Analysis
-
max time kernel
117s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 17:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe
-
Size
406KB
-
MD5
dff16c30f8ea8fb2b7b94c04397dd710
-
SHA1
2abf9596239423bf678b4e97215ee7d68e84d7a2
-
SHA256
fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1b
-
SHA512
3634238724e97372f64df0e2904b1f8d624c756b52696fae055949ab8baa26a620a9d84864050b4149e0c2a7ffc6d09d8e5e45a32cd6df6002aa4ad0c2993b92
-
SSDEEP
6144:+f6gWITDEKX5U5TXH5U5Xj83XH5U1XH5U5Xj8s5DXH5U5qXH5XXH5U5oXH:GWAIKG53Ma3M3MvD3Mq3B3Mo3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aikine32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnoqbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaegha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpccnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbefen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nolhoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmmaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjeedio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaegha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbckh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdeonfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deeeafii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkjkdfjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehnmgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdohg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldobjec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdpkdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekaab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooabjbdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knlpphnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fogipnjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clqjblij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpnchjpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jflfbdqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdedoegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpjimk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkjbcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fflgahfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgcnihnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfmcapna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okmceiii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnmae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ockhpgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkfoikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajfoea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdckgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpkpie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djfagjai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edieng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaklei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inbobn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aipebm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqgnmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgaejeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhegckpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgghidfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbbnkfjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcooinfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnkggjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgllof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfedobef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enijcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihfmdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bimbbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooabjbdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdckgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifecen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgladc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncbilimn.exe -
Executes dropped EXE 64 IoCs
