Analysis
-
max time kernel
114s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/09/2024, 07:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9N.exe
-
Size
439KB
-
MD5
f3e446a6718f04b71018d18e4037f530
-
SHA1
1d5e751c0a853f9520990b7249265e284cd7fe3a
-
SHA256
152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9
-
SHA512
eece422131bb83935a85a7309e48c78a032535b7ea171dbd538367a76cc07e7cb02dced4dcf9a4c71b5be0f58d704fc3455cf69ffdf2b1ae97555950927b272d
-
SSDEEP
12288:tk+PPeKm2OPeKm22Vtp90NtmVtp90NtXONt:zpEkpEY
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhcebj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afndjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cobhdhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhogaamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqbeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikoehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmlnjcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajkbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcehg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeoeplfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnlpaln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbedkhie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjfjcdln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcchgini.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdcdfmqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllakpdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjddnjdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdogldmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bneancnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbijcgbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcbjni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmcfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfoeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemhjlha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjfjcdln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikoehj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjfhkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phgannal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbnec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bodhjdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbbiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnflae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdkebolm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakhkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Effhic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onldqejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clkicbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmnlhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feobac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbbbjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohjkcile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpiacp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkelme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcchgini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidbifmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogddhmdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhfajia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kolhdbjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doijcjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iofhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khcbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kckhdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbplciof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncolfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmqffonj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alaccj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljgkom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebofcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabhdefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnodgbed.exe -
Executes dropped EXE 64 IoCs
