Analysis
-
max time kernel
39s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
14/09/2024, 06:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6a30248f39b24dc961234315e210cb00N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
6a30248f39b24dc961234315e210cb00N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
6a30248f39b24dc961234315e210cb00N.exe
-
Size
96KB
-
MD5
6a30248f39b24dc961234315e210cb00
-
SHA1
02f657065a2b54f6b6eb1e636c7571628bbdbc3d
-
SHA256
fc3910ac3edb53147f4707f9cc1696406c9ebbfef1dfde1d80433815844124c6
-
SHA512
e86220f1457a79a1d5a31a075fb6061460981f17ee72d6de8ec28d7ba9aae82fccf32a82597dc7a2756ae80dfdc63454f7fe4f812fc219babc90dcb010557a32
-
SSDEEP
1536:8HBs0P2beiKCMQ+6lgTFR/Jm/rrfY7ehg0HduV9jojTIvjrH:8S0+eiXvT0FRBm/fY6hgwd69jc0vf
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpikik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgibdjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpbik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blipno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmbge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khojcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnodgbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chggdoee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnflae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkbbinig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebockkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhkkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkeoongd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncipjieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cppobaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgqmpkfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdpnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ablbjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beadgdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgbcfdmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfglfdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohmoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pglojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ablbjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdpdnpif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jacibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbcelp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijmbnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bakaaepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kamlhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddbmcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Embkbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khojcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 6a30248f39b24dc961234315e210cb00N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngbpehpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odflmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bojipjcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbadagln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekghcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibibfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jngilalk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhjgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epeajo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojeakfnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anhpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbadagln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhklna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpgnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnckki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mokkegmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlolnllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mclqqeaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moenkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baclaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkeoongd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqhfnifq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhioioc.exe -
Executes dropped EXE 64 IoCs
