Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20/09/2024, 08:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe
-
Size
395KB
-
MD5
be67a7267fe8015fe6ee046b77d3a4f0
-
SHA1
4d64fd4d54bc6ef9498495a433bf00f21b7358ea
-
SHA256
76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6
-
SHA512
25e073adb7a3b73e0d3377f9f7fe761d6bb09d6a6a1f0fcd08999b1c3aaed58847bbfbf83d2ef35852d458768b3e8ef47c56f91874957ae2055490f6d21d3c38
-
SSDEEP
6144:ZdxsQDvs4y70u4HXs4yr0u490u4Ds4yvW8lM:y94O0dHc4i0d90dA4X
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haemloni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnifaajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpmooind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnfhqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjpkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaablcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egebjmdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dilchhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdjpfgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anecfgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkghqpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcppkbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klhioioc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amafgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdkkcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffjagko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enbogmnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lophacfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbbnjgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqkpmaif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhgba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdinnqon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejfllhao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjpgdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahpddmia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmpeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgmaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihpmnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokkegmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnlhab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbchkime.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqaode32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkilka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iokfjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aicmadmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbmip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokfjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdojnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncipjieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boeoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbkjap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jngilalk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncgcdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbqjqehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bklpjlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihpmnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdinnqon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebappk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmoilni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkgeehnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhbabif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okinik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjgjpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cccdjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lglmefcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofaolcmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmqcmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjgjpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcidkf32.exe -
Executes dropped EXE 64 IoCs
pid Process 2708 Dqaode32.exe 2104 Dilchhgg.exe 2872 Dbdham32.exe 2552 Dbgdgm32.exe 1044 Deeqch32.exe 736 Eiciig32.exe 444 Elaeeb32.exe 2176 Enbogmnc.exe 3004 Ecogodlk.exe 2884 Ehmpeb32.exe 1904 Einlmkhp.exe 1896 Ffdilo32.exe 532 Fbkjap32.exe 2180 Fbngfo32.exe 2432 Fhjoof32.exe 1636 Fkilka32.exe 2960 Gaeqmk32.exe 580 Gkpakq32.exe 2016 Gibbgmfe.exe 2300 Ggfbpaeo.exe 2532 Glckihcg.exe 1652 Ggiofa32.exe 1628 Gcppkbia.exe 2700 Hijhhl32.exe 2764 Haemloni.exe 1576 Hhoeii32.exe 2888 Hlmnogkl.exe 2556 Hokjkbkp.exe 2680 Hgfooe32.exe 3044 Honfqb32.exe 1928 Halcmn32.exe 2948 Igkhjdde.exe 1796 Ikfdkc32.exe 2204 Ioiidfon.exe 3012 Igpaec32.exe 2904 Iokfjf32.exe 2088 Ijqjgo32.exe 744 Iciopdca.exe 1868 Imacijjb.exe 2920 Jfjhbo32.exe 2336 Jgkdigfa.exe 660 Joblkegc.exe 1736 Jacibm32.exe 1436 Jgmaog32.exe 1692 Jngilalk.exe 2060 Jbcelp32.exe 1876 Jeaahk32.exe 2320 Jkkjeeke.exe 2220 Jnifaajh.exe 2712 Jahbmlil.exe 2584 Jgbjjf32.exe 2672 Jnlbgq32.exe 568 Jpmooind.exe 816 Kgdgpfnf.exe 1076 Kmaphmln.exe 2540 Kppldhla.exe 2900 Kfidqb32.exe 2628 Kihpmnbb.exe 2268 Kcmdjgbh.exe 1160 Kflafbak.exe 1976 Kijmbnpo.exe 1092 Klhioioc.exe 1644 Kbbakc32.exe 2292 Keango32.exe -
