Analysis
max time kernel: 47s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2024, 18:37
Static task: static1
Behavioral task: behavioral1
  Sample: 1840191a7478a8d8e1f8e7e63deee767210040721446228789459c3524a02c1fN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1840191a7478a8d8e1f8e7e63deee767210040721446228789459c3524a02c1fN.exe
  Resource: win10v2004-20240802-en
General
Target: 1840191a7478a8d8e1f8e7e63deee767210040721446228789459c3524a02c1fN.exe
Size: 96KB
MD5: faba5a97ed59be2a11b9aa2ca3bea4b0
SHA1: 998d83570122d5304091a7b7a733dd6463d1589c
SHA256: 1840191a7478a8d8e1f8e7e63deee767210040721446228789459c3524a02c1f
SHA512: 84041d9a4b7b3e289770949bf0f536d4086d3b3d8c9618d8a920bbb363b2f812a62714495573fe59733aaa38c51471f9d409f3b5800b815a07659a7d9d01982f
SSDEEP: 1536:kxCG1N6OS5tHuq6KDloYvGe9E7KGpuIUEw2VwNWkaoR4gvwKTs2Lk1wPPXuhiTMX:PG1Nyp6YloYvGeCVc/8wNWgCgvwyaCPi
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Entries under the ShellServiceObjectDelayLoad (SSODL) key are CLSIDs of COM objects that Explorer.exe instantiates at logon, so a DLL registered as that CLSID's in-process server is loaded into Explorer without a Run key or a service. All 64 records touch the same key, \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the 32-bit view of HKLM\SOFTWARE). Every "Set value" record writes the same value into it, Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"; the "Key created" records create or open the key itself. The DLL that this CLSID resolves to is written under the Modifies registry class signature further down.

description | Process
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfjbdn32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnekcblk.exe
Key created ShellServiceObjectDelayLoad | Bgcdcjpf.exe
Key created ShellServiceObjectDelayLoad | Dghjmlnm.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgmhcm32.exe
Key created ShellServiceObjectDelayLoad | Jckkhplq.exe
Key created ShellServiceObjectDelayLoad | Jfpndkel.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djcbib32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcnchg32.exe
Key created ShellServiceObjectDelayLoad | Npngng32.exe
Key created ShellServiceObjectDelayLoad | Cmbiap32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdloab32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Imccab32.exe
Key created ShellServiceObjectDelayLoad | Keekeg32.exe
Key created ShellServiceObjectDelayLoad | Aefhpc32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dicmlpje.exe
Key created ShellServiceObjectDelayLoad | Homfboco.exe
Key created ShellServiceObjectDelayLoad | Dfbdje32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckilmfke.exe
Key created ShellServiceObjectDelayLoad | Chdjpl32.exe
Key created ShellServiceObjectDelayLoad | Dklibf32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eakjophb.exe
Key created ShellServiceObjectDelayLoad | Qpjchicb.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgbcha32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mqoqlfkl.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfnfjmgp.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgcmiclk.exe
Key created ShellServiceObjectDelayLoad | Cjcfjoil.exe
Key created ShellServiceObjectDelayLoad | Gledgkfn.exe
Key created ShellServiceObjectDelayLoad | Ghnaaljp.exe
Key created ShellServiceObjectDelayLoad | Onfadc32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjdqfajl.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkmhij32.exe
Key created ShellServiceObjectDelayLoad | Feeilbhg.exe
Key created ShellServiceObjectDelayLoad | Qolmip32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onfadc32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijbjpg32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nqamaeii.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onggom32.exe
Key created ShellServiceObjectDelayLoad | Aahhoo32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Elbkbh32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 1840191a7478a8d8e1f8e7e63deee767210040721446228789459c3524a02c1fN.exe
Key created ShellServiceObjectDelayLoad | Ioochn32.exe
