Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/09/2024, 08:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2N.exe
-
Size
128KB
-
MD5
9da9f13059ae7b15a5c25baf399073a0
-
SHA1
945eed54a86ef524790d557de0e8df3faf64fd55
-
SHA256
b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2
-
SHA512
0673d0e5cdab05886b9c14eabd7f5b2c0b8205ae3b5bccb1f9ebd820780ec242e2260df2ec02d95f1cac19021fb0e1c58b9db912a68cbbb299d5431ad1bb04bf
-
SSDEEP
3072:EtUAhfWdQZh9tZVEX15teiGpOO1AerDtsr3vhqhEN4MAH+mbp:BO+iZDtZVEF5eOO1AelhEN4Mujp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhiakf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcomce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdaglmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkpeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dknajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkhejkcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caifjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cinafkkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djgkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iikifegp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khlili32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhdjgoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjphcff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agbpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccdmnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nameek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebmjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdcmbgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmand32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgofi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlfgcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gceailog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmdepg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jefpeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbmaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdakniag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceeieced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihniaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inlkik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcogbdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcmfmlen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpdgbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epmfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oijjka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmhhmlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajbke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjpjgjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijehdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfdopp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaoqqflp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omnipjni.exe -
Executes dropped EXE 64 IoCs
pid Process 708 Ipokcdjn.exe 2316 Iapgkl32.exe 1320 Jlelhe32.exe 2880 Jabdql32.exe 2768 Jhlmmfef.exe 2740 Jaeafklf.exe 2620 Jdcmbgkj.exe 2892 Jkmeoa32.exe 1860 Jpjngh32.exe 2904 Jgdfdbhk.exe 1316 Jkpbdq32.exe 1936 Jdhgnf32.exe 1740 Jkbojpna.exe 3004 Jpogbgmi.exe 2288 Kcmcoblm.exe 2988 Knbhlkkc.exe 408 Kpadhg32.exe 2972 Koddccaa.exe 1372 Kgkleabc.exe 2968 Kjihalag.exe 2296 Khlili32.exe 1540 Kpcqnf32.exe 1592 Kcamjb32.exe 336 Kbdmeoob.exe 2568 Kjleflod.exe 1600 Kljabgnh.exe 3068 Kkmand32.exe 2708 Kbgjkn32.exe 2824 Kdefgj32.exe 3020 Knnkpobc.exe 2960 Kdhcli32.exe 2616 Kgfoie32.exe 2192 Lomgjb32.exe 844 Ldjpbign.exe 992 Lghlndfa.exe 536 Lnbdko32.exe 1756 Lqqpgj32.exe 2900 Lcomce32.exe 236 Lkfddc32.exe 2936 Lneaqn32.exe 2928 Lcaiiejc.exe 2984 Lngnfnji.exe 1688 Lqejbiim.exe 1036 Ljnnko32.exe 996 Liqoflfh.exe 1336 Lqhfhigj.exe 2460 Lbicoamh.exe 2532 Mfdopp32.exe 2252 Micklk32.exe 1736 Mkaghg32.exe 1956 Mpmcielb.exe 1300 Mbkpeake.exe 2820 Mfglep32.exe 2872 Miehak32.exe 2600 Mmadbjkk.exe 2636 Mnbpjb32.exe 1480 Mbnljqic.exe 2932 Mfihkoal.exe 1488 Mgjebg32.exe 1140 Mlfacfpc.exe 2940 Mpamde32.exe 2052 Macilmnk.exe 1552 Meoell32.exe 1476 Mngjeamd.exe -
Loads dropped DLL 64 IoCs