Loads dropped DLL 64 IoCs
pid Process 656 76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe 656 76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe 2708 Dqaode32.exe 2708 Dqaode32.exe 2104 Dilchhgg.exe 2104 Dilchhgg.exe 2872 Dbdham32.exe 2872 Dbdham32.exe 2552 Dbgdgm32.exe 2552 Dbgdgm32.exe 1044 Deeqch32.exe 1044 Deeqch32.exe 736 Eiciig32.exe 736 Eiciig32.exe 444 Elaeeb32.exe 444 Elaeeb32.exe 2176 Enbogmnc.exe 2176 Enbogmnc.exe 3004 Ecogodlk.exe 3004 Ecogodlk.exe 2884 Ehmpeb32.exe 2884 Ehmpeb32.exe 1904 Einlmkhp.exe 1904 Einlmkhp.exe 1896 Ffdilo32.exe 1896 Ffdilo32.exe 532 Fbkjap32.exe 532 Fbkjap32.exe 2180 Fbngfo32.exe 2180 Fbngfo32.exe 2432 Fhjoof32.exe 2432 Fhjoof32.exe 1636 Fkilka32.exe 1636 Fkilka32.exe 2960 Gaeqmk32.exe 2960 Gaeqmk32.exe 580 Gkpakq32.exe 580 Gkpakq32.exe 2016 Gibbgmfe.exe 2016 Gibbgmfe.exe 2300 Ggfbpaeo.exe 2300 Ggfbpaeo.exe 2532 Glckihcg.exe 2532 Glckihcg.exe 1652 Ggiofa32.exe 1652 Ggiofa32.exe 1628 Gcppkbia.exe 1628 Gcppkbia.exe 2700 Hijhhl32.exe 2700 Hijhhl32.exe 2764 Haemloni.exe 2764 Haemloni.exe 1576 Hhoeii32.exe 1576 Hhoeii32.exe 2888 Hlmnogkl.exe 2888 Hlmnogkl.exe 2556 Hokjkbkp.exe 2556 Hokjkbkp.exe 2680 Hgfooe32.exe 2680 Hgfooe32.exe 3044 Honfqb32.exe 3044 Honfqb32.exe 1928 Halcmn32.exe 1928 Halcmn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dbdham32.exe Dilchhgg.exe File opened for modification C:\Windows\SysWOW64\Lolofd32.exe Klmbjh32.exe File created C:\Windows\SysWOW64\Mdojnm32.exe Mneaacno.exe File opened for modification C:\Windows\SysWOW64\Phgannal.exe Pidaba32.exe File created C:\Windows\SysWOW64\Jhpgpkho.dll Epeajo32.exe File created C:\Windows\SysWOW64\Dqaode32.exe 76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe File created C:\Windows\SysWOW64\Cplffidh.dll Ggfbpaeo.exe File created C:\Windows\SysWOW64\Blcajboa.dll Jnifaajh.exe File created C:\Windows\SysWOW64\Opnphfdp.dll Faijggao.exe File opened for modification C:\Windows\SysWOW64\Albjnplq.exe Aicmadmm.exe File created C:\Windows\SysWOW64\Dnfhqi32.exe Dochelmj.exe File created C:\Windows\SysWOW64\Gdpemeck.dll Dqaode32.exe File created C:\Windows\SysWOW64\Jpmooind.exe Jnlbgq32.exe File created C:\Windows\SysWOW64\Mghomh32.dll Klmbjh32.exe File opened for modification C:\Windows\SysWOW64\Laaabo32.exe Lijiaabk.exe File created C:\Windows\SysWOW64\Pphjan32.dll Ldpnoj32.exe File opened for modification C:\Windows\SysWOW64\Dhiphb32.exe Ddmchcnd.exe File opened for modification C:\Windows\SysWOW64\Ehmpeb32.exe Ecogodlk.exe File created C:\Windows\SysWOW64\Ffdilo32.exe Einlmkhp.exe File created C:\Windows\SysWOW64\Fpflghlp.dll Glckihcg.exe File created C:\Windows\SysWOW64\Lilfgq32.exe Lbbnjgik.exe File created C:\Windows\SysWOW64\Copjlmfa.dll Okinik32.exe File created C:\Windows\SysWOW64\Llpoohik.exe Leegbnan.exe File created C:\Windows\SysWOW64\Lalhgogb.exe Lmalgq32.exe File created C:\Windows\SysWOW64\Iclafh32.dll Pglojj32.exe File created C:\Windows\SysWOW64\Mopdpg32.exe Mhflcm32.exe File opened for modification C:\Windows\SysWOW64\Njhbabif.exe Nbqjqehd.exe File opened for modification C:\Windows\SysWOW64\Onldqejb.exe Oknhdjko.exe File created C:\Windows\SysWOW64\Qaofgc32.exe Qnqjkh32.exe File opened for modification C:\Windows\SysWOW64\Flnndp32.exe Fhbbcail.exe File created C:\Windows\SysWOW64\Algllb32.dll Hijhhl32.exe File created C:\Windows\SysWOW64\Obdfbbbn.dll Lmalgq32.exe File created C:\Windows\SysWOW64\Bknmok32.exe Bimphc32.exe File opened for modification C:\Windows\SysWOW64\Ckhpejbf.exe Cdngip32.exe File created C:\Windows\SysWOW64\Cdngip32.exe Cpbkhabp.exe File opened for modification C:\Windows\SysWOW64\Keango32.exe Kbbakc32.exe File created C:\Windows\SysWOW64\Jgdinn32.dll Mdojnm32.exe File opened for modification C:\Windows\SysWOW64\Nqpmimbe.exe Nldahn32.exe File created C:\Windows\SysWOW64\Pnnmeh32.exe Pmmqmpdm.exe File created C:\Windows\SysWOW64\Qhincn32.exe Qaofgc32.exe File opened for modification C:\Windows\SysWOW64\Jacibm32.exe Joblkegc.exe File created C:\Windows\SysWOW64\Ejabqi32.exe Ecgjdong.exe File created C:\Windows\SysWOW64\Coladm32.exe Chbihc32.exe File created C:\Windows\SysWOW64\Dochelmj.exe Dhiphb32.exe File created C:\Windows\SysWOW64\Lijiaabk.exe Lglmefcg.exe File created C:\Windows\SysWOW64\Ehbgahjb.dll Adiaommc.exe File created C:\Windows\SysWOW64\Njohaaaf.dll Abnopj32.exe File created C:\Windows\SysWOW64\Kppegfpa.dll Bhdjno32.exe File opened for modification C:\Windows\SysWOW64\Bhdjno32.exe Bdinnqon.exe File created C:\Windows\SysWOW64\Bdinnqon.exe Bnofaf32.exe File opened for modification C:\Windows\SysWOW64\Bdinnqon.exe Bnofaf32.exe File opened for modification C:\Windows\SysWOW64\Boleejag.exe Bhbmip32.exe File opened for modification C:\Windows\SysWOW64\Lhfpdi32.exe Lalhgogb.exe File created C:\Windows\SysWOW64\Igooceih.dll Qhincn32.exe File opened for modification C:\Windows\SysWOW64\Aiaqle32.exe Ajnqphhe.exe File created C:\Windows\SysWOW64\Dangeigl.dll