pid Process 2632 Kjbclamj.exe 3052 Kckhdg32.exe 2716 Lajkbp32.exe 2656 Lmalgq32.exe 2544 Mokkegmm.exe 1324 Mlolnllf.exe 2224 Nknkeg32.exe 1640 Nnodgbed.exe 1420 Onldqejb.exe 2392 Ojceef32.exe 1968 Phgannal.exe 760 Qifnhaho.exe 3004 Adgein32.exe 2936 Ablbjj32.exe 2916 Cncolfcl.exe 968 Cnflae32.exe 1476 Clkicbfa.exe 2068 Djoeki32.exe 1976 Eikimeff.exe 756 Ebcmfj32.exe 2352 Fbhfajia.exe 2288 Fjfhkl32.exe 1944 Gfoeel32.exe 2436 Gampaipe.exe 1580 Hememgdi.exe 2500 Hafbghhj.exe 2708 Hnmcli32.exe 1688 Ijimli32.exe 2696 Ihnjmf32.exe 2968 Inmpklpj.exe 3064 Jbfkeo32.exe 1236 Jbhhkn32.exe 2908 Kmnlhg32.exe 1252 Kolhdbjh.exe 2404 Llcehg32.exe 1452 Lpanne32.exe 1904 Mohhea32.exe 2052 Ncdpdcfh.exe 2236 Ncfmjc32.exe 2328 Nhcebj32.exe 2268 Negeln32.exe 924 Nanfqo32.exe 1960 Noagjc32.exe 1592 Ohjkcile.exe 1792 Oqepgk32.exe 2060 Onipqp32.exe 2272 Ofdeeb32.exe 1120 Ogdaod32.exe 880 Oqlfhjch.exe 2764 Pmcgmkil.exe 2880 Pfkkeq32.exe 864 Pfnhkq32.exe 2492 Pkjqcg32.exe 2612 Pgaahh32.exe 2900 Peeabm32.exe 1628 Pmqffonj.exe 2816 Qjdgpcmd.exe 2560 Qpaohjkk.exe 1964 Afndjdpe.exe 1036 Aljmbknm.exe 768 Afbnec32.exe 1140 Alofnj32.exe 2948 Alaccj32.exe 2256 Admgglep.exe -
Loads dropped DLL 64 IoCs
pid Process 2700 152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9N.exe 2700 152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9N.exe 2632 Kjbclamj.exe 2632 Kjbclamj.exe 3052 Kckhdg32.exe 3052 Kckhdg32.exe 2716 Lajkbp32.exe 2716 Lajkbp32.exe 2656 Lmalgq32.exe 2656 Lmalgq32.exe 2544 Mokkegmm.exe 2544 Mokkegmm.exe 1324 Mlolnllf.exe 1324 Mlolnllf.exe 2224 Nknkeg32.exe 2224 Nknkeg32.exe 1640 Nnodgbed.exe 1640 Nnodgbed.exe 1420 Onldqejb.exe 1420 Onldqejb.exe 2392 Ojceef32.exe 2392 Ojceef32.exe 1968 Phgannal.exe 1968 Phgannal.exe 760 Qifnhaho.exe 760 Qifnhaho.exe 3004 Adgein32.exe 3004 Adgein32.exe 2936 Ablbjj32.exe 2936 Ablbjj32.exe 2916 Cncolfcl.exe 2916 Cncolfcl.exe 968 Cnflae32.exe 968 Cnflae32.exe 1476 Clkicbfa.exe 1476 Clkicbfa.exe 2068 Djoeki32.exe 2068 Djoeki32.exe 1976 Eikimeff.exe 1976 Eikimeff.exe 756 Ebcmfj32.exe 756 Ebcmfj32.exe 2352 Fbhfajia.exe 2352 Fbhfajia.exe 2288 Fjfhkl32.exe 2288 Fjfhkl32.exe 1944 Gfoeel32.exe 1944 Gfoeel32.exe 2436 Gampaipe.exe 2436 Gampaipe.exe 1580 Hememgdi.exe 1580 Hememgdi.exe 2500 Hafbghhj.exe 2500 Hafbghhj.exe 2708 Hnmcli32.exe 2708 Hnmcli32.exe 1688 Ijimli32.exe 1688 Ijimli32.exe 2696 Ihnjmf32.exe 2696 Ihnjmf32.exe 2968 Inmpklpj.exe 2968 Inmpklpj.exe 3064 Jbfkeo32.exe 3064 Jbfkeo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cobhdhha.exe Cbkgog32.exe File created C:\Windows\SysWOW64\Hpeplh32.dll Iloilcci.exe File opened for modification C:\Windows\SysWOW64\Kbeqjl32.exe Kbcddlnd.exe File created C:\Windows\SysWOW64\Lffohikd.exe Liboodmk.exe File created C:\Windows\SysWOW64\Nilacmgb.dll Peeabm32.exe File opened for modification C:\Windows\SysWOW64\Ipfkabpg.exe Icbkhnan.exe File created C:\Windows\SysWOW64\Hibidc32.exe Hpjeknfi.exe File created C:\Windows\SysWOW64\Gpafgp32.exe Gdkebolm.exe File created C:\Windows\SysWOW64\Jbedkhie.exe Jngkdj32.exe File created C:\Windows\SysWOW64\Anfeop32.exe Qqbeel32.exe File opened for modification C:\Windows\SysWOW64\Eikimeff.exe Djoeki32.exe File opened for modification C:\Windows\SysWOW64\Afndjdpe.exe Qpaohjkk.exe File opened for modification C:\Windows\SysWOW64\Doijcjde.exe Dcbjni32.exe File opened for modification C:\Windows\SysWOW64\Feobac32.exe Efpbih32.exe File created C:\Windows\SysWOW64\Jcocgkbp.exe Jcmgal32.exe File created C:\Windows\SysWOW64\Fjigapme.dll Ogdaod32.exe File opened for modification C:\Windows\SysWOW64\Lpiacp32.exe Kbeqjl32.exe File created C:\Windows\SysWOW64\Mcpkkhei.dll Pjhpin32.exe File opened for modification C:\Windows\SysWOW64\Bllomg32.exe Bbcjca32.exe File created C:\Windows\SysWOW64\Jglgoc32.dll Bllomg32.exe File opened for modification C:\Windows\SysWOW64\Hdcdfmqe.exe Hhlcal32.exe File created C:\Windows\SysWOW64\Ihpfbd32.dll Cnflae32.exe File opened for modification C:\Windows\SysWOW64\Qpaohjkk.exe Qjdgpcmd.exe File created C:\Windows\SysWOW64\Fnlppbbp.dll Kopnma32.exe File created C:\Windows\SysWOW64\Ekbglc32.dll Ljgkom32.exe File created C:\Windows\SysWOW64\Abeoed32.dll Gpafgp32.exe File created C:\Windows\SysWOW64\Pamlel32.exe Oajopl32.exe File created C:\Windows\SysWOW64\Bmohjooe.exe Bllomg32.exe File opened for modification C:\Windows\SysWOW64\Kqqdjceh.exe Kdjceb32.exe File created C:\Windows\SysWOW64\Bmbccp32.dll Gampaipe.exe File created C:\Windows\SysWOW64\Kmnlhg32.exe Jbhhkn32.exe File created C:\Windows\SysWOW64\Chkfjj32.dll Onipqp32.exe File created C:\Windows\SysWOW64\Fbmmbaal.dll Pfnhkq32.exe File created C:\Windows\SysWOW64\Ohpchcao.dll Bbcjca32.exe File created C:\Windows\SysWOW64\Fgigok32.dll Imkeneja.exe File created C:\Windows\SysWOW64\Lbbpgc32.dll Nmgjee32.exe File opened for modification C:\Windows\SysWOW64\Ndjhpcoe.exe Nbfobllj.exe File opened for modification C:\Windows\SysWOW64\Kolhdbjh.exe Kmnlhg32.exe File opened for modification C:\Windows\SysWOW64\Baealp32.exe