pid Process 2368 Abhnlqlf.exe 2724 Bbkkbpjc.exe 2836 Bgichoqj.exe 2608 Chccfe32.exe 2616 Cdlppf32.exe 2652 Cofaad32.exe 1940 Engnno32.exe 1064 Enijcn32.exe 2920 Epamlegl.exe 1080 Fngjmb32.exe 1864 Gaoiol32.exe 2948 Gmhfjm32.exe 1912 Hkgjge32.exe 2148 Hddgkj32.exe 1632 Ihfmdm32.exe 108 Jflfbdqe.exe 2076 Jimodo32.exe 1008 Knqnmeff.exe 1768 Lbgmah32.exe 340 Lmmaoq32.exe 2024 Lldkem32.exe 2300 Mlidplcf.exe 1388 Mpkjjofe.exe 888 Ngikaijm.exe 1160 Ncbilimn.exe 1696 Nlmjjo32.exe 2720 Odpeop32.exe 2768 Oqfeda32.exe 2796 Pcgnfl32.exe 2108 Pbohmh32.exe 2592 Pikmob32.exe 1732 Qjacai32.exe 2956 Aikine32.exe 2896 Abcngkmp.exe 1680 Bdiciboh.exe 2056 Boohgk32.exe 1756 Bimbbhgh.exe 1964 Condfo32.exe 2060 Ckgapo32.exe 2656 Ddbbod32.exe 1456 Dnkggjpj.exe 1548 Dkohanoc.exe 1728 Dpkpie32.exe 964 Dnoqbi32.exe 3040 Doqmjaac.exe 2016 Djfagjai.exe 2288 Dbaflm32.exe 236 Ecabfpff.exe 2152 Ehnknfdn.exe 2216 Ebfpglkn.exe 2732 Eqklhh32.exe 2828 Ejcaanfg.exe 2596 Edieng32.exe 2748 Edkbdf32.exe 2600 Ffmnloih.exe 3060 Fjkgampo.exe 2480 Fpgpjdnf.exe 2072 Fcehpbdm.exe 2560 Fefdhj32.exe 2904 Fbjeao32.exe 1980 Flcjjdpe.exe 1316 Ghjjoeei.exe 2232 Gdpkdf32.exe 1828 Gadkmj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2256 fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe 2256 fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe 2368 Abhnlqlf.exe 2368 Abhnlqlf.exe 2724 Bbkkbpjc.exe 2724 Bbkkbpjc.exe 2836 Bgichoqj.exe 2836 Bgichoqj.exe 2608 Chccfe32.exe 2608 Chccfe32.exe 2616 Cdlppf32.exe 2616 Cdlppf32.exe 2652 Cofaad32.exe 2652 Cofaad32.exe 1940 Engnno32.exe 1940 Engnno32.exe 1064 Enijcn32.exe 1064 Enijcn32.exe 2920 Epamlegl.exe 2920 Epamlegl.exe 1080 Fngjmb32.exe 1080 Fngjmb32.exe 1864 Gaoiol32.exe 1864 Gaoiol32.exe 2948 Gmhfjm32.exe 2948 Gmhfjm32.exe 1912 Hkgjge32.exe 1912 Hkgjge32.exe 2148 Hddgkj32.exe 2148 Hddgkj32.exe 1632 Ihfmdm32.exe 1632 Ihfmdm32.exe 108 Jflfbdqe.exe 108 Jflfbdqe.exe 2076 Jimodo32.exe 2076 Jimodo32.exe 1008 Knqnmeff.exe 1008 Knqnmeff.exe 1768 Lbgmah32.exe 1768 Lbgmah32.exe 340 Lmmaoq32.exe 340 Lmmaoq32.exe 2024 Lldkem32.exe 2024 Lldkem32.exe 2300 Mlidplcf.exe 2300 Mlidplcf.exe 1388 Mpkjjofe.exe 1388 Mpkjjofe.exe 888 Ngikaijm.exe 888 Ngikaijm.exe 1160 Ncbilimn.exe 1160 Ncbilimn.exe 1696 Nlmjjo32.exe 1696 Nlmjjo32.exe 2720 Odpeop32.exe 2720 Odpeop32.exe 2768 Oqfeda32.exe 2768 Oqfeda32.exe 2796 Pcgnfl32.exe 2796 Pcgnfl32.exe 2108 Pbohmh32.exe 2108 Pbohmh32.exe 2592 Pikmob32.exe 2592 Pikmob32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dphmiokb.exe Dljdcqek.exe File created C:\Windows\SysWOW64\Fflgahfm.exe Efjklh32.exe File opened for modification C:\Windows\SysWOW64\Knqnmeff.exe Jimodo32.exe File created C:\Windows\SysWOW64\Cidddpbi.dll Bbkmki32.exe File opened for modification C:\Windows\SysWOW64\Ejcaanfg.exe Eqklhh32.exe File created C:\Windows\SysWOW64\Neldbo32.exe Neihmpon.exe File created C:\Windows\SysWOW64\Abpjgekf.exe Abnmae32.exe File created C:\Windows\SysWOW64\Cagpldqg.exe Bbbckh32.exe File created C:\Windows\SysWOW64\Clqjblij.exe Cpjimk32.exe File created C:\Windows\SysWOW64\Jkkkga32.dll Lkbphfab.exe File created C:\Windows\SysWOW64\Caglpoco.dll Oooeeb32.exe File created C:\Windows\SysWOW64\Pgbalblp.dll Pgcmoc32.exe File opened for modification C:\Windows\SysWOW64\Lfnkejeg.exe Lcooinfc.exe File opened for modification C:\Windows\SysWOW64\Engnno32.exe Cofaad32.exe File created C:\Windows\SysWOW64\Bdiciboh.exe Abcngkmp.exe File created C:\Windows\SysWOW64\Bbeaaiga.dll Doqmjaac.exe File created C:\Windows\SysWOW64\Iodhfp32.dll Mllcodig.exe File created C:\Windows\SysWOW64\Ddbbod32.exe Ckgapo32.exe File created C:\Windows\SysWOW64\Cjbcfc32.dll Hpehje32.exe File created C:\Windows\SysWOW64\Pqcncnpe.exe Pconjjql.exe File created C:\Windows\SysWOW64\Fbfkce32.dll Fqmobelc.exe File created C:\Windows\SysWOW64\Fhdbgqke.dll Mpkjjofe.exe File created C:\Windows\SysWOW64\Ifecen32.exe Hbgjoo32.exe File created C:\Windows\SysWOW64\Lgomphhn.dll Hkgjge32.exe File opened for modification C:\Windows\SysWOW64\Hejcggee.exe Hhfcnb32.exe File created C:\Windows\SysWOW64\Gaoiol32.exe Fngjmb32.exe File opened for modification C:\Windows\SysWOW64\Fjkgampo.exe Ffmnloih.exe File opened for modification C:\Windows\SysWOW64\Nkhmkf32.exe Neldbo32.exe File opened for modification C:\Windows\SysWOW64\Oodejhfg.exe Oekaab32.exe File created C:\Windows\SysWOW64\Okkfoikl.exe Oodejhfg.exe File opened for modification C:\Windows\SysWOW64\Dhhkiq32.exe Ddjbbbna.exe File opened for modification C:\Windows\SysWOW64\Gmcogf32.exe Fqmobelc.exe File opened for modification C:\Windows\SysWOW64\Bjhgjdjd.exe Bjfkde32.exe File opened for modification C:\Windows\SysWOW64\Eained32.exe Edenlp32.exe File opened for modification C:\Windows\SysWOW64\Epnkfq32.exe Eained32.exe File created C:\Windows\SysWOW64\Gchfgkcp.dll Condfo32.exe File opened for modification C:\Windows\SysWOW64\Akahokho.exe Qbidffao.exe File created C:\Windows\SysWOW64\Pqodpj32.dll Pbohmh32.exe File created C:\Windows\SysWOW64\Eqklhh32.exe Ebfpglkn.exe File created C:\Windows\SysWOW64\Flcjjdpe.exe Fbjeao32.exe File created C:\Windows\SysWOW64\Cmgemh32.dll Kgienc32.exe File created C:\Windows\SysWOW64\Hakani32.exe Gpledf32.exe File opened for modification C:\Windows\SysWOW64\Nhlndj32.exe Nkhmkf32.exe File created C:\Windows\SysWOW64\Ojjaac32.dll Hhfcnb32.exe File created