Key created ShellServiceObjectDelayLoad | Abpohb32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Alicahno.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeahjn32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppbfmdfo.exe
Key created ShellServiceObjectDelayLoad | Dqiakm32.exe
Key created ShellServiceObjectDelayLoad | Fpncbjqj.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Homfboco.exe
Key created ShellServiceObjectDelayLoad | Kkiiom32.exe
Key created ShellServiceObjectDelayLoad | Mognco32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pafpjljk.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aahhoo32.exe
Key created ShellServiceObjectDelayLoad | Dclgbgbh.exe
Key created ShellServiceObjectDelayLoad | Efllcf32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahlnmjkf.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fomndhng.exe
Key created ShellServiceObjectDelayLoad | Lgdcom32.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgdpnqfn.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnfodojp.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klocba32.exe
Key created ShellServiceObjectDelayLoad | Kejdqffo.exe
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkkfdmpq.exe
Executes dropped EXE (64 IoCs)
pid | Process
2420 | Njobpa32.exe
2284 | Ngcbie32.exe
2728 | Npngng32.exe
2776 | Onfadc32.exe
2924 | Opennf32.exe
2784 | Oebffm32.exe
1588 | Obffpa32.exe
2672 | Pegpamoo.exe
2888 | Pjchjcmf.exe
2156 | Piiekp32.exe
2968 | Pmijgn32.exe
2200 | Qpjchicb.exe
2480 | Qibhao32.exe
432 | Akfaof32.exe
2316 | Anfjpa32.exe
1472 | Ahlnmjkf.exe
2108 | Aefhpc32.exe
1864 | Bjdqfajl.exe
936 | Bhjngnod.exe
2192 | Bocfch32.exe
2504 | Bhljlnma.exe
1464 | Bbflkcao.exe
1972 | Bgcdcjpf.exe
276 | Cmbiap32.exe
3024 | Cfknjfbl.exe
1736 | Cqcomn32.exe
1580 | Dfbdje32.exe
1648 | Dicmlpje.exe
2168 | Dghjmlnm.exe
2840 | Dbmnjenb.exe
2752 | Ehopnk32.exe
2916 | Eiplecnc.exe
2644 | Epmahmcm.exe
2740 | Fkmhij32.exe
1804 | Feeilbhg.exe
2324 | Fomndhng.exe
2892 | Fhfbmn32.exe
2860 | Gcapckod.exe
2408 | Gljdlq32.exe
1308 | Geeekf32.exe
1048 | Gegbpe32.exe
3000 | Hnbgdh32.exe
2444 | Hdloab32.exe
1668 | Hgmhcm32.exe
1980 | Hdailaib.exe
2384 | Hgbanlfc.exe
2248 | Homfboco.exe
1396 | Ijbjpg32.exe
2372 | Ioochn32.exe
1488 | Imccab32.exe
1728 | Ibplji32.exe
2236 | Ieohfemq.exe
2232 | Ingmoj32.exe
2180 | Igoagpja.exe
2628 | Ibeeeijg.exe
2956 | Ikmjnnah.exe
1252 | Jajbfeop.exe
2328 | Jkpfcnoe.exe
2680 | Jckkhplq.exe
3068 | Jnppei32.exe
364 | Jgidnobg.exe
1696 | Jaahgd32.exe
2428 | Jbbenlof.exe
684 | Jilmkffb.exe
Loads dropped DLL (64 IoCs)
pid | Process (each pid/process pair is listed twice in the source, 32 pairs in all)
2016 | 1840191a7478a8d8e1f8e7e63deee767210040721446228789459c3524a02c1fN.exe
2420 | Njobpa32.exe
2284 | Ngcbie32.exe
2728 | Npngng32.exe
2776 | Onfadc32.exe
2924 | Opennf32.exe
2784 | Oebffm32.exe
1588 | Obffpa32.exe
2672 | Pegpamoo.exe
2888 | Pjchjcmf.exe
2156 | Piiekp32.exe
2968 | Pmijgn32.exe
2200 | Qpjchicb.exe
2480 | Qibhao32.exe
432 | Akfaof32.exe
2316 | Anfjpa32.exe
1472 | Ahlnmjkf.exe
2108 | Aefhpc32.exe
1864 | Bjdqfajl.exe
936 | Bhjngnod.exe
2192 | Bocfch32.exe
2504 | Bhljlnma.exe
1464 | Bbflkcao.exe
1972 | Bgcdcjpf.exe
276 | Cmbiap32.exe
3024 | Cfknjfbl.exe
1736 | Cqcomn32.exe
1580 | Dfbdje32.exe
1648 | Dicmlpje.exe
2168 | Dghjmlnm.exe
2840 | Dbmnjenb.exe
2752 | Ehopnk32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Qibhao32.exe | Qpjchicb.exe
File opened for modification | C:\Windows\SysWOW64\Jaahgd32.exe | Jgidnobg.exe
File opened for modification | C:\Windows\SysWOW64\Kejdqffo.exe | Kjdpcnfi.exe
File opened for modification | C:\Windows\SysWOW64\Bdknfiea.exe | Bonenbgj.exe
File created | C:\Windows\SysWOW64\Gmgejpfh.dll | Efllcf32.exe
File opened for modification | C:\Windows\SysWOW64\Cjcfjoil.exe | Chdjpl32.exe
File created | C:\Windows\SysWOW64\Dqiakm32.exe | Dklibf32.exe
File created | C:\Windows\SysWOW64\Jceahq32.dll | 1840191a7478a8d8e1f8e7e63deee767210040721446228789459c3524a02c1fN.exe
File opened for modification | C:\Windows\SysWOW64\Eiplecnc.exe | Ehopnk32.exe
File opened for modification | C:\Windows\SysWOW64\Bjlpjp32.exe | Bpdkajic.exe
File opened for modification | C:\Windows\SysWOW64\Dklibf32.exe | Cqfdem32.exe
File created | C:\Windows\SysWOW64\Glclampi.dll | Dqiakm32.exe