pid Process 2344 b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2N.exe 2344 b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2N.exe 708 Ipokcdjn.exe 708 Ipokcdjn.exe 2316 Iapgkl32.exe 2316 Iapgkl32.exe 1320 Jlelhe32.exe 1320 Jlelhe32.exe 2880 Jabdql32.exe 2880 Jabdql32.exe 2768 Jhlmmfef.exe 2768 Jhlmmfef.exe 2740 Jaeafklf.exe 2740 Jaeafklf.exe 2620 Jdcmbgkj.exe 2620 Jdcmbgkj.exe 2892 Jkmeoa32.exe 2892 Jkmeoa32.exe 1860 Jpjngh32.exe 1860 Jpjngh32.exe 2904 Jgdfdbhk.exe 2904 Jgdfdbhk.exe 1316 Jkpbdq32.exe 1316 Jkpbdq32.exe 1936 Jdhgnf32.exe 1936 Jdhgnf32.exe 1740 Jkbojpna.exe 1740 Jkbojpna.exe 3004 Jpogbgmi.exe 3004 Jpogbgmi.exe 2288 Kcmcoblm.exe 2288 Kcmcoblm.exe 2988 Knbhlkkc.exe 2988 Knbhlkkc.exe 408 Kpadhg32.exe 408 Kpadhg32.exe 2972 Koddccaa.exe 2972 Koddccaa.exe 1372 Kgkleabc.exe 1372 Kgkleabc.exe 2968 Kjihalag.exe 2968 Kjihalag.exe 2296 Khlili32.exe 2296 Khlili32.exe 1540 Kpcqnf32.exe 1540 Kpcqnf32.exe 1592 Kcamjb32.exe 1592 Kcamjb32.exe 336 Kbdmeoob.exe 336 Kbdmeoob.exe 2568 Kjleflod.exe 2568 Kjleflod.exe 1600 Kljabgnh.exe 1600 Kljabgnh.exe 3068 Kkmand32.exe 3068 Kkmand32.exe 2708 Kbgjkn32.exe 2708 Kbgjkn32.exe 2824 Kdefgj32.exe 2824 Kdefgj32.exe 3020 Knnkpobc.exe 3020 Knnkpobc.exe 2960 Kdhcli32.exe 2960 Kdhcli32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kpcqnf32.exe Khlili32.exe File opened for modification C:\Windows\SysWOW64\Lhpglecl.exe Lqipkhbj.exe File created C:\Windows\SysWOW64\Kmgbdm32.dll Pkoicb32.exe File created C:\Windows\SysWOW64\Cnoglhlh.dll Ncfoch32.exe File created C:\Windows\SysWOW64\Bkpeci32.exe Biaign32.exe File opened for modification C:\Windows\SysWOW64\Kjokokha.exe Kgqocoin.exe File opened for modification C:\Windows\SysWOW64\Akabgebj.exe Ahbekjcf.exe File created C:\Windows\SysWOW64\Akkoig32.exe Qdaglmcb.exe File created C:\Windows\SysWOW64\Ljqglfel.dll Biolanld.exe File created C:\Windows\SysWOW64\Koaqcn32.exe Klbdgb32.exe File opened for modification C:\Windows\SysWOW64\Offmipej.exe Objaha32.exe File opened for modification C:\Windows\SysWOW64\Jlelhe32.exe Iapgkl32.exe File created C:\Windows\SysWOW64\Afbqkf32.dll Micklk32.exe File created C:\Windows\SysWOW64\Ecploipa.exe Elfcbo32.exe File created C:\Windows\SysWOW64\Fdmhbplb.exe Flfpabkp.exe File created C:\Windows\SysWOW64\Bmpkqklh.exe Bjbndpmd.exe File created C:\Windows\SysWOW64\Nckljk32.dll Inlkik32.exe File opened for modification C:\Windows\SysWOW64\Kaajei32.exe Kocmim32.exe File opened for modification C:\Windows\SysWOW64\Apedah32.exe Alihaioe.exe File created C:\Windows\SysWOW64\Qcamkjba.dll Adnpkjde.exe File created C:\Windows\SysWOW64\Cgaaah32.exe Cinafkkd.exe File opened for modification C:\Windows\SysWOW64\Dkqnoh32.exe Dgeaoinb.exe File created C:\Windows\SysWOW64\Pacnfacn.dll Ihglhp32.exe File opened for modification C:\Windows\SysWOW64\Ohiffh32.exe Ofhjopbg.exe File opened for modification C:\Windows\SysWOW64\Knnkpobc.exe Kdefgj32.exe File created C:\Windows\SysWOW64\Agbpnh32.exe Acfdnihk.exe File opened for modification C:\Windows\SysWOW64\Bmpkqklh.exe Bjbndpmd.exe File opened for modification C:\Windows\SysWOW64\Lqqpgj32.exe Lnbdko32.exe File created C:\Windows\SysWOW64\Lcdgejhm.dll Ackmih32.exe File created C:\Windows\SysWOW64\Hadlijdb.dll Cpkmcldj.exe File created C:\Windows\SysWOW64\Phhjblpa.exe Pejmfqan.exe File opened for modification C:\Windows\SysWOW64\Ddblgn32.exe Dacpkc32.exe File created C:\Windows\SysWOW64\Obmnna32.exe Ooabmbbe.exe File opened for modification C:\Windows\SysWOW64\Pgddfe32.dll Lfoojj32.exe File opened for modification C:\Windows\SysWOW64\Qqfkln32.exe Qododfek.exe File created C:\Windows\SysWOW64\Cfeepelg.exe Cnnnnh32.exe File created C:\Windows\SysWOW64\Cmhglq32.exe Cjjkpe32.exe File created C:\Windows\SysWOW64\Ggicgopd.exe Gifclb32.exe File created C:\Windows\SysWOW64\Mfokinhf.exe Mcqombic.exe File opened for modification C:\Windows\SysWOW64\Najpll32.exe Nmnclmoj.exe File created C:\Windows\SysWOW64\Obdojcef.exe Opfbngfb.exe File created C:\Windows\SysWOW64\Lpdonf32.dll Kdpfadlm.exe File created C:\Windows\SysWOW64\Cenljmgq.exe Cbppnbhm.exe File created C:\Windows\SysWOW64\Bddlnn32.dll Kpcqnf32.exe File opened for modification C:\Windows\SysWOW64\Mkaghg32.exe Micklk32.exe File opened for modification C:\Windows\SysWOW64\Plmpblnb.exe Pnjofo32.exe File opened for modification C:\Windows\SysWOW64\Mjcaimgg.exe Mgedmb32.exe File created C:\Windows\SysWOW64\Dgeaoinb.exe Dbifnj32.exe File created C:\Windows\SysWOW64\Jojkco32.exe Jpgjgboe.exe File opened for modification C:\Windows\SysWOW64\Klpdaf32.exe Kjahej32.exe File created C:\Windows\SysWOW64\Cefhdnca.dll Kjahej32.exe File created C:\Windows\SysWOW64\Gddgejcp.dll Mqbbagjo.exe File opened for modification C:\Windows\SysWOW64\Pkifdd32.exe Pgnjde32.exe File created C:\Windows\SysWOW64\Dljdnm32.dll Kncaojfb.exe File opened for modification C:\Windows\SysWOW64\Kbgjkn32.exe Kkmand32.exe File created C:\Windows\SysWOW64\Kjohojml.dll Necogkbo.exe File opened for modification C:\Windows\SysWOW64\Opfbngfb.exe Ohojmjep.exe File opened for modification C:\Windows\SysWOW64\Fnacpffh.exe Fkbgckgd.exe File created C:\Windows\SysWOW64\Aomnhd32.exe Akabgebj.exe File created C:\Windows\SysWOW64\Gplaplgi.dll Mccbmh32.exe File created C:\Windows\SysWOW64\Ohojmjep.exe Neqnqofm.exe File opened for modification C:\Windows\SysWOW64\Olmcchlg.exe Oioggmmc.exe File created C:\Windows\SysWOW64\Ihniaa32.exe Iikifegp.exe File opened for modification C:\Windows\SysWOW64\Neiaeiii.exe Nameek32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6928 6840 WerFault.exe 694 