Bodhjdcc.exe File opened for modification C:\Windows\SysWOW64\Iokhcodo.exe Ipfkabpg.exe File opened for modification C:\Windows\SysWOW64\Hlcbfnjk.exe Hibidc32.exe File created C:\Windows\SysWOW64\Gapoob32.exe Gegaeabe.exe File created C:\Windows\SysWOW64\Gdbcbcgp.dll Nbfobllj.exe File opened for modification C:\Windows\SysWOW64\Lpanne32.exe Llcehg32.exe File opened for modification C:\Windows\SysWOW64\Ciglaa32.exe Cobhdhha.exe File opened for modification C:\Windows\SysWOW64\Ejiadgkl.exe Ebnmpemq.exe File created C:\Windows\SysWOW64\Nhcedjfb.dll Nldcagaq.exe File created C:\Windows\SysWOW64\Npdbjl32.dll Jlaeab32.exe File opened for modification C:\Windows\SysWOW64\Ljgkom32.exe Lcncbc32.exe File created C:\Windows\SysWOW64\Aaikfkgf.exe Aafnpkii.exe File created C:\Windows\SysWOW64\Ebofcd32.exe Ejdaoa32.exe File opened for modification C:\Windows\SysWOW64\Clkicbfa.exe Cnflae32.exe File created C:\Windows\SysWOW64\Indhebnm.dll Fbhfajia.exe File opened for modification C:\Windows\SysWOW64\Pgaahh32.exe Pkjqcg32.exe File created C:\Windows\SysWOW64\Ehebqm32.dll Feobac32.exe File opened for modification C:\Windows\SysWOW64\Gapoob32.exe Gegaeabe.exe File opened for modification C:\Windows\SysWOW64\Oeegnj32.exe Ocdnloph.exe File opened for modification C:\Windows\SysWOW64\Pjhpin32.exe Pamlel32.exe File created C:\Windows\SysWOW64\Fpmepl32.dll Cglfndaa.exe File created C:\Windows\SysWOW64\Effhic32.exe Edelakoq.exe File created C:\Windows\SysWOW64\Djakgb32.dll Ebabicfn.exe File opened for modification C:\Windows\SysWOW64\Gfoeel32.exe Fjfhkl32.exe File created C:\Windows\SysWOW64\Honiikpa.exe Hechkfkc.exe File created C:\Windows\SysWOW64\Kcgpfpbq.dll Mhikae32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3744 3728 WerFault.exe 252 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlolnllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honiikpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafnpkii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibidc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qifnhaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfkeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gieaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hechkfkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlaeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doamhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkambhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakhkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcchgini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqlfhjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockdmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doijcjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gapoob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onldqejb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjqcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nacmpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oajopl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqepgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejiadgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nianjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmffa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgildi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhgidjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpeafo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgfpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbcddlnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdigkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngencpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dibhjokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipfkabpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikgfdlcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Effhic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkldgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikoehj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdjceb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjhpcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamlel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglfndaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncolfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hafbghhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmnlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Limhpihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anfeop