File created | C:\Windows\SysWOW64\Anfjpa32.exe | Akfaof32.exe
File created | C:\Windows\SysWOW64\Bcdbiikn.dll | Akfaof32.exe
File created | C:\Windows\SysWOW64\Lpfagd32.exe | Kkiiom32.exe
File created | C:\Windows\SysWOW64\Llalgdbj.exe | Lgdcom32.exe
File created | C:\Windows\SysWOW64\Plongokk.dll | Mgdpnqfn.exe
File created | C:\Windows\SysWOW64\Amaiklki.exe | Qfganb32.exe
File opened for modification | C:\Windows\SysWOW64\Bonenbgj.exe | Bhdmahpn.exe
File created | C:\Windows\SysWOW64\Glhkoaij.dll | Bcedbefd.exe
File created | C:\Windows\SysWOW64\Epmahmcm.exe | Eiplecnc.exe
File opened for modification | C:\Windows\SysWOW64\Ibplji32.exe | Imccab32.exe
File created | C:\Windows\SysWOW64\Ieeidi32.dll | Moikinib.exe
File created | C:\Windows\SysWOW64\Kkooeblb.dll | Qfedhb32.exe
File created | C:\Windows\SysWOW64\Fhlhmi32.exe | Efllcf32.exe
File created | C:\Windows\SysWOW64\Ehhejkik.dll | Bgcdcjpf.exe
File created | C:\Windows\SysWOW64\Klpdie32.dll | Keekeg32.exe
File created | C:\Windows\SysWOW64\Kgmobc32.dll | Laqadknn.exe
File opened for modification | C:\Windows\SysWOW64\Mgbcha32.exe | Mognco32.exe
File created | C:\Windows\SysWOW64\Bglghdbc.exe | Bpbokj32.exe
File opened for modification | C:\Windows\SysWOW64\Ckilmfke.exe | Cnekcblk.exe
File opened for modification | C:\Windows\SysWOW64\Gledgkfn.exe | Fpncbjqj.exe
File created | C:\Windows\SysWOW64\Lkajof32.dll | Gegbpe32.exe
File opened for modification | C:\Windows\SysWOW64\Hdloab32.exe | Hnbgdh32.exe
File created | C:\Windows\SysWOW64\Njmlqd32.dll | Onggom32.exe
File opened for modification | C:\Windows\SysWOW64\Fplgljbm.exe | Fmmjpoci.exe
File opened for modification | C:\Windows\SysWOW64\Oebffm32.exe | Opennf32.exe
File created | C:\Windows\SysWOW64\Opmaii32.dll | Hgmhcm32.exe
File created | C:\Windows\SysWOW64\Jckkhplq.exe | Jkpfcnoe.exe
File created | C:\Windows\SysWOW64\Gchligab.dll | Lpfagd32.exe
File opened for modification | C:\Windows\SysWOW64\Mgglcqdk.exe | Majdkifd.exe
File created | C:\Windows\SysWOW64\Cjcfjoil.exe | Chdjpl32.exe
File created | C:\Windows\SysWOW64\Dcnchg32.exe | Dclgbgbh.exe
File created | C:\Windows\SysWOW64\Aeahjn32.exe | Alicahno.exe
File created | C:\Windows\SysWOW64\Ghnaaljp.exe | Gmhmdc32.exe
File created | C:\Windows\SysWOW64\Cfknjfbl.exe | Cmbiap32.exe
File created | C:\Windows\SysWOW64\Moncom32.dll | Alkpgh32.exe
File created | C:\Windows\SysWOW64\Icqieocn.dll | Jnppei32.exe
File opened for modification | C:\Windows\SysWOW64\Meojkide.exe | Mkiemqdo.exe
File created | C:\Windows\SysWOW64\Dceehbdo.dll | Dklibf32.exe
File created | C:\Windows\SysWOW64\Ioochn32.exe | Ijbjpg32.exe
File created | C:\Windows\SysWOW64\Hhdflg32.dll | Imccab32.exe
File created | C:\Windows\SysWOW64\Meojkide.exe | Mkiemqdo.exe
File created | C:\Windows\SysWOW64\Qmdfjmdc.dll | Alicahno.exe
File created | C:\Windows\SysWOW64\Pidggp32.dll | Bjomoo32.exe
File created | C:\Windows\SysWOW64\Bcnllf32.dll | Dkihli32.exe
File created | C:\Windows\SysWOW64\Ahlnmjkf.exe | Anfjpa32.exe
File created | C:\Windows\SysWOW64\Pkegca32.dll | Bbflkcao.exe
File created | C:\Windows\SysWOW64\Cqcomn32.exe | Cfknjfbl.exe
File created | C:\Windows\SysWOW64\Gmmpehpj.dll | Mqoqlfkl.exe
File created | C:\Windows\SysWOW64\Cmbiap32.exe | Bgcdcjpf.exe
File created | C:\Windows\SysWOW64\Lmcceiaj.dll | Cfknjfbl.exe
File created | C:\Windows\SysWOW64\Dicmlpje.exe | Dfbdje32.exe
File created | C:\Windows\SysWOW64\Igoagpja.exe | Ingmoj32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2772 | 2096 | WerFault.exe | 196
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 64 records are the same operation, Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, performed by the following processes:
Cqfdem32.exe, Dclgbgbh.exe, Akfaof32.exe, Fomndhng.exe, Jilmkffb.exe, Lkkfdmpq.exe, Nmmgafjh.exe, Eakjophb.exe, Majdkifd.exe, Amaiklki.exe, Bjlpjp32.exe, Onfadc32.exe, Aefhpc32.exe, Bhljlnma.exe, Hgmhcm32.exe, Ingmoj32.exe,
Cnekcblk.exe, Enokidgl.exe, Qibhao32.exe, Mognco32.exe, Nqamaeii.exe, Pmmppm32.exe, Aahhoo32.exe, Jaahgd32.exe, Dklibf32.exe, Ahlnmjkf.exe, Cmbiap32.exe, Gegbpe32.exe, Imccab32.exe, Jnppei32.exe, Bbflkcao.exe, Dfbdje32.exe,