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injndk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jioopgef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnjofo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldmleam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnkffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnadkic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikifegp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbeded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieajkfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiaplin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difnaqih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbcen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqejbiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckajebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihniaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgehno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnmlcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnljqic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjjed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjklenpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnpkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndmecgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpjnkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdcmbgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkpeake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emagacdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfegij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbdmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqipkhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajqljc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlhkbhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omioekbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflbigdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkhaqpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfpabkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdklfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khghgchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhgnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miehak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjcme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfoojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompefj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eacljf32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkgbapp.dll" Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knnkpobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemjkkbq.dll" Nigafnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmffciep.dll" Cjgoje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknbpmpk.dll" Cicalakk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll" Ahgofi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjonncab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lghlndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pondgbkk.dll" Bnnaoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgigil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpjmnknl.dll" Fncpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdecggq.dll" Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agbpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epmfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhjag32.dll" Gifclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeikk32.dll" Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmhbiaf.dll" Befmfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fggkcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgkleabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgeaoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfejbj.dll" Kdnild32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmkhjncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkefk32.dll" Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll" Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockglf32.dll" Pgnjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dklddhka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eclbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbmaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkhoe32.dll" Bkpeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eacljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciffggmh.dll" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll" Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll" Cileqlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pniqhlqh.dll" Piqpkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncobd32.dll" Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkhhhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaqbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjcmap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkdihhag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbjaopk.dll" Bkbaii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpbbo32.dll" Jpjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeeeakip.dll" Cgkocj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffjig32.dll" Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljnnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obdojcef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogiaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgnadkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afffenbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbaab32.dll" Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll" Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imahkg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2344 wrote to memory of 708 2344 b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2N.exe 30 PID 2344 wrote to memory of 708 2344 b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2N.exe 30 PID 2344 wrote to memory of 708 2344 b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2N.exe 30 PID 2344 wrote to memory of 708 2344 b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2N.exe 30 PID 708 wrote to memory of 2316 708 Ipokcdjn.exe 31 PID 708 wrote to memory of 2316 708 Ipokcdjn.exe 31 PID 708 wrote to memory of 2316 708 Ipokcdjn.exe 31 PID 708 wrote to memory of 2316 708 Ipokcdjn.exe 31 PID 2316 wrote to memory of 1320 2316 Iapgkl32.exe 32 PID 2316 wrote to memory of 1320 2316 Iapgkl32.exe 32 PID 2316 wrote to memory of 1320 2316 Iapgkl32.exe 32 PID 2316 wrote to memory of 1320 2316 Iapgkl32.exe 32 PID 1320 wrote to memory of 2880 1320 Jlelhe32.exe 33 PID 1320 wrote to memory of 2880 1320 Jlelhe32.exe 33 PID 1320 wrote to memory of 2880 1320 Jlelhe32.exe 33 PID 1320 wrote to memory of 2880 1320 Jlelhe32.exe 33 PID 2880 wrote to memory of 2768 2880 Jabdql32.exe 34 PID 2880 wrote to memory of 2768 2880 Jabdql32.exe 34 PID 2880 wrote to memory of 2768 2880 Jabdql32.exe 34 PID 2880 wrote to memory of 2768 2880 Jabdql32.exe 34 PID 2768 wrote to memory of 2740 2768 Jhlmmfef.exe 35 PID 2768 wrote to memory of 2740 2768 Jhlmmfef.exe 35 PID 2768 wrote to memory of 2740 2768 Jhlmmfef.exe 35 PID 2768 wrote to memory of 2740 2768 Jhlmmfef.exe 35 PID 2740 wrote to memory of 2620 2740 Jaeafklf.exe 36 PID 2740 wrote to memory of 2620 2740 Jaeafklf.exe 36 PID 2740 wrote to memory of 2620 2740 Jaeafklf.exe 36 PID 2740 wrote to memory of 2620 2740 Jaeafklf.exe 36 PID 2620 wrote to memory of 2892 2620 Jdcmbgkj.exe 37 PID 2620 wrote to memory of 2892 2620 Jdcmbgkj.exe 37 PID 2620 wrote to memory of 2892 2620 Jdcmbgkj.exe 37 PID 2620 wrote to memory of 2892 2620 Jdcmbgkj.exe 37 PID 2892 wrote to memory of 1860 2892 Jkmeoa32.exe 38 PID 2892 wrote to memory of 1860 2892 Jkmeoa32.exe 38 PID 2892 wrote to memory of 1860 2892 Jkmeoa32.exe 38 PID 2892 wrote to memory of 1860 2892 Jkmeoa32.exe 38 PID 1860 wrote to memory of 2904 1860 Jpjngh32.exe 39 PID 1860 wrote to memory of 2904 1860 Jpjngh32.exe 39 PID 1860 wrote to memory of 2904 1860 Jpjngh32.exe 39 PID 1860 wrote to memory of 2904 1860 Jpjngh32.exe 39 PID 2904 wrote to memory of 1316 2904 Jgdfdbhk.exe 40 PID 2904 wrote to memory of 1316 2904 Jgdfdbhk.exe 40 PID 2904 wrote to memory of 1316 2904 Jgdfdbhk.exe 40 PID 2904 wrote to memory of 1316 2904 Jgdfdbhk.exe 40 PID 1316 wrote to memory of 1936 1316 Jkpbdq32.exe 41 PID 1316 wrote to memory of 1936 1316 Jkpbdq32.exe 41 PID 1316 wrote to memory of 1936 1316 Jkpbdq32.exe 41 PID 1316 wrote to memory of 1936 1316 Jkpbdq32.exe 41 PID 1936 wrote to memory of 1740 1936 Jdhgnf32.exe 42 PID 1936 wrote to memory of 1740 1936 Jdhgnf32.exe 42 PID 1936 wrote to memory of 1740 1936 Jdhgnf32.exe 42 PID 1936 wrote to memory of 1740 1936 Jdhgnf32.exe 42 PID 1740 wrote to memory of 3004 1740 Jkbojpna.exe 43 PID 1740 wrote to memory of 3004 1740 Jkbojpna.exe 43 PID 1740 wrote to memory of 3004 1740 Jkbojpna.exe 43 PID 1740 wrote to memory of 3004 1740 Jkbojpna.exe 43 PID 3004 wrote to memory of 2288 3004 Jpogbgmi.exe 44 PID 3004 wrote to memory of 2288 3004 Jpogbgmi.exe 44 PID 3004 wrote to memory of 2288 3004 Jpogbgmi.exe 44 PID 3004 wrote to memory of 2288 3004 Jpogbgmi.exe 44 PID 2288 wrote to memory of 2988 2288 Kcmcoblm.exe 45 PID 2288 wrote to memory of 2988 2288 Kcmcoblm.exe 45 PID 2288 wrote to memory of 2988 2288 Kcmcoblm.exe 45 PID 2288 wrote to memory of 2988 2288 Kcmcoblm.