pid Process 2672 Ijidfpci.exe 2652 Ifpelq32.exe 2808 Ingmmn32.exe 2660 Ioiidfon.exe 2620 Ifbaapfk.exe 3028 Iqhfnifq.exe 448 Ibibfa32.exe 2956 Ijqjgo32.exe 2504 Iomcpe32.exe 2880 Ifgklp32.exe 2924 Imacijjb.exe 2284 Jbnlaqhi.exe 1148 Jgkdigfa.exe 2184 Joblkegc.exe 688 Jbphgpfg.exe 2980 Jacibm32.exe 1616 Jngilalk.exe 2068 Jbcelp32.exe 1268 Jeaahk32.exe 1092 Jmlfmn32.exe 1696 Jecnnk32.exe 976 Jfekec32.exe 2444 Jnlbgq32.exe 560 Kjbclamj.exe 664 Kamlhl32.exe 2556 Kppldhla.exe 2792 Kihpmnbb.exe 2572 Kmclmm32.exe 2604 Kijmbnpo.exe 2152 Kmficl32.exe 1208 Klhioioc.exe 1332 Khojcj32.exe 792 Kbenacdm.exe 2824 Klmbjh32.exe 2868 Kjpceebh.exe 3032 Leegbnan.exe 1736 Lalhgogb.exe 1768 Lehdhn32.exe 2368 Ldkdckff.exe 2188 Lmcilp32.exe 2164 Lpaehl32.exe 944 Lijiaabk.exe 900 Lmeebpkd.exe 1368 Lbbnjgik.exe 2036 Lkifkdjm.exe 1812 Lilfgq32.exe 2480 Lmhbgpia.exe 1656 Llkbcl32.exe 2940 Ldbjdj32.exe 2788 Lcdjpfgh.exe 2636 Miocmq32.exe 3064 Mmjomogn.exe 2864 Mpikik32.exe 2968 Mokkegmm.exe 2356 Mgbcfdmo.exe 2608 Meecaa32.exe 2616 Mhdpnm32.exe 2904 Mlolnllf.exe 2132 Monhjgkj.exe 536 Mcidkf32.exe 2136 Mehpga32.exe 980 Miclhpjp.exe 2936 Mlahdkjc.exe 1864 Mopdpg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2640 6a30248f39b24dc961234315e210cb00N.exe 2640 6a30248f39b24dc961234315e210cb00N.exe 2672 Ijidfpci.exe 2672 Ijidfpci.exe 2652 Ifpelq32.exe 2652 Ifpelq32.exe 2808 Ingmmn32.exe 2808 Ingmmn32.exe 2660 Ioiidfon.exe 2660 Ioiidfon.exe 2620 Ifbaapfk.exe 2620 Ifbaapfk.exe 3028 Iqhfnifq.exe 3028 Iqhfnifq.exe 448 Ibibfa32.exe 448 Ibibfa32.exe 2956 Ijqjgo32.exe 2956 Ijqjgo32.exe 2504 Iomcpe32.exe 2504 Iomcpe32.exe 2880 Ifgklp32.exe 2880 Ifgklp32.exe 2924 Imacijjb.exe 2924 Imacijjb.exe 2284 Jbnlaqhi.exe 2284 Jbnlaqhi.exe 1148 Jgkdigfa.exe 1148 Jgkdigfa.exe 2184 Joblkegc.exe 2184 Joblkegc.exe 688 Jbphgpfg.exe 688 Jbphgpfg.exe 2980 Jacibm32.exe 2980 Jacibm32.exe 1616 Jngilalk.exe 1616 Jngilalk.exe 2068 Jbcelp32.exe 2068 Jbcelp32.exe 1268 Jeaahk32.exe 1268 Jeaahk32.exe 1092 Jmlfmn32.exe 1092 Jmlfmn32.exe 1696 Jecnnk32.exe 1696 Jecnnk32.exe 976 Jfekec32.exe 976 Jfekec32.exe 2444 Jnlbgq32.exe 2444 Jnlbgq32.exe 560 Kjbclamj.exe 560 Kjbclamj.exe 664 Kamlhl32.exe 664 Kamlhl32.exe 2556 Kppldhla.exe 2556 Kppldhla.exe 2792 Kihpmnbb.exe 2792 Kihpmnbb.exe 2572 Kmclmm32.exe 2572 Kmclmm32.exe 2604 Kijmbnpo.exe 2604 Kijmbnpo.exe 2152 Kmficl32.exe 2152 Kmficl32.exe 1208 Klhioioc.exe 1208 Klhioioc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bhbmip32.exe Bedamd32.exe File created C:\Windows\SysWOW64\Eddjhb32.exe Dmmbge32.exe File opened for modification C:\Windows\SysWOW64\Okpdjjil.exe Oiahnnji.exe File created C:\Windows\SysWOW64\Fdbnboph.dll Dqddmd32.exe File created C:\Windows\SysWOW64\Lmeebpkd.exe Lijiaabk.exe File opened for modification C:\Windows\SysWOW64\Mkibjgli.exe Mhkfnlme.exe File created C:\Windows\SysWOW64\Ncipjieo.exe Ndfpnl32.exe File created C:\Windows\SysWOW64\Pjlgle32.exe Pbepkh32.exe File opened for modification C:\Windows\SysWOW64\Ammmlcgi.exe Afcdpi32.exe File created C:\Windows\SysWOW64\Iomcpe32.exe Ijqjgo32.exe File created C:\Windows\SysWOW64\Acpchmhl.dll Dnjalhpp.exe File created C:\Windows\SysWOW64\Mlolnllf.exe Mhdpnm32.exe File created C:\Windows\SysWOW64\Pdkooael.dll Ddkgbc32.exe File created C:\Windows\SysWOW64\Onndkg32.dll Fhbbcail.exe File opened for modification C:\Windows\SysWOW64\Nhhehpbc.exe Nfjildbp.exe File opened for modification C:\Windows\SysWOW64\Jacibm32.exe Jbphgpfg.exe File opened for modification C:\Windows\SysWOW64\Pbjifgcd.exe Pfchqf32.exe File opened for modification C:\Windows\SysWOW64\Djmiejji.exe Dkjhjm32.exe File created C:\Windows\SysWOW64\Nfjildbp.exe Nckmpicl.exe File created C:\Windows\SysWOW64\Hhchpk32.dll Pgibdjln.exe File created C:\Windows\SysWOW64\Kmpnop32.dll Fbfjkj32.exe File opened for modification C:\Windows\SysWOW64\Jeaahk32.exe Jbcelp32.exe File created C:\Windows\SysWOW64\Dboglhna.exe Dnckki32.exe File created C:\Windows\SysWOW64\Flnndp32.exe Fhbbcail.exe File created C:\Windows\SysWOW64\Kamlhl32.exe Kjbclamj.exe File created C:\Windows\SysWOW64\Kppegfpa.dll Bggjjlnb.exe File opened for modification C:\Windows\SysWOW64\Oddphp32.exe Obecld32.exe File opened for modification C:\Windows\SysWOW64\Pjlgle32.exe Pbepkh32.exe File opened for modification C:\Windows\SysWOW64\Kihpmnbb.exe Kppldhla.exe File opened for modification C:\Windows\SysWOW64\Eiilge32.exe Efjpkj32.exe File created C:\Windows\SysWOW64\Nnodgbed.exe Nfglfdeb.exe File created C:\Windows\SysWOW64\Hefqbobh.dll Qncfphff.exe File created C:\Windows\SysWOW64\Bggjjlnb.exe Bdinnqon.exe File opened for modification C:\Windows\SysWOW64\Dlboca32.exe Ddkgbc32.exe File opened for modification C:\Windows\SysWOW64\Lmeebpkd.exe Lijiaabk.exe File opened for modification C:\Windows\SysWOW64\Leegbnan.exe Kjpceebh.exe File created C:\Windows\SysWOW64\Qadkkc32.dll Kjpceebh.exe File created C:\Windows\SysWOW64\Fedfgejh.exe Fbfjkj32.exe File created C:\Windows\SysWOW64\Qhalbm32.dll Ddmchcnd.exe File created C:\Windows\SysWOW64\Peqiahfi.dll Dkjhjm32.exe File created C:\Windows\SysWOW64\Nknkeg32.exe Ngbpehpj.exe File opened for modification C:\Windows\SysWOW64\Jnlbgq32.exe Jfekec32.exe File created C:\Windows\SysWOW64\Ppfafphp.dll Kmclmm32.exe File created C:\Windows\SysWOW64\Mejmmqpd.exe Mclqqeaq.exe File created C:\Windows\SysWOW64\Hefccdhf.dll Jgkdigfa.exe File created C:\Windows\SysWOW64\Akpcdopi.dll Blkmdodf.exe File opened for modification C:\Windows\SysWOW64\Cpgecq32.exe Cnhhge32.exe File opened for modification C:\Windows\SysWOW64\Afgnkilf.exe Ablbjj32.exe