Jgidnobg.exe, Lgbfin32.exe, Fplgljbm.exe, Phphgf32.exe, Cjcfjoil.exe, Bgcdcjpf.exe, Dghjmlnm.exe, Fhfbmn32.exe, Nfnfjmgp.exe, Pligbekc.exe, Ngcbie32.exe, Gcapckod.exe, Bonenbgj.exe, Fadmenpg.exe, Pmijgn32.exe, Ehopnk32.exe,
Gledgkfn.exe, Colegflh.exe, Ddfjak32.exe, Pegpamoo.exe, Dicmlpje.exe, Hnbgdh32.exe, Hdloab32.exe, Bpbokj32.exe, Bhdmahpn.exe, Piiekp32.exe, Cqcomn32.exe, Ibeeeijg.exe, Jckkhplq.exe, Jfpndkel.exe, 1840191a7478a8d8e1f8e7e63deee767210040721446228789459c3524a02c1fN.exe, Kldlmqml.exe
Modifies registry class (64 IoCs)
All 64 records are under the one CLSID key \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32. Three kinds of record appear: the key is created, its ThreadingModel value is set to "Apartment", and its (default) value (written by the report as InProcServer32\ = "...") is set to the path of the in-process server DLL. Paths are shown with the report's escaped backslashes.

description | Process
Set value (str) ThreadingModel = "Apartment" | Pacbel32.exe
Key created InProcServer32 | Hgmhcm32.exe
Key created InProcServer32 | Nmmgafjh.exe
Set value (str) ThreadingModel = "Apartment" | Hgbanlfc.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Jfajgn32.dll" | Mognco32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Hgnoehoj.dll" | Almmlg32.exe
Set value (str) ThreadingModel = "Apartment" | Bbflkcao.exe
Set value (str) ThreadingModel = "Apartment" | Fomndhng.exe
Set value (str) ThreadingModel = "Apartment" | Hnbgdh32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Glclampi.dll" | Dqiakm32.exe
Key created InProcServer32 | Npngng32.exe
Set value (str) ThreadingModel = "Apartment" | Pmijgn32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Kgeahmik.dll" | Gcapckod.exe
Key created InProcServer32 | Ingmoj32.exe
Set value (str) ThreadingModel = "Apartment" | Njobpa32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Gbgbmipo.dll" | Ghnaaljp.exe
Set value (str) ThreadingModel = "Apartment" | Majdkifd.exe
Key created InProcServer32 | Nmkklflj.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Aneogc32.dll" | Flnnfllf.exe
Key created InProcServer32 | 1840191a7478a8d8e1f8e7e63deee767210040721446228789459c3524a02c1fN.exe
Set value (str) ThreadingModel = "Apartment" | Nfnfjmgp.exe
Set value (str) ThreadingModel = "Apartment" | Nmkklflj.exe
Set value (str) ThreadingModel = "Apartment" | Pfjbdn32.exe
Set value (str) ThreadingModel = "Apartment" | Gegbpe32.exe
Key created InProcServer32 | Fadmenpg.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Kbnnhm32.dll" | Lgdcom32.exe
Set value (str) ThreadingModel = "Apartment" | Ehopnk32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Mqlpph32.dll" | Pacbel32.exe
Key created InProcServer32 | Qfganb32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Bdgplhji.dll" | Djaedbnj.exe
Key created InProcServer32 | Gaffja32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Degdgl32.dll" | Piiekp32.exe
Set value (str) ThreadingModel = "Apartment" | Cfknjfbl.exe
Key created InProcServer32 | Gljdlq32.exe
Key created InProcServer32 | Moikinib.exe
Key created InProcServer32 | Nbgcdmjb.exe
Key created InProcServer32 | Cdmgkl32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Hlejbj32.dll" | Fplgljbm.exe
Set value (str) ThreadingModel = "Apartment" | Bgcdcjpf.exe
Set value (str) ThreadingModel = "Apartment" | Ibeeeijg.exe
Set value (str) ThreadingModel = "Apartment" | Jbbenlof.exe
Set value (str) ThreadingModel = "Apartment" | Amcfpl32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Jfffhk32.dll" | Fomndhng.exe
Key created InProcServer32 | Bcedbefd.exe
Key created InProcServer32 | Dicmlpje.exe
Set value (str) ThreadingModel = "Apartment" | Bhljlnma.exe
Key created InProcServer32 | Cfknjfbl.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Jmhbncoj.dll" | Hnbgdh32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Gachcl32.dll" | Ioochn32.exe
Set value (str) ThreadingModel = "Apartment" | Ibplji32.exe
Key created InProcServer32 | Nqamaeii.exe
Set value (str) ThreadingModel = "Apartment" | Pafpjljk.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Iggkphll.dll" | Ahlnmjkf.exe
Set value (str) ThreadingModel = "Apartment" | Bnfodojp.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Ajmdmpmb.dll" | Bhdmahpn.exe