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2N.exe"C:\Users\Admin\AppData\Local\Temp\b80ccafd5950aad30390ce088a782bbb9b1eb380a1df7445bc3ed504f09061a2N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:408 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe33⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe34⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe35⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe38⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe40⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe41⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe42⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe43⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe46⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe47⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe48⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe51⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe52⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe54⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe56⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe57⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe59⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe60⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe61⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe62⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe63⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe64⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe65⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe66⤵PID:1928
-
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe67⤵PID:864
-
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe68⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe69⤵PID:2468
-
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe70⤵PID:2240
-
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe71⤵PID:2732
-
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe72⤵
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe73⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe74⤵PID:2652
-
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe75⤵PID:1288
-
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe76⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe77⤵PID:1308
-
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe78⤵PID:1128
-
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe79⤵PID:2704
-
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe80⤵PID:2844
-
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe81⤵PID:2368
-
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe82⤵PID:1244
-
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe83⤵PID:1236
-
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe84⤵PID:1892
-
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe85⤵PID:2116
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe86⤵
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe87⤵PID:2384
-
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe88⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe89⤵PID:2632
-
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe90⤵PID:2780
-
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe91⤵PID:2320
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe92⤵PID:380
-
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe93⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe94⤵PID:2796
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe95⤵PID:2548
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe96⤵PID:2436
-
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe97⤵PID:988
-
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe98⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe99⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe100⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe101⤵
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe102⤵PID:2136
-
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe103⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe104⤵PID:2508
-
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe105⤵PID:1684
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe106⤵PID:484
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe107⤵PID:664
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe108⤵PID:2956
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe109⤵PID:1704
-
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe110⤵PID:972
-
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe111⤵PID:1064
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe112⤵
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe113⤵PID:2748
-
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe114⤵PID:2772
-
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe115⤵PID:2140
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe116⤵PID:2236
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe117⤵PID:1088
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1764 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe119⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe120⤵
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe121⤵PID:1620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-