C:\Windows\SysWOW64\Hfpijngn.exe Hmheai32.exe File created C:\Windows\SysWOW64\Pdpfpofk.dll Doclijgd.exe File created C:\Windows\SysWOW64\Edenlp32.exe Ehnmgo32.exe File opened for modification C:\Windows\SysWOW64\Fqgnmo32.exe Fohacl32.exe File opened for modification C:\Windows\SysWOW64\Jgbkdkdk.exe Jmigke32.exe File created C:\Windows\SysWOW64\Jngfei32.exe Jdoblckh.exe File opened for modification C:\Windows\SysWOW64\Lbgmah32.exe Knqnmeff.exe File opened for modification C:\Windows\SysWOW64\Ihfmdm32.exe Hddgkj32.exe File created C:\Windows\SysWOW64\Adioke32.dll Dphmiokb.exe File created C:\Windows\SysWOW64\Lfanfg32.dll Mncijanc.exe File created C:\Windows\SysWOW64\Ajfoea32.exe Afhfpc32.exe File opened for modification C:\Windows\SysWOW64\Cboljemb.exe Cpnchjpa.exe File created C:\Windows\SysWOW64\Fdkfbo32.dll Bimbbhgh.exe File opened for modification C:\Windows\SysWOW64\Ehnmgo32.exe Eadejede.exe File created C:\Windows\SysWOW64\Hcakjgef.dll Edieng32.exe File created C:\Windows\SysWOW64\Gcmgdpid.exe Gmcogf32.exe File opened for modification C:\Windows\SysWOW64\Npdohg32.exe Nlgfbh32.exe File created C:\Windows\SysWOW64\Qabhbm32.dll Gpledf32.exe File created C:\Windows\SysWOW64\Fiqabdlf.dll Lmmcgilj.exe File created C:\Windows\SysWOW64\Cmqmgedi.exe Chdeonfa.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3152 2068 WerFault.exe 286 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbaflm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aikkgnnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgapo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpjdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemggm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieoiai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epamlegl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimbbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcaanfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbobn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fflgahfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpbiaqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnkggjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjbbbna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgienc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqgnmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqnmeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Condfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecabfpff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmhjlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjacai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flcjjdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogipnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbegmqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbkdkdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdigocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpdej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbhpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefdhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onplmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dljdcqek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcngkmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqcncnpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdklcebk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eadejede.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjbljh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnmeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlppf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpehje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpccnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipaqqli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doclijgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijokcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaegha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deeeafii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmigke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpkjjofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdeonfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iejpfjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mncijanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddgkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlndj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkoeoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmbilhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpejcnlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhfjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqmjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkfoikl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pconjjql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjklh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klkjbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmaoq32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpnchjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnooj32.dll" Clqjblij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odpeop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbeaaiga.dll" Doqmjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Medobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhlndj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkoeoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlppf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnkggjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcodfll.dll" Iccqedfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iccqedfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbefen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnjal32.dll" Fohacl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inbobn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfof32.dll" Ianmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmdpcnm.dll" Ooabjbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnkblgl.dll" Ngikaijm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpehje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kglhbijp.dll" Pconjjql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkpfjnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liaggk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Albihnhf.dll" Beibln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enijcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jchjqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eained32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlgfbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcfbhb32.dll" Abhnlqlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjbljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abhnlqlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djfagjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epamlegl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iccqedfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opliigcq.dll" Klkjbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mllcodig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kigkmmql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqcncnpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgmfph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onplmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addklpal.dll" Gplgmodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohhfn32.dll" Dkohanoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofnnj32.dll" Ebfpglkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfekk32.dll" Kbefen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klkjbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkjkdfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfpofk.dll" Doclijgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbkkbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkgnh32.dll" Ncbilimn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqfeda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neihmpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnjfc32.dll" Lfanep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpnhmi32.dll" Fqgnmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfclji32.dll" Fcehpbdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnbhpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aikkgnnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beibln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbjeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namjglek.dll" Hpejcnlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkhmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbllfi.dll" Oodejhfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldgkid32.dll" Mnefpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmqmgedi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abnmae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcmgdpid.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2256 wrote to memory of 2368 2256 fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe 29 PID 2256 wrote to memory of 2368 2256 fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe 29 PID 2256 wrote to memory of 2368 2256 fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe 29 PID 2256 wrote to memory of 2368 2256 fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe 29 PID 2368 wrote to memory of 2724 2368 Abhnlqlf.exe 30 PID 2368 wrote to memory of 2724 2368 Abhnlqlf.exe 30 PID 2368 wrote to memory of 2724 2368 Abhnlqlf.exe 30 PID 2368 wrote to memory of 2724 2368 Abhnlqlf.exe 30 PID 2724 wrote to memory of 2836 2724 Bbkkbpjc.exe 31 PID 2724 wrote to memory of 2836 2724 Bbkkbpjc.exe 31 PID 2724 wrote to memory of 2836 2724 Bbkkbpjc.exe 31 PID 2724 wrote to memory of 2836 2724 Bbkkbpjc.exe 31 PID 2836 wrote to memory of 2608 2836 Bgichoqj.exe 32 PID 2836 wrote to memory of 2608 2836 Bgichoqj.exe 32 PID 2836 wrote to memory of 2608 2836 Bgichoqj.exe 32 PID 2836 wrote to memory of 2608 2836 Bgichoqj.exe 32 PID 2608 wrote to memory of 2616 2608 Chccfe32.exe 33 PID 2608 wrote to memory of 2616 2608 Chccfe32.exe 33 PID 2608 wrote to memory of 2616 2608 Chccfe32.exe 33 PID 2608 wrote to memory of 2616 2608 Chccfe32.exe 33 PID 2616 wrote to memory of 2652 2616 Cdlppf32.exe 34 PID 2616 wrote to memory of 2652 2616 Cdlppf32.exe 34 PID 2616 wrote to memory of 2652 2616 Cdlppf32.exe 34 PID 2616 wrote to memory of 2652 2616 Cdlppf32.exe 34 PID 2652 wrote to memory of 1940 2652 Cofaad32.exe 35 PID 2652 wrote to memory of 1940 2652 Cofaad32.exe 35 PID 2652 wrote to memory of 1940 2652 Cofaad32.exe 35 PID 2652 wrote to memory of 1940 2652 Cofaad32.exe 35 PID 1940 wrote to memory of 1064 1940 Engnno32.exe 36 PID 1940 wrote to memory of 1064 1940 Engnno32.exe 36 PID 1940 wrote to memory of 1064 1940 Engnno32.exe 36 PID 1940 wrote to memory of 1064 1940 Engnno32.exe 36 PID 1064 wrote to memory of 2920 1064 Enijcn32.exe 37 PID 1064 wrote to memory of 2920 1064 Enijcn32.exe 37 PID 1064 wrote to memory of 2920 1064 Enijcn32.exe 37 PID 1064 wrote to memory of 2920 1064 Enijcn32.exe 37 PID 2920 wrote to memory of 1080 2920 Epamlegl.exe 38 PID 2920 wrote to memory of 1080 2920 Epamlegl.exe 38 PID 2920 wrote to memory of 1080 2920 Epamlegl.exe 38 PID 2920 wrote to memory of 1080 2920 Epamlegl.exe 38 PID 1080 wrote to memory of 1864 1080 Fngjmb32.exe 39 PID 1080 wrote to memory of 1864 1080 Fngjmb32.exe 39 PID 1080 wrote to memory of 1864 1080 Fngjmb32.exe 39 PID 1080 wrote to memory of 1864 1080 Fngjmb32.exe 39 PID 1864 wrote to memory of 2948 1864 Gaoiol32.exe 40 PID 1864 wrote to memory of 2948 1864 Gaoiol32.exe 40 PID 1864 wrote to memory of 2948 1864 Gaoiol32.exe 40 PID 1864 wrote to memory of 2948 1864 Gaoiol32.exe 40 PID 2948 wrote to memory of 1912 2948 Gmhfjm32.exe 41 PID 2948 wrote to memory of 1912 2948 Gmhfjm32.exe 41 PID 2948 wrote to memory of 1912 2948 Gmhfjm32.exe 41 PID 2948 wrote to memory of 1912 2948 Gmhfjm32.exe 41 PID 1912 wrote to memory of 2148 1912 Hkgjge32.exe 42 PID 1912 wrote to memory of 2148 1912 Hkgjge32.exe 42 PID 1912 wrote to memory of 2148 1912 Hkgjge32.exe 42 PID 1912 wrote to memory of 2148 1912 Hkgjge32.exe 42 PID 2148 wrote to memory of 1632 2148 Hddgkj32.exe 43 PID 2148 wrote to memory of 1632 2148 Hddgkj32.exe 43 PID 2148 wrote to memory of 1632 2148 Hddgkj32.exe 43 PID 2148 wrote to memory of 1632 2148 Hddgkj32.exe 43 PID 1632 wrote to memory of 108 1632 Ihfmdm32.exe 44 PID 1632 wrote to memory of 108 1632 Ihfmdm32.exe 44 PID 1632 wrote to memory of 108 1632 Ihfmdm32.exe 44 PID 1632 wrote to memory of 108 1632 Ihfmdm32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe"C:\Users\Admin\AppData\Local\Temp\fbdfad1e5ae86e1f3fe7b80a3a18c1b6ec03542f2c6c59f22fc854ab6f0d0b1bN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Abhnlqlf.exeC:\Windows\system32\Abhnlqlf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Bbkkbpjc.exeC:\Windows\system32\Bbkkbpjc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Bgichoqj.exeC:\Windows\system32\Bgichoqj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Chccfe32.exeC:\Windows\system32\Chccfe32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Cdlppf32.exeC:\Windows\system32\Cdlppf32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Cofaad32.exeC:\Windows\system32\Cofaad32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Engnno32.exeC:\Windows\system32\Engnno32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Enijcn32.exeC:\Windows\system32\Enijcn32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Epamlegl.exeC:\Windows\system32\Epamlegl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Fngjmb32.exeC:\Windows\system32\Fngjmb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Gaoiol32.exeC:\Windows\system32\Gaoiol32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Gmhfjm32.exeC:\Windows\system32\Gmhfjm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Hkgjge32.exeC:\Windows\system32\Hkgjge32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Hddgkj32.exeC:\Windows\system32\Hddgkj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Ihfmdm32.exeC:\Windows\system32\Ihfmdm32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Jflfbdqe.exeC:\Windows\system32\Jflfbdqe.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Jimodo32.exeC:\Windows\system32\Jimodo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\Lbgmah32.exeC:\Windows\system32\Lbgmah32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Lmmaoq32.exeC:\Windows\system32\Lmmaoq32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:340 -