Set value (str) ThreadingModel = "Apartment" | Fkmhij32.exe
Key created InProcServer32 | Ijbjpg32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Iijlqlam.dll" | Fadmenpg.exe
Set value (str) ThreadingModel = "Apartment" | Gledgkfn.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Lmcceiaj.dll" | Cfknjfbl.exe
Key created InProcServer32 | Hdailaib.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Opnpnj32.dll" | Nqdjge32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Andgadch.dll" | Fmmjpoci.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Calonbcf.dll" | Bocfch32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\1840191a7478a8d8e1f8e7e63deee767210040721446228789459c3524a02c1fN.exe (PID 2016; command line: "C:\Users\Admin\AppData\Local\Temp\1840191a7478a8d8e1f8e7e63deee767210040721446228789459c3524a02c1fN.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Njobpa32.exe (PID 2420; command line: C:\Windows\system32\Njobpa32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Ngcbie32.exe (PID 2284; command line: C:\Windows\system32\Ngcbie32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Npngng32.exe (PID 2728; command line: C:\Windows\system32\Npngng32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Onfadc32.exe (PID 2776; command line: C:\Windows\system32\Onfadc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Opennf32.exe (PID 2924; command line: C:\Windows\system32\Opennf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Oebffm32.exe (PID 2784; command line: C:\Windows\system32\Oebffm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Obffpa32.exe (PID 1588; command line: C:\Windows\system32\Obffpa32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Pegpamoo.exe (PID 2672; command line: C:\Windows\system32\Pegpamoo.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Pjchjcmf.exe (PID 2888; command line: C:\Windows\system32\Pjchjcmf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Piiekp32.exe (PID 2156; command line: C:\Windows\system32\Piiekp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Pmijgn32.exe (PID 2968; command line: C:\Windows\system32\Pmijgn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Qpjchicb.exe (PID 2200; command line: C:\Windows\system32\Qpjchicb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Qibhao32.exe (PID 2480; command line: C:\Windows\system32\Qibhao32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Akfaof32.exe (PID 432; command line: C:\Windows\system32\Akfaof32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Anfjpa32.exe (PID 2316; command line: C:\Windows\system32\Anfjpa32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ahlnmjkf.exe (PID 1472; command line: C:\Windows\system32\Ahlnmjkf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
18. C:\Windows\SysWOW64\Aefhpc32.exe (PID 2108; command line: C:\Windows\system32\Aefhpc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
19. C:\Windows\SysWOW64\Bjdqfajl.exe (PID 1864; command line: C:\Windows\system32\Bjdqfajl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Bhjngnod.exe (PID 936; command line: C:\Windows\system32\Bhjngnod.exe)
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Bocfch32.exe (PID 2192; command line: C:\Windows\system32\Bocfch32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
22. C:\Windows\SysWOW64\Bhljlnma.exe (PID 2504; command line: C:\Windows\system32\Bhljlnma.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
23. C:\Windows\SysWOW64\Bbflkcao.exe (PID 1464; command line: C:\Windows\system32\Bbflkcao.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
24. C:\Windows\SysWOW64\Bgcdcjpf.exe (PID 1972; command line: C:\Windows\system32\Bgcdcjpf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
25. C:\Windows\SysWOW64\Cmbiap32.exe (PID 276; command line: C:\Windows\system32\Cmbiap32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
26. C:\Windows\SysWOW64\Cfknjfbl.exe (PID 3024; command line: C:\Windows\system32\Cfknjfbl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
27. C:\Windows\SysWOW64\Cqcomn32.exe (PID 1736; command line: C:\Windows\system32\Cqcomn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