File opened for modification C:\Windows\SysWOW64\Blipno32.exe Bikcbc32.exe File created C:\Windows\SysWOW64\Ldkdckff.exe Lehdhn32.exe File created C:\Windows\SysWOW64\Pphjan32.dll Lmeebpkd.exe File created C:\Windows\SysWOW64\Mcidkf32.exe Monhjgkj.exe File opened for modification C:\Windows\SysWOW64\Ogbldk32.exe Oddphp32.exe File created C:\Windows\SysWOW64\Ockinl32.exe Oehicoom.exe File opened for modification C:\Windows\SysWOW64\Ifgklp32.exe Iomcpe32.exe File opened for modification C:\Windows\SysWOW64\Pmkdhq32.exe Pjlgle32.exe File created C:\Windows\SysWOW64\Npabemib.dll Boeoek32.exe File created C:\Windows\SysWOW64\Fkbhkj32.dll Bojipjcj.exe File created C:\Windows\SysWOW64\Kaemmggl.dll Llkbcl32.exe File opened for modification C:\Windows\SysWOW64\Onjgkf32.exe Okkkoj32.exe File created C:\Windows\SysWOW64\Mqpkpl32.dll Embkbdce.exe File created C:\Windows\SysWOW64\Ebockkal.exe Epqgopbi.exe File opened for modification C:\Windows\SysWOW64\Jbnlaqhi.exe Imacijjb.exe File created C:\Windows\SysWOW64\Jbekkd32.dll Ldkdckff.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3796 3724 WerFault.exe 286 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lalhgogb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoifiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbpehpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpdnpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmclmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbjdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehpga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnpjkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbaapfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjbclamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monhjgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjpkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbmip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boleejag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Donojm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhgggim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihpmnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlahdkjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qekbgbpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedamd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikimeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicmadmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgcio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckecpjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnflae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coladm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijmbnpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okpdjjil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehicoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgnoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmjomogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokkegmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckmpicl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgjdong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbenacdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nddcimag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmiejji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjgei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioiidfon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdjpfgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onjgkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfekec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okinik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockinl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbphgpfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlohmonb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbepkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apnfno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhklna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odacbpee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqojhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afqhjj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kppldhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfibfeh.dll" Lmcilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Maanab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekghcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijidfpci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlhijgh.dll" Kjbclamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copjlmfa.dll" Ocpfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghibjjfb.dll" Ngbpehpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgaajh32.dll" Bhpqcpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqebj32.dll" Bkqiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nphghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhalbm32.dll" Ddmchcnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dochelmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odflmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdnej32.dll" Pidaba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefccdhf.dll" Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Monhjgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efjpkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpaehl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llkbcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebappk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mclqqeaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll" Eikimeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onoqfehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmhbgpia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdbgnmd.dll" Nfglfdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiabmg32.dll" Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emgdmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfjh32.dll" Ecjgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ockinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qifnhaho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pidaba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnckki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiilge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jecnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidbakdl.dll" Cdngip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jacibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nckmpicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmmbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Moenkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okinik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bihgmdih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpikik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhdfmbjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nceqcnpi.dll" Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doebph32.dll" Miocmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbmccel.dll" Mclqqeaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecjgio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jecnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elhnce32.dll" Lalhgogb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pimkbbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhhehpbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkjfakb.dll" Oehicoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pidaba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacgfd32.dll" Beadgdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmlfmn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2672 2640 6a30248f39b24dc961234315e210cb00N.exe 30 PID 2640 wrote to memory of 2672 2640 6a30248f39b24dc961234315e210cb00N.exe 30 PID 2640 wrote to memory of 2672 2640 6a30248f39b24dc961234315e210cb00N.exe 30 PID 2640 wrote to memory of 2672 2640 6a30248f39b24dc961234315e210cb00N.exe 30 PID 2672 wrote to memory of 2652 2672 Ijidfpci.exe 31 PID 2672 wrote to memory of 2652 2672 Ijidfpci.exe 31 PID 2672 wrote to memory of 2652 2672 Ijidfpci.exe 31 PID 2672 wrote to memory of 2652 2672 Ijidfpci.exe 31 PID 2652 wrote to memory of 2808 2652 Ifpelq32.exe 32 PID 2652 wrote to memory of 2808 2652 Ifpelq32.exe 32 PID 2652 wrote to memory of 2808 2652 Ifpelq32.exe 32 PID 2652 wrote to memory of 2808 2652 Ifpelq32.exe 32 PID 2808 wrote to memory of 2660 2808 Ingmmn32.exe 33 PID 2808 wrote to memory of 2660 2808 Ingmmn32.exe 33 PID 2808 wrote to memory of 2660 2808 Ingmmn32.exe 33 PID 2808 wrote to memory of 2660 2808 Ingmmn32.exe 33 PID 2660 wrote to memory of 2620 2660 Ioiidfon.exe 34 PID 2660 wrote to memory of 2620 2660 Ioiidfon.exe 34 PID 2660 wrote to memory of 2620 2660 Ioiidfon.exe 34 PID 2660 wrote to memory of 2620 2660 Ioiidfon.exe 34 PID 2620 wrote to memory of 3028 2620 Ifbaapfk.exe 35 PID 2620 wrote to memory of 3028 2620 Ifbaapfk.exe 35 PID 2620 wrote to memory of 3028 2620 Ifbaapfk.exe 35 PID 2620 wrote to memory of 3028 2620 Ifbaapfk.exe 35 PID 3028 wrote to memory of 448 3028 Iqhfnifq.exe 36 PID 3028 wrote to memory of 448 3028 Iqhfnifq.exe 36 PID 3028 wrote to memory of 448 3028 Iqhfnifq.exe 36 PID 3028 wrote to memory of 448 3028 Iqhfnifq.exe 36 PID 448 wrote to memory of 2956 448 Ibibfa32.exe 37 PID 448 wrote to memory of 2956 448 Ibibfa32.exe 37 PID 448 wrote to memory of 2956 448 Ibibfa32.exe 37 PID 448 wrote to memory of 2956 448 Ibibfa32.exe 37 PID 2956 wrote to memory of 2504 2956 Ijqjgo32.exe 38 PID 2956 wrote to memory of 2504 2956 Ijqjgo32.exe 38 PID 2956 wrote to memory of 2504 2956 Ijqjgo32.exe 38 PID 2956 wrote