Cnabffeo.exe File created C:\Windows\SysWOW64\Hokjkbkp.exe Hlmnogkl.exe File created C:\Windows\SysWOW64\Epfbllkc.dll Oqkpmaif.exe File created C:\Windows\SysWOW64\Flnndp32.exe Fhbbcail.exe File created C:\Windows\SysWOW64\Enbogmnc.exe Elaeeb32.exe File created C:\Windows\SysWOW64\Lmalgq32.exe Llpoohik.exe File created C:\Windows\SysWOW64\Odacbpee.exe Obcffefa.exe File created C:\Windows\SysWOW64\Dljfocan.dll Bikcbc32.exe File created C:\Windows\SysWOW64\Empomd32.exe Ejabqi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3220 3116 WerFault.exe 298 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lalhgogb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmmhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnoegaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjlep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhimji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiahnnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidaba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mopdpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfqlkfoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anecfgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpddmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggiofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfdkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaphmln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnlhab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqmmbqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoifiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmbdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdngip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfjhbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maoalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngpcohbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldahn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpoohik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pglojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicmadmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhefh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkjeeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihpmnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfglfdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odacbpee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnmeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfbpaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhoeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klkfdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhflcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppipdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmaog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afeaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjpkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halcmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhkcnfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnqjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbobaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keango32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajkbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkihofl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibbgmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koibpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofaolcmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokjkbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppldhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbqjqehd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onjgkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffjagko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Donojm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbjdj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pflbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokahpfn.dll" Pnnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffdilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphmpc32.dll" Lalhgogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebeabe.dll" Lhfpdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgalk32.dll" Laaabo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmhbgpia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noggch32.dll" Mopdpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cccdjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfkmcdp.dll" Dcemnopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjjco32.dll" Hgfooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojeakfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhbmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgqion32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckhpejbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dilchhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haemloni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnodgbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phgannal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpbkhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gibbgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcidkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anecfgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcplf32.dll" Bhkghqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cppobaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lolofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiahnnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaceogh.dll" Ajldkhjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ockinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbqkeioh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclemh32.dll" Dbdagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noingpnc.dll" Dbgdgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kihpmnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miocmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblfonpc.dll" Mnhnfckm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaflgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Einlmkhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhmod32.dll" Kfidqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejapnc32.dll" Mkibjgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncgcdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfqlkfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll" Efmlqigc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdojnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfaqfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dangeigl.dll" Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhfpdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpoodc32.dll" Mhdpnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Macjgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okinik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkghqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbdham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lglmefcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbelhkp.dll" Nnlhab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecgjdong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecgjdong.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gibbgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcmnk32.dll" Ahngomkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emgdmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egpena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcggef32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 656 wrote to memory of 2708 656 76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe 30 PID 656 wrote to memory of 2708 656 76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe 30 PID 656 wrote to memory of 2708 656 76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe 30 PID 656 wrote to memory of 2708 656 76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe 30 PID 2708 wrote to memory of 2104 2708 Dqaode32.exe 31 PID 2708 wrote to memory of 2104 2708 Dqaode32.exe 31 PID 2708 wrote to memory of 2104 2708 Dqaode32.exe 31 PID 2708 wrote to memory of 2104 2708 Dqaode32.exe 31 PID 2104 wrote to memory of 2872 2104 Dilchhgg.exe 32 PID 2104 wrote to memory of 2872 2104 Dilchhgg.exe 32 PID 2104 wrote to memory of 2872 2104 Dilchhgg.exe 32 PID 2104 wrote to memory of 2872 2104 Dilchhgg.exe 32 PID 2872 wrote to memory of 2552 2872 Dbdham32.exe 33 PID 2872 wrote to memory of 2552 2872 Dbdham32.exe 33 PID 2872 wrote to memory of 2552 2872 Dbdham32.exe 33 PID 2872 wrote to memory of 2552 2872 Dbdham32.exe 33 PID 2552 wrote to memory of 1044 2552 Dbgdgm32.exe 34 PID 2552 wrote to memory of 1044 2552 Dbgdgm32.exe 34 PID 2552 wrote to memory of 1044 2552 Dbgdgm32.exe 34 PID 2552 wrote to memory of 1044 2552 Dbgdgm32.exe 34 PID 1044 wrote to memory of 736 1044 Deeqch32.exe 35 PID 1044 wrote to memory of 736 1044 Deeqch32.exe 35 PID 1044 wrote to memory of 736 1044 Deeqch32.exe 35 PID 1044 wrote to memory of 736 1044 Deeqch32.exe 35 PID 736 wrote to memory of 444 736 Eiciig32.exe 36 PID 736 wrote to memory of 444 736 Eiciig32.exe 36 PID 736 wrote to memory of 444 736 Eiciig32.exe 36 PID 736 wrote to memory of 444 736 Eiciig32.exe 36 PID 444 wrote to memory of 2176 444 Elaeeb32.exe 37 PID 444 wrote to memory of 2176 444 Elaeeb32.exe 37 PID 444 wrote to memory of 2176 444 Elaeeb32.exe 37 PID 444 wrote to memory of 2176 444 Elaeeb32.exe 37 PID 2176 wrote to memory of 3004 2176 Enbogmnc.exe 38 PID 2176 wrote to memory of 3004 2176 Enbogmnc.exe 38 PID 2176 wrote to memory of 3004 2176 Enbogmnc.exe 38 PID 2176 wrote to memory of 3004 2176 Enbogmnc.exe 38 PID 3004 wrote to memory of 2884 3004 Ecogodlk.exe 39 PID 3004 wrote to memory of 2884 3004 Ecogodlk.exe 39 PID 3004 wrote to memory of 2884 3004 Ecogodlk.exe 39 PID 3004 wrote to memory of 2884 3004 Ecogodlk.exe 39 PID 2884 wrote to memory of 1904 2884 Ehmpeb32.exe 40 PID 2884 wrote to memory