C:\Windows\SysWOW64\Lldkem32.exeC:\Windows\system32\Lldkem32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Mlidplcf.exeC:\Windows\system32\Mlidplcf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Mpkjjofe.exeC:\Windows\system32\Mpkjjofe.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1388 -
C:\Windows\SysWOW64\Ngikaijm.exeC:\Windows\system32\Ngikaijm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Ncbilimn.exeC:\Windows\system32\Ncbilimn.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Nlmjjo32.exeC:\Windows\system32\Nlmjjo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Odpeop32.exeC:\Windows\system32\Odpeop32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Oqfeda32.exeC:\Windows\system32\Oqfeda32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Pcgnfl32.exeC:\Windows\system32\Pcgnfl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Pikmob32.exeC:\Windows\system32\Pikmob32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Qjacai32.exeC:\Windows\system32\Qjacai32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Aikine32.exeC:\Windows\system32\Aikine32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Abcngkmp.exeC:\Windows\system32\Abcngkmp.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Bdiciboh.exeC:\Windows\system32\Bdiciboh.exe36⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Boohgk32.exeC:\Windows\system32\Boohgk32.exe37⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Bimbbhgh.exeC:\Windows\system32\Bimbbhgh.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Condfo32.exeC:\Windows\system32\Condfo32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Ckgapo32.exeC:\Windows\system32\Ckgapo32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Ddbbod32.exeC:\Windows\system32\Ddbbod32.exe41⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Dnkggjpj.exeC:\Windows\system32\Dnkggjpj.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Dkohanoc.exeC:\Windows\system32\Dkohanoc.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Dpkpie32.exeC:\Windows\system32\Dpkpie32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Dnoqbi32.exeC:\Windows\system32\Dnoqbi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Doqmjaac.exeC:\Windows\system32\Doqmjaac.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Djfagjai.exeC:\Windows\system32\Djfagjai.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Dbaflm32.exeC:\Windows\system32\Dbaflm32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Ecabfpff.exeC:\Windows\system32\Ecabfpff.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:236 -
C:\Windows\SysWOW64\Ehnknfdn.exeC:\Windows\system32\Ehnknfdn.exe50⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Ebfpglkn.exeC:\Windows\system32\Ebfpglkn.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Eqklhh32.exeC:\Windows\system32\Eqklhh32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Ejcaanfg.exeC:\Windows\system32\Ejcaanfg.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Edieng32.exeC:\Windows\system32\Edieng32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Edkbdf32.exeC:\Windows\system32\Edkbdf32.exe55⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ffmnloih.exeC:\Windows\system32\Ffmnloih.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Fjkgampo.exeC:\Windows\system32\Fjkgampo.exe57⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Fpgpjdnf.exeC:\Windows\system32\Fpgpjdnf.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\SysWOW64\Fcehpbdm.exeC:\Windows\system32\Fcehpbdm.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Fefdhj32.exeC:\Windows\system32\Fefdhj32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Fbjeao32.exeC:\Windows\system32\Fbjeao32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Flcjjdpe.exeC:\Windows\system32\Flcjjdpe.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Ghjjoeei.exeC:\Windows\system32\Ghjjoeei.exe63⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Gdpkdf32.exeC:\Windows\system32\Gdpkdf32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Gadkmj32.exeC:\Windows\system32\Gadkmj32.exe65⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Gdedoegh.exeC:\Windows\system32\Gdedoegh.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1120 -