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhlcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgobcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgoaap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpaohjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndhddaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikimeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpanne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcgmkil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eomdoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pccahc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dchpnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjfjcdln.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgaahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llbnnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Limhpihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafeln32.dll" Ocdnloph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llcehg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqlfhjch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebcmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laoekk32.dll" Hafbghhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nomklqkm.dll" Jbhhkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnoopd32.dll" Kmnlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Negeln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjdgpcmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nacmpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmohjooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcaafadj.dll" Pdigkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkldgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iabhdefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmqgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nknkeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kolhdbjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckpoih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgpfpbq.dll" Mhikae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogddhmdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danpld32.dll" Gmoppefc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pccahc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcmoeong.dll" Bmohjooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqqdjceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdleiobf.dll" Kolhdbjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enihha32.dll" Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgildi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbfobllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aafnpkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbokqlp.dll" Lbplciof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndoelpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njhhcpnk.dll" Ohjkcile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogdaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbfcjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpafgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chmibmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgbof32.dll" Pmmcfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcchgini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpchcao.dll" Bbcjca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hibidc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbdfni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdkebolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gapoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnhfi32.dll" Nlmffa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfkkeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dleelp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpeplh32.dll" Iloilcci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbjkg32.dll" Monjcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhllnk32.dll" Hememgdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihnjmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkckf32.dll" Ncfmjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moqgiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbjll32.dll" Effhic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpjeknfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmlnjcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifnpchjd.dll" Jbijcgbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbpgjjo.dll" Nanfqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdkki32.dll" Afndjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooocab32.dll" Ckchcc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2700 