of 1904 2884 Ehmpeb32.exe 40 PID 2884 wrote to memory of 1904 2884 Ehmpeb32.exe 40 PID 2884 wrote to memory of 1904 2884 Ehmpeb32.exe 40 PID 1904 wrote to memory of 1896 1904 Einlmkhp.exe 41 PID 1904 wrote to memory of 1896 1904 Einlmkhp.exe 41 PID 1904 wrote to memory of 1896 1904 Einlmkhp.exe 41 PID 1904 wrote to memory of 1896 1904 Einlmkhp.exe 41 PID 1896 wrote to memory of 532 1896 Ffdilo32.exe 42 PID 1896 wrote to memory of 532 1896 Ffdilo32.exe 42 PID 1896 wrote to memory of 532 1896 Ffdilo32.exe 42 PID 1896 wrote to memory of 532 1896 Ffdilo32.exe 42 PID 532 wrote to memory of 2180 532 Fbkjap32.exe 43 PID 532 wrote to memory of 2180 532 Fbkjap32.exe 43 PID 532 wrote to memory of 2180 532 Fbkjap32.exe 43 PID 532 wrote to memory of 2180 532 Fbkjap32.exe 43 PID 2180 wrote to memory of 2432 2180 Fbngfo32.exe 44 PID 2180 wrote to memory of 2432 2180 Fbngfo32.exe 44 PID 2180 wrote to memory of 2432 2180 Fbngfo32.exe 44 PID 2180 wrote to memory of 2432 2180 Fbngfo32.exe 44 PID 2432 wrote to memory of 1636 2432 Fhjoof32.exe 45 PID 2432 wrote to memory of 1636 2432 Fhjoof32.exe 45 PID 2432 wrote to memory of 1636 2432 Fhjoof32.exe 45 PID 2432 wrote to memory of 1636 2432 Fhjoof32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe"C:\Users\Admin\AppData\Local\Temp\76f71a0ff20c7b03b9d558072a1b95783b333c33057238eaebb85f2871932df6N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Dqaode32.exeC:\Windows\system32\Dqaode32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Dbdham32.exeC:\Windows\system32\Dbdham32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Dbgdgm32.exeC:\Windows\system32\Dbgdgm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Deeqch32.exeC:\Windows\system32\Deeqch32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Eiciig32.exeC:\Windows\system32\Eiciig32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Enbogmnc.exeC:\Windows\system32\Enbogmnc.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ehmpeb32.exeC:\Windows\system32\Ehmpeb32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Ffdilo32.exeC:\Windows\system32\Ffdilo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Fbkjap32.exeC:\Windows\system32\Fbkjap32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Fbngfo32.exeC:\Windows\system32\Fbngfo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Fkilka32.exeC:\Windows\system32\Fkilka32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Gaeqmk32.exeC:\Windows\system32\Gaeqmk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Gkpakq32.exeC:\Windows\system32\Gkpakq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Gibbgmfe.exeC:\Windows\system32\Gibbgmfe.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Ggfbpaeo.exeC:\Windows\system32\Ggfbpaeo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Glckihcg.exeC:\Windows\system32\Glckihcg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Ggiofa32.exeC:\Windows\system32\Ggiofa32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Gcppkbia.exeC:\Windows\system32\Gcppkbia.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Hijhhl32.exeC:\Windows\system32\Hijhhl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Haemloni.exeC:\Windows\system32\Haemloni.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Hhoeii32.exeC:\Windows\system32\Hhoeii32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Hlmnogkl.exeC:\Windows\system32\Hlmnogkl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Hokjkbkp.exeC:\Windows\system32\Hokjkbkp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Hgfooe32.exeC:\Windows\system32\Hgfooe32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Honfqb32.exeC:\Windows\system32\Honfqb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Halcmn32.exeC:\Windows\system32\Halcmn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Igkhjdde.exeC:\Windows\system32\Igkhjdde.exe33⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Ikfdkc32.exeC:\Windows\system32\Ikfdkc32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Windows\SysWOW64\Ioiidfon.exeC:\Windows\system32\Ioiidfon.exe35⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Igpaec32.exeC:\Windows\system32\Igpaec32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Iokfjf32.exeC:\Windows\system32\Iokfjf32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Ijqjgo32.exeC:\Windows\system32\Ijqjgo32.exe38⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Iciopdca.exeC:\Windows\system32\Iciopdca.exe39⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Imacijjb.exeC:\Windows\system32\Imacijjb.exe40⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Jfjhbo32.exeC:\Windows\system32\Jfjhbo32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Jgkdigfa.exeC:\Windows\system32\Jgkdigfa.exe42⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Joblkegc.exeC:\Windows\system32\Joblkegc.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:660 -
