifjoie32.exe, depth 66, PID 1460)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Ilggal32.exe (command line: C:\Windows\system32\Ilggal32.exe, depth 67, PID 628)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Iacojc32.exe (command line: C:\Windows\system32\Iacojc32.exe, depth 68, PID 2184)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Ilicgl32.exe (command line: C:\Windows\system32\Ilicgl32.exe, depth 69, PID 1804)
- Modifies registry class

C:\Windows\SysWOW64\Jeahpa32.exe (command line: C:\Windows\system32\Jeahpa32.exe, depth 70, PID 752)

C:\Windows\SysWOW64\Jmmmdd32.exe (command line: C:\Windows\system32\Jmmmdd32.exe, depth 71, PID 2936)
- Drops file in System32 directory

C:\Windows\SysWOW64\Jkqmnh32.exe (command line: C:\Windows\system32\Jkqmnh32.exe, depth 72, PID 2288)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Jhengldk.exe (command line: C:\Windows\system32\Jhengldk.exe, depth 73, PID 2872)

C:\Windows\SysWOW64\Jambpb32.exe (command line: C:\Windows\system32\Jambpb32.exe, depth 74, PID 2240)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Jmdcecpp.exe (command line: C:\Windows\system32\Jmdcecpp.exe, depth 75, PID 3048)

C:\Windows\SysWOW64\Kglgnhgq.exe (command line: C:\Windows\system32\Kglgnhgq.exe, depth 76, PID 2896)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Kbchbi32.exe (command line: C:\Windows\system32\Kbchbi32.exe, depth 77, PID 2556)

C:\Windows\SysWOW64\Klkmkoce.exe (command line: C:\Windows\system32\Klkmkoce.exe, depth 78, PID 2716)

C:\Windows\SysWOW64\Kedaddif.exe (command line: C:\Windows\system32\Kedaddif.exe, depth 79, PID 1992)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Kolemj32.exe (command line: C:\Windows\system32\Kolemj32.exe, depth 80, PID 2436)

C:\Windows\SysWOW64\Klpffn32.exe (command line: C:\Windows\system32\Klpffn32.exe, depth 81, PID 1576)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Kamooe32.exe (command line: C:\Windows\system32\Kamooe32.exe, depth 82, PID 2372)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Kkechk32.exe (command line: C:\Windows\system32\Kkechk32.exe, depth 83, PID 828)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Lpbkpa32.exe (command line: C:\Windows\system32\Lpbkpa32.exe, depth 84, PID 1916)
- Modifies registry class

C:\Windows\SysWOW64\Lpdhea32.exe (command line: C:\Windows\system32\Lpdhea32.exe, depth 85, PID 2232)

C:\Windows\SysWOW64\Lkjlcjpb.exe (command line: C:\Windows\system32\Lkjlcjpb.exe, depth 86, PID 804)
- Modifies registry class

C:\Windows\SysWOW64\Lgqmhk32.exe (command line: C:\Windows\system32\Lgqmhk32.exe, depth 87, PID 1900)

C:\Windows\SysWOW64\Lpiaqqlg.exe (command line: C:\Windows\system32\Lpiaqqlg.exe, depth 88, PID 1448)

C:\Windows\SysWOW64\Lhdfec32.exe (command line: C:\Windows\system32\Lhdfec32.exe, depth 89, PID 2496)

C:\Windows\SysWOW64\Lbmknipc.exe (command line: C:\Windows\system32\Lbmknipc.exe, depth 90, PID 2324)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Mkeogn32.exe (command line: C:\Windows\system32\Mkeogn32.exe, depth 91, PID 2768)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Mdmdpd32.exe (command line: C:\Windows\system32\Mdmdpd32.exe, depth 92, PID 2720)
- Drops file in System32 directory

C:\Windows\SysWOW64\Mochmm32.exe (command line: C:\Windows\system32\Mochmm32.exe, depth 93, PID 2828)
- Drops file in System32 directory