to memory of 2504 2956 Ijqjgo32.exe 38 PID 2504 wrote to memory of 2880 2504 Iomcpe32.exe 39 PID 2504 wrote to memory of 2880 2504 Iomcpe32.exe 39 PID 2504 wrote to memory of 2880 2504 Iomcpe32.exe 39 PID 2504 wrote to memory of 2880 2504 Iomcpe32.exe 39 PID 2880 wrote to memory of 2924 2880 Ifgklp32.exe 40 PID 2880 wrote to memory of 2924 2880 Ifgklp32.exe 40 PID 2880 wrote to memory of 2924 2880 Ifgklp32.exe 40 PID 2880 wrote to memory of 2924 2880 Ifgklp32.exe 40 PID 2924 wrote to memory of 2284 2924 Imacijjb.exe 41 PID 2924 wrote to memory of 2284 2924 Imacijjb.exe 41 PID 2924 wrote to memory of 2284 2924 Imacijjb.exe 41 PID 2924 wrote to memory of 2284 2924 Imacijjb.exe 41 PID 2284 wrote to memory of 1148 2284 Jbnlaqhi.exe 42 PID 2284 wrote to memory of 1148 2284 Jbnlaqhi.exe 42 PID 2284 wrote to memory of 1148 2284 Jbnlaqhi.exe 42 PID 2284 wrote to memory of 1148 2284 Jbnlaqhi.exe 42 PID 1148 wrote to memory of 2184 1148 Jgkdigfa.exe 43 PID 1148 wrote to memory of 2184 1148 Jgkdigfa.exe 43 PID 1148 wrote to memory of 2184 1148 Jgkdigfa.exe 43 PID 1148 wrote to memory of 2184 1148 Jgkdigfa.exe 43 PID 2184 wrote to memory of 688 2184 Joblkegc.exe 44 PID 2184 wrote to memory of 688 2184 Joblkegc.exe 44 PID 2184 wrote to memory of 688 2184 Joblkegc.exe 44 PID 2184 wrote to memory of 688 2184 Joblkegc.exe 44 PID 688 wrote to memory of 2980 688 Jbphgpfg.exe 45 PID 688 wrote to memory of 2980 688 Jbphgpfg.exe 45 PID 688 wrote to memory of 2980 688 Jbphgpfg.exe 45 PID 688 wrote to memory of 2980 688 Jbphgpfg.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a30248f39b24dc961234315e210cb00N.exe"C:\Users\Admin\AppData\Local\Temp\6a30248f39b24dc961234315e210cb00N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Ijidfpci.exeC:\Windows\system32\Ijidfpci.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Ioiidfon.exeC:\Windows\system32\Ioiidfon.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Ifbaapfk.exeC:\Windows\system32\Ifbaapfk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Ibibfa32.exeC:\Windows\system32\Ibibfa32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Ijqjgo32.exeC:\Windows\system32\Ijqjgo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Iomcpe32.exeC:\Windows\system32\Iomcpe32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Imacijjb.exeC:\Windows\system32\Imacijjb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Jbnlaqhi.exeC:\Windows\system32\Jbnlaqhi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Jgkdigfa.exeC:\Windows\system32\Jgkdigfa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Joblkegc.exeC:\Windows\system32\Joblkegc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Jbphgpfg.exeC:\Windows\system32\Jbphgpfg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Jngilalk.exeC:\Windows\system32\Jngilalk.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Jeaahk32.exeC:\Windows\system32\Jeaahk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Jmlfmn32.exeC:\Windows\system32\Jmlfmn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:976 -
C:\Windows\SysWOW64\Jnlbgq32.exeC:\Windows\system32\Jnlbgq32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Kjbclamj.exeC:\Windows\system32\Kjbclamj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Kamlhl32.exeC:\Windows\system32\Kamlhl32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:664 -
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Kmclmm32.exeC:\Windows\system32\Kmclmm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Klhioioc.exeC:\Windows\system32\Klhioioc.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Kbenacdm.exeC:\Windows\system32\Kbenacdm.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:792 -
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Kjpceebh.exeC:\Windows\system32\Kjpceebh.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Leegbnan.exeC:\Windows\system32\Leegbnan.exe37⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Ldkdckff.exeC:\Windows\system32\Ldkdckff.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Lpaehl32.exeC:\Windows\system32\Lpaehl32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\Lmeebpkd.exeC:\Windows\system32\Lmeebpkd.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe45⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Lkifkdjm.exeC:\Windows\system32\Lkifkdjm.exe46⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe47⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Llkbcl32.exeC:\Windows\system32\Llkbcl32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Ldbjdj32.exeC:\Windows\system32\Ldbjdj32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Mmjomogn.exeC:\Windows\system32\Mmjomogn.