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe44⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\SysWOW64\Jngilalk.exeC:\Windows\system32\Jngilalk.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe47⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Jeaahk32.exeC:\Windows\system32\Jeaahk32.exe48⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Jahbmlil.exeC:\Windows\system32\Jahbmlil.exe51⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Jgbjjf32.exeC:\Windows\system32\Jgbjjf32.exe52⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Jnlbgq32.exeC:\Windows\system32\Jnlbgq32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Jpmooind.exeC:\Windows\system32\Jpmooind.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe55⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Kmaphmln.exeC:\Windows\system32\Kmaphmln.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Kfidqb32.exeC:\Windows\system32\Kfidqb32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Kcmdjgbh.exeC:\Windows\system32\Kcmdjgbh.exe60⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Kflafbak.exeC:\Windows\system32\Kflafbak.exe61⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe62⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Klhioioc.exeC:\Windows\system32\Klhioioc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Keango32.exeC:\Windows\system32\Keango32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe66⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Kecjmodq.exeC:\Windows\system32\Kecjmodq.exe68⤵PID:984
-
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe69⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Lolofd32.exeC:\Windows\system32\Lolofd32.exe70⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Leegbnan.exeC:\Windows\system32\Leegbnan.exe72⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Llpoohik.exeC:\Windows\system32\Llpoohik.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Lmalgq32.exeC:\Windows\system32\Lmalgq32.exe74⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Lhfpdi32.exeC:\Windows\system32\Lhfpdi32.exe76⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1216 -
C:\Windows\SysWOW64\Laodmoep.exeC:\Windows\system32\Laodmoep.exe78⤵PID:1316
-
C:\Windows\SysWOW64\Lhimji32.exeC:\Windows\system32\Lhimji32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe81⤵
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe82⤵
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Ldpnoj32.exeC:\Windows\system32\Ldpnoj32.exe83⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe85⤵PID:1800
-
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe86⤵
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Ldbjdj32.exeC:\Windows\system32\Ldbjdj32.exe87⤵
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe89⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2272 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:976 -
C:\Windows\SysWOW64\Mcggef32.exeC:\Windows\system32\Mcggef32.exe92⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Meecaa32.exeC:\Windows\system32\Meecaa32.exe93⤵PID:2768
-
C:\Windows\SysWOW64\Mhdpnm32.exeC:\Windows\system32\Mhdpnm32.exe94⤵
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Mpkhoj32.exeC:\Windows\system32\Mpkhoj32.exe95⤵PID:2720
-
C:\Windows\SysWOW64\Mcidkf32.exeC:\Windows\system32\Mcidkf32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe97⤵PID:2728
-
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe100⤵
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Mdmmhn32.exeC:\Windows\system32\Mdmmhn32.exe101⤵
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Mkgeehnl.exeC:\Windows\system32\Mkgeehnl.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1788 -
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe103⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Mgnfji32.exeC:\Windows\system32\Mgnfji32.exe105⤵PID:2932
-
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe106⤵
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Mnhnfckm.exeC:\Windows\system32\Mnhnfckm.exe107⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe108⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Nhmbdl32.exeC:\Windows\system32\Nhmbdl32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe110⤵
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe111⤵PID:876
-
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe112⤵PID:2924
-
C:\Windows\SysWOW64\Ncgcdi32.exeC:\Windows\system32\Ncgcdi32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe114⤵PID:1408
-
C:\Windows\SysWOW64\Nnlhab32.exeC:\Windows\system32\Nnlhab32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Nlohmonb.exeC:\Windows\system32\Nlohmonb.exe116⤵PID:2500
-
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2164 -
C:\Windows\SysWOW64\Nfglfdeb.exeC:\Windows\system32\Nfglfdeb.exe118⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe119⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Nqmqcmdh.exeC:\Windows\system32\Nqmqcmdh.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Nckmpicl.exeC:\Windows\system32\Nckmpicl.exe121⤵PID:1804
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-