28. C:\Windows\SysWOW64\Dfbdje32.exe (PID 1580; command line: C:\Windows\system32\Dfbdje32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
29. C:\Windows\SysWOW64\Dicmlpje.exe (PID 1648; command line: C:\Windows\system32\Dicmlpje.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
30. C:\Windows\SysWOW64\Dghjmlnm.exe (PID 2168; command line: C:\Windows\system32\Dghjmlnm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
31. C:\Windows\SysWOW64\Dbmnjenb.exe (PID 2840; command line: C:\Windows\system32\Dbmnjenb.exe)
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Ehopnk32.exe (PID 2752; command line: C:\Windows\system32\Ehopnk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
33. C:\Windows\SysWOW64\Eiplecnc.exe (PID 2916; command line: C:\Windows\system32\Eiplecnc.exe)
- Executes dropped EXE
- Drops file in System32 directory
34. C:\Windows\SysWOW64\Epmahmcm.exe (PID 2644; command line: C:\Windows\system32\Epmahmcm.exe)
- Executes dropped EXE
35. C:\Windows\SysWOW64\Fkmhij32.exe (PID 2740; command line: C:\Windows\system32\Fkmhij32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
36. C:\Windows\SysWOW64\Feeilbhg.exe (PID 1804; command line: C:\Windows\system32\Feeilbhg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
37. C:\Windows\SysWOW64\Fomndhng.exe (PID 2324; command line: C:\Windows\system32\Fomndhng.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
38. C:\Windows\SysWOW64\Fhfbmn32.exe (PID 2892; command line: C:\Windows\system32\Fhfbmn32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
39. C:\Windows\SysWOW64\Gcapckod.exe (PID 2860; command line: C:\Windows\system32\Gcapckod.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
40. C:\Windows\SysWOW64\Gljdlq32.exe (PID 2408; command line: C:\Windows\system32\Gljdlq32.exe)
- Executes dropped EXE
- Modifies registry class
41. C:\Windows\SysWOW64\Geeekf32.exe (PID 1308; command line: C:\Windows\system32\Geeekf32.exe)
- Executes dropped EXE
42. C:\Windows\SysWOW64\Gegbpe32.exe (PID 1048; command line: C:\Windows\system32\Gegbpe32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
43. C:\Windows\SysWOW64\Hnbgdh32.exe (PID 3000; command line: C:\Windows\system32\Hnbgdh32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
44. C:\Windows\SysWOW64\Hdloab32.exe (PID 2444; command line: C:\Windows\system32\Hdloab32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
45. C:\Windows\SysWOW64\Hgmhcm32.exe (PID 1668; command line: C:\Windows\system32\Hgmhcm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
46. C:\Windows\SysWOW64\Hdailaib.exe (PID 1980; command line: C:\Windows\system32\Hdailaib.exe)
- Executes dropped EXE
- Modifies registry class
47. C:\Windows\SysWOW64\Hgbanlfc.exe (PID 2384; command line: C:\Windows\system32\Hgbanlfc.exe)
- Executes dropped EXE
- Modifies registry class
48. C:\Windows\SysWOW64\Homfboco.exe (PID 2248; command line: C:\Windows\system32\Homfboco.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
49. C:\Windows\SysWOW64\Ijbjpg32.exe (PID 1396; command line: C:\Windows\system32\Ijbjpg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
50. C:\Windows\SysWOW64\Ioochn32.exe (PID 2372; command line: C:\Windows\system32\Ioochn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
51. C:\Windows\SysWOW64\Imccab32.exe (PID 1488; command line: C:\Windows\system32\Imccab32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
52. C:\Windows\SysWOW64\Ibplji32.exe (PID 1728; command line: C:\Windows\system32\Ibplji32.exe)
- Executes dropped EXE
- Modifies registry class
53. C:\Windows\SysWOW64\Ieohfemq.exe (PID 2236; command line: C:\Windows\system32\Ieohfemq.exe)
- Executes dropped EXE
54. C:\Windows\SysWOW64\Ingmoj32.exe (PID 2232; command line: C:\Windows\system32\Ingmoj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
55. C:\Windows\SysWOW64\Igoagpja.exe (PID 2180; command line: C:\Windows\system32\Igoagpja.exe)
- Executes dropped EXE
56. C:\Windows\SysWOW64\Ibeeeijg.exe (PID 2628; command line: C:\Windows\system32\Ibeeeijg.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
57. C:\Windows\SysWOW64\Ikmjnnah.exe (PID 2956; command line: C:\Windows\system32\Ikmjnnah.exe)
- Executes dropped EXE
58. C:\Windows\SysWOW64\Jajbfeop.exe (PID 1252; command line: C:\Windows\system32\Jajbfeop.exe)