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Mpikik32.exeC:\Windows\system32\Mpikik32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Meecaa32.exeC:\Windows\system32\Meecaa32.exe57⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Mhdpnm32.exeC:\Windows\system32\Mhdpnm32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Mlolnllf.exeC:\Windows\system32\Mlolnllf.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Monhjgkj.exeC:\Windows\system32\Monhjgkj.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Mcidkf32.exeC:\Windows\system32\Mcidkf32.exe61⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Miclhpjp.exeC:\Windows\system32\Miclhpjp.exe63⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Mlahdkjc.exeC:\Windows\system32\Mlahdkjc.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe65⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Mclqqeaq.exeC:\Windows\system32\Mclqqeaq.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Mejmmqpd.exeC:\Windows\system32\Mejmmqpd.exe67⤵PID:2052
-
C:\Windows\SysWOW64\Mdmmhn32.exeC:\Windows\system32\Mdmmhn32.exe68⤵PID:2752
-
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe69⤵PID:2552
-
C:\Windows\SysWOW64\Mobaef32.exeC:\Windows\system32\Mobaef32.exe70⤵PID:2684
-
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe71⤵
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Mhkfnlme.exeC:\Windows\system32\Mhkfnlme.exe72⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe73⤵PID:2180
-
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Npfjbn32.exeC:\Windows\system32\Npfjbn32.exe75⤵PID:1516
-
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe76⤵PID:572
-
C:\Windows\SysWOW64\Nnjklb32.exeC:\Windows\system32\Nnjklb32.exe77⤵PID:2216
-
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe78⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Nddcimag.exeC:\Windows\system32\Nddcimag.exe79⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe81⤵PID:1776
-
C:\Windows\SysWOW64\Nlohmonb.exeC:\Windows\system32\Nlohmonb.exe82⤵
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\Npkdnnfk.exeC:\Windows\system32\Npkdnnfk.exe83⤵PID:2588
-
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe84⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2596 -
C:\Windows\SysWOW64\Nfglfdeb.exeC:\Windows\system32\Nfglfdeb.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Nladco32.exeC:\Windows\system32\Nladco32.exe88⤵PID:1808
-
C:\Windows\SysWOW64\Nopaoj32.exeC:\Windows\system32\Nopaoj32.exe89⤵PID:1912
-
C:\Windows\SysWOW64\Nckmpicl.exeC:\Windows\system32\Nckmpicl.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Nfjildbp.exeC:\Windows\system32\Nfjildbp.exe91⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Nhhehpbc.exeC:\Windows\system32\Nhhehpbc.exe92⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Nldahn32.exeC:\Windows\system32\Nldahn32.exe93⤵PID:1944
-
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe94⤵PID:2464
-
C:\Windows\SysWOW64\Nbqjqehd.exeC:\Windows\system32\Nbqjqehd.exe95⤵PID:740
-
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe96⤵PID:1876
-
C:\Windows\SysWOW64\Okinik32.exeC:\Windows\system32\Okinik32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Ocpfkh32.exeC:\Windows\system32\Ocpfkh32.exe98⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Obcffefa.exeC:\Windows\system32\Obcffefa.exe99⤵PID:2568
-
C:\Windows\SysWOW64\Odacbpee.exeC:\Windows\system32\Odacbpee.exe100⤵
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Ohmoco32.exeC:\Windows\system32\Ohmoco32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Obecld32.exeC:\Windows\system32\Obecld32.exe104⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Oddphp32.exeC:\Windows\system32\Oddphp32.exe105⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Ogbldk32.exeC:\Windows\system32\Ogbldk32.exe106⤵PID:1740
-
C:\Windows\SysWOW64\Oknhdjko.exeC:\Windows\system32\Oknhdjko.exe107⤵PID:1248
-
C:\Windows\SysWOW64\Obhpad32.exeC:\Windows\system32\Obhpad32.exe108⤵PID:2776
-
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Oiahnnji.exeC:\Windows\system32\Oiahnnji.exe110⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Okpdjjil.exeC:\Windows\system32\Okpdjjil.exe111⤵
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Onoqfehp.exeC:\Windows\system32\Onoqfehp.exe112⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe113⤵PID:2140
-
C:\Windows\SysWOW64\Oehicoom.exeC:\Windows\system32\Oehicoom.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Ockinl32.exeC:\Windows\system32\Ockinl32.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe116⤵PID:580
-
C:\Windows\SysWOW64\Ojeakfnd.exeC:\Windows\system32\Ojeakfnd.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Oqojhp32.exeC:\Windows\system32\Oqojhp32.exe118⤵
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Oekehomj.exeC:\Windows\system32\Oekehomj.exe119⤵PID:1280
-
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Pflbpg32.exeC:\Windows\system32\Pflbpg32.exe121⤵PID:2740
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-