wrote to memory of 2632 2700 152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9N.exe 30 PID 2700 wrote to memory of 2632 2700 152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9N.exe 30 PID 2700 wrote to memory of 2632 2700 152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9N.exe 30 PID 2700 wrote to memory of 2632 2700 152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9N.exe 30 PID 2632 wrote to memory of 3052 2632 Kjbclamj.exe 31 PID 2632 wrote to memory of 3052 2632 Kjbclamj.exe 31 PID 2632 wrote to memory of 3052 2632 Kjbclamj.exe 31 PID 2632 wrote to memory of 3052 2632 Kjbclamj.exe 31 PID 3052 wrote to memory of 2716 3052 Kckhdg32.exe 32 PID 3052 wrote to memory of 2716 3052 Kckhdg32.exe 32 PID 3052 wrote to memory of 2716 3052 Kckhdg32.exe 32 PID 3052 wrote to memory of 2716 3052 Kckhdg32.exe 32 PID 2716 wrote to memory of 2656 2716 Lajkbp32.exe 33 PID 2716 wrote to memory of 2656 2716 Lajkbp32.exe 33 PID 2716 wrote to memory of 2656 2716 Lajkbp32.exe 33 PID 2716 wrote to memory of 2656 2716 Lajkbp32.exe 33 PID 2656 wrote to memory of 2544 2656 Lmalgq32.exe 34 PID 2656 wrote to memory of 2544 2656 Lmalgq32.exe 34 PID 2656 wrote to memory of 2544 2656 Lmalgq32.exe 34 PID 2656 wrote to memory of 2544 2656 Lmalgq32.exe 34 PID 2544 wrote to memory of 1324 2544 Mokkegmm.exe 35 PID 2544 wrote to memory of 1324 2544 Mokkegmm.exe 35 PID 2544 wrote to memory of 1324 2544 Mokkegmm.exe 35 PID 2544 wrote to memory of 1324 2544 Mokkegmm.exe 35 PID 1324 wrote to memory of 2224 1324 Mlolnllf.exe 36 PID 1324 wrote to memory of 2224 1324 Mlolnllf.exe 36 PID 1324 wrote to memory of 2224 1324 Mlolnllf.exe 36 PID 1324 wrote to memory of 2224 1324 Mlolnllf.exe 36 PID 2224 wrote to memory of 1640 2224 Nknkeg32.exe 37 PID 2224 wrote to memory of 1640 2224 Nknkeg32.exe 37 PID 2224 wrote to memory of 1640 2224 Nknkeg32.exe 37 PID 2224 wrote to memory of 1640 2224 Nknkeg32.exe 37 PID 1640 wrote to memory of 1420 1640 Nnodgbed.exe 38 PID 1640 wrote to memory of 1420 1640 Nnodgbed.exe 38 PID 1640 wrote to memory of 1420 1640 Nnodgbed.exe 38 PID 1640 wrote to memory of 1420 1640 Nnodgbed.exe 38 PID 1420 wrote to memory of 2392 1420 Onldqejb.exe 39 PID 1420 wrote to memory of 2392 1420 Onldqejb.exe 39 PID 1420 wrote to memory of 2392 1420 Onldqejb.exe 39 PID 1420 wrote to memory of 2392 1420 Onldqejb.exe 39 PID 2392 wrote to memory of 1968 2392 Ojceef32.exe 40 PID 2392 wrote to memory of 1968 2392 Ojceef32.exe 40 PID 2392 wrote to memory of 1968 2392 Ojceef32.exe 40 PID 2392 wrote to memory of 1968 2392 Ojceef32.exe 40 PID 1968 wrote to memory of 760 1968 Phgannal.exe 41 PID 1968 wrote to memory of 760 1968 Phgannal.exe 41 PID 1968 wrote to memory of 760 1968 Phgannal.exe 41 PID 1968 wrote to memory of 760 1968 Phgannal.exe 41 PID 760 wrote to memory of 3004 760 Qifnhaho.exe 42 PID 760 wrote to memory of 3004 760 Qifnhaho.exe 42 PID 760 wrote to memory of 3004 760 Qifnhaho.exe 42 PID 760 wrote to memory of 3004 760 Qifnhaho.exe 42 PID 3004 wrote to memory of 2936 3004 Adgein32.exe 43 PID 3004 wrote to memory of 2936 3004 Adgein32.exe 43 PID 3004 wrote to memory of 2936 3004 Adgein32.exe 43 PID 3004 wrote to memory of 2936 3004 Adgein32.exe 43 PID 2936 wrote to memory of 2916 2936 Ablbjj32.exe 44 PID 2936 wrote to memory of 2916 2936 Ablbjj32.exe 44 PID 2936 wrote to memory of 2916 2936 Ablbjj32.exe 44 PID 2936 wrote to memory of 2916 2936 Ablbjj32.exe 44 PID 2916 wrote to memory of 968 2916 Cncolfcl.exe 45 PID 2916 wrote to memory of 968 2916 Cncolfcl.exe 45 PID 2916 wrote to memory of 968 2916 Cncolfcl.exe 45 PID 2916 wrote to memory of 968 2916 Cncolfcl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9N.exe"C:\Users\Admin\AppData\Local\Temp\152f6ecefb743a72db2e7e1f560a3dc9a500d78feea16ea898a68192ba827af9N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Kjbclamj.exeC:\Windows\system32\Kjbclamj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Kckhdg32.exeC:\Windows\system32\Kckhdg32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Lmalgq32.exeC:\Windows\system32\Lmalgq32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Mlolnllf.exeC:\Windows\system32\Mlolnllf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Phgannal.exeC:\Windows\system32\Phgannal.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Qifnhaho.exeC:\Windows\system32\Qifnhaho.