C:\Windows\SysWOW64\Mbadih32.exe (command line: C:\Windows\system32\Mbadih32.exe, depth 94, PID 2704)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Mgnmao32.exe (command line: C:\Windows\system32\Mgnmao32.exe, depth 95, PID 2780)

C:\Windows\SysWOW64\Mnheniaa.exe (command line: C:\Windows\system32\Mnheniaa.exe, depth 96, PID 2100)
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Mgqigohb.exe (command line: C:\Windows\system32\Mgqigohb.exe, depth 97, PID 1100)

C:\Windows\SysWOW64\Mbfndggh.exe (command line: C:\Windows\system32\Mbfndggh.exe, depth 98, PID 2252)

C:\Windows\SysWOW64\Mjabhjec.exe (command line: C:\Windows\system32\Mjabhjec.exe, depth 99, PID 1904)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Mqkked32.exe (command line: C:\Windows\system32\Mqkked32.exe, depth 100, PID 1616)
- Modifies registry class

C:\Windows\SysWOW64\Nedfofig.exe (command line: C:\Windows\system32\Nedfofig.exe, depth 101, PID 2020)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Oeipje32.exe (command line: C:\Windows\system32\Oeipje32.exe, depth 102, PID 560)

C:\Windows\SysWOW64\Onadck32.exe (command line: C:\Windows\system32\Onadck32.exe, depth 103, PID 1944)

C:\Windows\SysWOW64\Ofmigm32.exe (command line: C:\Windows\system32\Ofmigm32.exe, depth 104, PID 2988)
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Ohleappp.exe (command line: C:\Windows\system32\Ohleappp.exe, depth 105, PID 2312)
- Modifies registry class

C:\Windows\SysWOW64\Pjmnck32.exe (command line: C:\Windows\system32\Pjmnck32.exe, depth 106, PID 1528)
- Modifies registry class

C:\Windows\SysWOW64\Pdebladb.exe (command line: C:\Windows\system32\Pdebladb.exe, depth 107, PID 2256)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Pefoci32.exe (command line: C:\Windows\system32\Pefoci32.exe, depth 108, PID 2132)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Pplcabif.exe (command line: C:\Windows\system32\Pplcabif.exe, depth 109, PID 2660)

C:\Windows\SysWOW64\Pfflnl32.exe (command line: C:\Windows\system32\Pfflnl32.exe, depth 110, PID 2616)
- Modifies registry class

C:\Windows\SysWOW64\Pbmlbmfg.exe (command line: C:\Windows\system32\Pbmlbmfg.exe, depth 111, PID 1624)

C:\Windows\SysWOW64\Phiekdeo.exe (command line: C:\Windows\system32\Phiekdeo.exe, depth 112, PID 1708)

C:\Windows\SysWOW64\Pabidiko.exe (command line: C:\Windows\system32\Pabidiko.exe, depth 113, PID 2852)

C:\Windows\SysWOW64\Plgmabke.exe (command line: C:\Windows\system32\Plgmabke.exe, depth 114, PID 2220)
- Drops file in System32 directory

C:\Windows\SysWOW64\Qmijij32.exe (command line: C:\Windows\system32\Qmijij32.exe, depth 115, PID 1648)

C:\Windows\SysWOW64\Qohfcmhf.exe (command line: C:\Windows\system32\Qohfcmhf.exe, depth 116, PID 1724)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Qdeokd32.exe (command line: C:\Windows\system32\Qdeokd32.exe, depth 117, PID 2096)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Akoghnnj.exe (command line: C:\Windows\system32\Akoghnnj.exe, depth 118, PID 1984)

C:\Windows\SysWOW64\Acjllqke.exe (command line: C:\Windows\system32\Acjllqke.exe, depth 119, PID 2344)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Ajddik32.exe (command line: C:\Windows\system32\Ajddik32.exe, depth 120, PID 1808)
- Drops file in System32 directory

C:\Windows\SysWOW64\Aclhap32.exe (command line: C:\Windows\system32\Aclhap32.exe, depth 121, PID 1704)

C:\Windows\SysWOW64\Ajfanjqo.exe (command line: C:\Windows\system32\Ajfanjqo.exe, depth 122, PID 2732)