- Executes dropped EXE
59. C:\Windows\SysWOW64\Jkpfcnoe.exe (PID 2328; command line: C:\Windows\system32\Jkpfcnoe.exe)
- Executes dropped EXE
- Drops file in System32 directory
60. C:\Windows\SysWOW64\Jckkhplq.exe (PID 2680; command line: C:\Windows\system32\Jckkhplq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
61. C:\Windows\SysWOW64\Jnppei32.exe (PID 3068; command line: C:\Windows\system32\Jnppei32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
62. C:\Windows\SysWOW64\Jgidnobg.exe (PID 364; command line: C:\Windows\system32\Jgidnobg.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
63. C:\Windows\SysWOW64\Jaahgd32.exe (PID 1696; command line: C:\Windows\system32\Jaahgd32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
64. C:\Windows\SysWOW64\Jbbenlof.exe (PID 2428; command line: C:\Windows\system32\Jbbenlof.exe)
- Executes dropped EXE
- Modifies registry class
65. C:\Windows\SysWOW64\Jilmkffb.exe (PID 684; command line: C:\Windows\system32\Jilmkffb.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
66. C:\Windows\SysWOW64\Jfpndkel.exe (PID 2116; command line: C:\Windows\system32\Jfpndkel.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
67. C:\Windows\SysWOW64\Keekeg32.exe (PID 1036; command line: C:\Windows\system32\Keekeg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
68. C:\Windows\SysWOW64\Klocba32.exe (PID 1692; command line: C:\Windows\system32\Klocba32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Kehgkgha.exe (PID 952; command line: C:\Windows\system32\Kehgkgha.exe)
70. C:\Windows\SysWOW64\Kjdpcnfi.exe (PID 2340; command line: C:\Windows\system32\Kjdpcnfi.exe)
- Drops file in System32 directory
71. C:\Windows\SysWOW64\Kejdqffo.exe (PID 788; command line: C:\Windows\system32\Kejdqffo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
72. C:\Windows\SysWOW64\Kldlmqml.exe (PID 2212; command line: C:\Windows\system32\Kldlmqml.exe)
- System Location Discovery: System Language Discovery
73. C:\Windows\SysWOW64\Kelqff32.exe (PID 1556; command line: C:\Windows\system32\Kelqff32.exe)
74. C:\Windows\SysWOW64\Kkiiom32.exe (PID 2336; command line: C:\Windows\system32\Kkiiom32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
75. C:\Windows\SysWOW64\Lpfagd32.exe (PID 2852; command line: C:\Windows\system32\Lpfagd32.exe)
- Drops file in System32 directory
76. C:\Windows\SysWOW64\Lkkfdmpq.exe (PID 928; command line: C:\Windows\system32\Lkkfdmpq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
77. C:\Windows\SysWOW64\Lgbfin32.exe (PID 2684; command line: C:\Windows\system32\Lgbfin32.exe)
- System Location Discovery: System Language Discovery
78. C:\Windows\SysWOW64\Lgdcom32.exe (PID 1240; command line: C:\Windows\system32\Lgdcom32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
79. C:\Windows\SysWOW64\Llalgdbj.exe (PID 2856; command line: C:\Windows\system32\Llalgdbj.exe)
80. C:\Windows\SysWOW64\Lejppj32.exe (PID 2952; command line: C:\Windows\system32\Lejppj32.exe)
81. C:\Windows\SysWOW64\Laqadknn.exe (PID 2160; command line: C:\Windows\system32\Laqadknn.exe)
- Drops file in System32 directory
82. C:\Windows\SysWOW64\Mkiemqdo.exe (PID 1820; command line: C:\Windows\system32\Mkiemqdo.exe)
- Drops file in System32 directory
83. C:\Windows\SysWOW64\Meojkide.exe (PID 2136; command line: C:\Windows\system32\Meojkide.exe)
84. C:\Windows\SysWOW64\Mognco32.exe (PID 1688; command line: C:\Windows\system32\Mognco32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
85. C:\Windows\SysWOW64\Mgbcha32.exe (PID 2080; command line: C:\Windows\system32\Mgbcha32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Moikinib.exe (PID 1264; command line: C:\Windows\system32\Moikinib.exe)
- Drops file in System32 directory
- Modifies registry class
87. C:\Windows\SysWOW64\Mgdpnqfn.exe (PID 2308; command line: C:\Windows\system32\Mgdpnqfn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
88. C:\Windows\SysWOW64\Majdkifd.exe (PID 2396; command line: C:\Windows\system32\Majdkifd.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
89. C:\Windows\SysWOW64\Mgglcqdk.exe (PID 2980; command line: C:\Windows\system32\Mgglcqdk.exe)