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Adgein32.exeC:\Windows\system32\Adgein32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ablbjj32.exeC:\Windows\system32\Ablbjj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Cncolfcl.exeC:\Windows\system32\Cncolfcl.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Eikimeff.exeC:\Windows\system32\Eikimeff.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\Ebcmfj32.exeC:\Windows\system32\Ebcmfj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Gfoeel32.exeC:\Windows\system32\Gfoeel32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Hememgdi.exeC:\Windows\system32\Hememgdi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Hnmcli32.exeC:\Windows\system32\Hnmcli32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Ijimli32.exeC:\Windows\system32\Ijimli32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Inmpklpj.exeC:\Windows\system32\Inmpklpj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Jbfkeo32.exeC:\Windows\system32\Jbfkeo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Jbhhkn32.exeC:\Windows\system32\Jbhhkn32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Kmnlhg32.exeC:\Windows\system32\Kmnlhg32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Llcehg32.exeC:\Windows\system32\Llcehg32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Mohhea32.exeC:\Windows\system32\Mohhea32.exe38⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ncdpdcfh.exeC:\Windows\system32\Ncdpdcfh.exe39⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ncfmjc32.exeC:\Windows\system32\Ncfmjc32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Nhcebj32.exeC:\Windows\system32\Nhcebj32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Negeln32.exeC:\Windows\system32\Negeln32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Nanfqo32.exeC:\Windows\system32\Nanfqo32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Ohjkcile.exeC:\Windows\system32\Ohjkcile.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Oqepgk32.exeC:\Windows\system32\Oqepgk32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Onipqp32.exeC:\Windows\system32\Onipqp32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Ofdeeb32.exeC:\Windows\system32\Ofdeeb32.exe48⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ogdaod32.exeC:\Windows\system32\Ogdaod32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Pmcgmkil.exeC:\Windows\system32\Pmcgmkil.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Pfkkeq32.exeC:\Windows\system32\Pfkkeq32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:864 -
C:\Windows\SysWOW64\Pkjqcg32.exeC:\Windows\system32\Pkjqcg32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Pgaahh32.exeC:\Windows\system32\Pgaahh32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Peeabm32.exeC:\Windows\system32\Peeabm32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Pmqffonj.exeC:\Windows\system32\Pmqffonj.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Qjdgpcmd.exeC:\Windows\system32\Qjdgpcmd.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Qpaohjkk.exeC:\Windows\system32\Qpaohjkk.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Afndjdpe.exeC:\Windows\system32\Afndjdpe.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Aljmbknm.exeC:\Windows\system32\Aljmbknm.exe61⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Afbnec32.exeC:\Windows\system32\Afbnec32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Alofnj32.exeC:\Windows\system32\Alofnj32.exe63⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Alaccj32.exeC:\Windows\system32\Alaccj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Admgglep.exeC:\Windows\system32\Admgglep.exe65⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Beldao32.exeC:\Windows\system32\Beldao32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Bodhjdcc.exeC:\Windows\system32\Bodhjdcc.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:688 -
C:\Windows\SysWOW64\Baealp32.exeC:\Windows\system32\Baealp32.exe68⤵PID:888
-
C:\Windows\SysWOW64\Bknfeege.exeC:\Windows\system32\Bknfeege.exe69⤵PID:2888
-
C:\Windows\SysWOW64\Bdfjnkne.exeC:\Windows\system32\Bdfjnkne.exe70⤵PID:1472
-
C:\Windows\SysWOW64\Cbkgog32.exeC:\Windows\system32\Cbkgog32.exe71⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Cobhdhha.exeC:\Windows\system32\Cobhdhha.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Ciglaa32.exeC:\Windows\system32\Ciglaa32.exe73⤵PID:1412
-
C:\Windows\SysWOW64\Chmibmlo.exeC:\Windows\system32\Chmibmlo.exe74⤵