90. C:\Windows\SysWOW64\Mqoqlfkl.exe (PID 1652; command line: C:\Windows\system32\Mqoqlfkl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
91. C:\Windows\SysWOW64\Nncaejie.exe (PID 2764; command line: C:\Windows\system32\Nncaejie.exe)
92. C:\Windows\SysWOW64\Nqamaeii.exe (PID 2756; command line: C:\Windows\system32\Nqamaeii.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
93. C:\Windows\SysWOW64\Nfnfjmgp.exe (PID 2620; command line: C:\Windows\system32\Nfnfjmgp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
94. C:\Windows\SysWOW64\Nqdjge32.exe (PID 676; command line: C:\Windows\system32\Nqdjge32.exe)
- Modifies registry class
95. C:\Windows\SysWOW64\Nmkklflj.exe (PID 2600; command line: C:\Windows\system32\Nmkklflj.exe)
- Modifies registry class
96. C:\Windows\SysWOW64\Nbgcdmjb.exe (PID 1044; command line: C:\Windows\system32\Nbgcdmjb.exe)
- Modifies registry class
97. C:\Windows\SysWOW64\Nmmgafjh.exe (PID 1100; command line: C:\Windows\system32\Nmmgafjh.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
98. C:\Windows\SysWOW64\Onggom32.exe (PID 580; command line: C:\Windows\system32\Onggom32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
99. C:\Windows\SysWOW64\Ommdqi32.exe (PID 744; command line: C:\Windows\system32\Ommdqi32.exe)
100. C:\Windows\SysWOW64\Pppihdha.exe (PID 1664; command line: C:\Windows\system32\Pppihdha.exe)
101. C:\Windows\SysWOW64\Pfjbdn32.exe (PID 1780; command line: C:\Windows\system32\Pfjbdn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
102. C:\Windows\SysWOW64\Ppbfmdfo.exe (PID 2552; command line: C:\Windows\system32\Ppbfmdfo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Pacbel32.exe (PID 1584; command line: C:\Windows\system32\Pacbel32.exe)
- Modifies registry class
104. C:\Windows\SysWOW64\Pligbekc.exe (PID 2928; command line: C:\Windows\system32\Pligbekc.exe)
- System Location Discovery: System Language Discovery
105. C:\Windows\SysWOW64\Pafpjljk.exe (PID 2808; command line: C:\Windows\system32\Pafpjljk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
106. C:\Windows\SysWOW64\Phphgf32.exe (PID 2812; command line: C:\Windows\system32\Phphgf32.exe)
- System Location Discovery: System Language Discovery
107. C:\Windows\SysWOW64\Pmmppm32.exe (PID 2264; command line: C:\Windows\system32\Pmmppm32.exe)
- System Location Discovery: System Language Discovery
108. C:\Windows\SysWOW64\Qfedhb32.exe (PID 2876; command line: C:\Windows\system32\Qfedhb32.exe)
- Drops file in System32 directory
109. C:\Windows\SysWOW64\Qolmip32.exe (PID 556; command line: C:\Windows\system32\Qolmip32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
110. C:\Windows\SysWOW64\Qpmiahlp.exe (PID 1300; command line: C:\Windows\system32\Qpmiahlp.exe)
111. C:\Windows\SysWOW64\Qfganb32.exe (PID 1724; command line: C:\Windows\system32\Qfganb32.exe)
- Drops file in System32 directory
- Modifies registry class
112. C:\Windows\SysWOW64\Amaiklki.exe (PID 996; command line: C:\Windows\system32\Amaiklki.exe)
- System Location Discovery: System Language Discovery
113. C:\Windows\SysWOW64\Adkbgf32.exe (PID 2224; command line: C:\Windows\system32\Adkbgf32.exe)
114. C:\Windows\SysWOW64\Amcfpl32.exe (PID 1628; command line: C:\Windows\system32\Amcfpl32.exe)
- Modifies registry class
115. C:\Windows\SysWOW64\Abpohb32.exe (PID 1764; command line: C:\Windows\system32\Abpohb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Alicahno.exe (PID 2072; command line: C:\Windows\system32\Alicahno.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
117. C:\Windows\SysWOW64\Aeahjn32.exe (PID 2208; command line: C:\Windows\system32\Aeahjn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Alkpgh32.exe (PID 2368; command line: C:\Windows\system32\Alkpgh32.exe)
- Drops file in System32 directory
119. C:\Windows\SysWOW64\Aahhoo32.exe (PID 2304; command line: C:\Windows\system32\Aahhoo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
120. C:\Windows\SysWOW64\Almmlg32.exe (PID 1520; command line: C:\Windows\system32\Almmlg32.exe)
- Modifies registry class
121. C:\Windows\SysWOW64\Aajedn32.exe (PID 760; command line: C:\Windows\system32\Aajedn32.exe)
122. C:\Windows\SysWOW64\Bhdmahpn.exe (PID 2716; command line: C:\Windows\system32\Bhdmahpn.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class