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe75⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Ckpoih32.exeC:\Windows\system32\Ckpoih32.exe76⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Dgfpni32.exeC:\Windows\system32\Dgfpni32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Dgildi32.exeC:\Windows\system32\Dgildi32.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Dleelp32.exeC:\Windows\system32\Dleelp32.exe79⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Dcbjni32.exeC:\Windows\system32\Dcbjni32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Doijcjde.exeC:\Windows\system32\Doijcjde.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Ekpkhkji.exeC:\Windows\system32\Ekpkhkji.exe82⤵PID:872
-
C:\Windows\SysWOW64\Eomdoj32.exeC:\Windows\system32\Eomdoj32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Ebnmpemq.exeC:\Windows\system32\Ebnmpemq.exe84⤵
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Ejiadgkl.exeC:\Windows\system32\Ejiadgkl.exe85⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Efpbih32.exeC:\Windows\system32\Efpbih32.exe86⤵
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Feobac32.exeC:\Windows\system32\Feobac32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:708 -
C:\Windows\SysWOW64\Gbbbjg32.exeC:\Windows\system32\Gbbbjg32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Gnicoh32.exeC:\Windows\system32\Gnicoh32.exe89⤵PID:2996
-
C:\Windows\SysWOW64\Gmoppefc.exeC:\Windows\system32\Gmoppefc.exe90⤵
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Gieaef32.exeC:\Windows\system32\Gieaef32.exe91⤵
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Gdkebolm.exeC:\Windows\system32\Gdkebolm.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Gpafgp32.exeC:\Windows\system32\Gpafgp32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Hogcil32.exeC:\Windows\system32\Hogcil32.exe94⤵
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Hhogaamj.exeC:\Windows\system32\Hhogaamj.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Hechkfkc.exeC:\Windows\system32\Hechkfkc.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Honiikpa.exeC:\Windows\system32\Honiikpa.exe97⤵
- System Location Discovery: System Language Discovery
PID:380 -
C:\Windows\SysWOW64\Iaobkf32.exeC:\Windows\system32\Iaobkf32.exe98⤵PID:1948
-
C:\Windows\SysWOW64\Ikgfdlcb.exeC:\Windows\system32\Ikgfdlcb.exe99⤵
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Icbkhnan.exeC:\Windows\system32\Icbkhnan.exe100⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Ipfkabpg.exeC:\Windows\system32\Ipfkabpg.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe102⤵PID:2292
-
C:\Windows\SysWOW64\Iloilcci.exeC:\Windows\system32\Iloilcci.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Jlaeab32.exeC:\Windows\system32\Jlaeab32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Jfjjkhhg.exeC:\Windows\system32\Jfjjkhhg.exe105⤵PID:2720
-
C:\Windows\SysWOW64\Jdogldmo.exeC:\Windows\system32\Jdogldmo.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:520 -
C:\Windows\SysWOW64\Jngkdj32.exeC:\Windows\system32\Jngkdj32.exe107⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Jbedkhie.exeC:\Windows\system32\Jbedkhie.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2248 -
C:\Windows\SysWOW64\Kmoekf32.exeC:\Windows\system32\Kmoekf32.exe109⤵PID:1636
-
C:\Windows\SysWOW64\Kopnma32.exeC:\Windows\system32\Kopnma32.exe110⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Kihbfg32.exeC:\Windows\system32\Kihbfg32.exe111⤵PID:900
-
C:\Windows\SysWOW64\Kikokf32.exeC:\Windows\system32\Kikokf32.exe112⤵PID:1048
-
C:\Windows\SysWOW64\Kbcddlnd.exeC:\Windows\system32\Kbcddlnd.exe113⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\Kbeqjl32.exeC:\Windows\system32\Kbeqjl32.exe114⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Lpiacp32.exeC:\Windows\system32\Lpiacp32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Llpaha32.exeC:\Windows\system32\Llpaha32.exe116⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Llbnnq32.exeC:\Windows\system32\Llbnnq32.exe117⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Lcncbc32.exeC:\Windows\system32\Lcncbc32.exe118⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Ljgkom32.exeC:\Windows\system32\Ljgkom32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Limhpihl.exeC:\Windows\system32\Limhpihl.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Mjlejl32.exeC:\Windows\system32\Mjlejl32.exe121⤵PID:992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-