C:\Windows\SysWOW64\Gpledf32.exeC:\Windows\system32\Gpledf32.exe67⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Hakani32.exeC:\Windows\system32\Hakani32.exe68⤵PID:1476
-
C:\Windows\SysWOW64\Hemggm32.exeC:\Windows\system32\Hemggm32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Hfmcapna.exeC:\Windows\system32\Hfmcapna.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Hpehje32.exeC:\Windows\system32\Hpehje32.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Hebqbl32.exeC:\Windows\system32\Hebqbl32.exe72⤵PID:2664
-
C:\Windows\SysWOW64\Hojeka32.exeC:\Windows\system32\Hojeka32.exe73⤵PID:1804
-
C:\Windows\SysWOW64\Iegjnkod.exeC:\Windows\system32\Iegjnkod.exe74⤵PID:1776
-
C:\Windows\SysWOW64\Inbobn32.exeC:\Windows\system32\Inbobn32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Icadpd32.exeC:\Windows\system32\Icadpd32.exe76⤵PID:2824
-
C:\Windows\SysWOW64\Iccqedfa.exeC:\Windows\system32\Iccqedfa.exe77⤵
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Jfdigocb.exeC:\Windows\system32\Jfdigocb.exe78⤵
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Jchjqc32.exeC:\Windows\system32\Jchjqc32.exe79⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Jkcoee32.exeC:\Windows\system32\Jkcoee32.exe80⤵PID:1688
-
C:\Windows\SysWOW64\Jdlcnkfg.exeC:\Windows\system32\Jdlcnkfg.exe81⤵PID:2104
-
C:\Windows\SysWOW64\Jgllof32.exeC:\Windows\system32\Jgllof32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Kkjeedio.exeC:\Windows\system32\Kkjeedio.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Kgaejeoc.exeC:\Windows\system32\Kgaejeoc.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2928 -
C:\Windows\SysWOW64\Kchfpf32.exeC:\Windows\system32\Kchfpf32.exe85⤵PID:2900
-
C:\Windows\SysWOW64\Kigkmmql.exeC:\Windows\system32\Kigkmmql.exe86⤵
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Kkhdohnm.exeC:\Windows\system32\Kkhdohnm.exe87⤵PID:2996
-
C:\Windows\SysWOW64\Lkjadh32.exeC:\Windows\system32\Lkjadh32.exe88⤵PID:2176
-
C:\Windows\SysWOW64\Mdaedhoh.exeC:\Windows\system32\Mdaedhoh.exe89⤵PID:844
-
C:\Windows\SysWOW64\Mmijmn32.exeC:\Windows\system32\Mmijmn32.exe90⤵PID:2092
-
C:\Windows\SysWOW64\Medobp32.exeC:\Windows\system32\Medobp32.exe91⤵
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Mhegckpd.exeC:\Windows\system32\Mhegckpd.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Neihmpon.exeC:\Windows\system32\Neihmpon.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:392 -
C:\Windows\SysWOW64\Neldbo32.exeC:\Windows\system32\Neldbo32.exe94⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Nkhmkf32.exeC:\Windows\system32\Nkhmkf32.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:360 -
C:\Windows\SysWOW64\Nhlndj32.exeC:\Windows\system32\Nhlndj32.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:272 -
C:\Windows\SysWOW64\Nhojjjhj.exeC:\Windows\system32\Nhojjjhj.exe97⤵PID:2772
-
C:\Windows\SysWOW64\Ndekok32.exeC:\Windows\system32\Ndekok32.exe98⤵PID:2220
-
C:\Windows\SysWOW64\Nibcgb32.exeC:\Windows\system32\Nibcgb32.exe99⤵PID:2568
-
C:\Windows\SysWOW64\Ockhpgbf.exeC:\Windows\system32\Ockhpgbf.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Onplmp32.exeC:\Windows\system32\Onplmp32.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Oekaab32.exeC:\Windows\system32\Oekaab32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Oodejhfg.exeC:\Windows\system32\Oodejhfg.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Okkfoikl.exeC:\Windows\system32\Okkfoikl.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Okmceiii.exeC:\Windows\system32\Okmceiii.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:980 -
C:\Windows\SysWOW64\Pokkkgpo.exeC:\Windows\system32\Pokkkgpo.exe106⤵PID:2892
-
C:\Windows\SysWOW64\Pgfpoimj.exeC:\Windows\system32\Pgfpoimj.exe107⤵PID:2488
-
C:\Windows\SysWOW64\Pconjjql.exeC:\Windows\system32\Pconjjql.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Pqcncnpe.exeC:\Windows\system32\Pqcncnpe.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Pgmfph32.exeC:\Windows\system32\Pgmfph32.exe110⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Qohkdkdn.exeC:\Windows\system32\Qohkdkdn.exe111⤵PID:972
-
C:\Windows\SysWOW64\Qbidffao.exeC:\Windows\system32\Qbidffao.exe112⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Akahokho.exeC:\Windows\system32\Akahokho.exe113⤵PID:1868
-
C:\Windows\SysWOW64\Abnmae32.exeC:\Windows\system32\Abnmae32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Abpjgekf.exeC:\Windows\system32\Abpjgekf.exe115⤵PID:2496
-
C:\Windows\SysWOW64\Akhopj32.exeC:\Windows\system32\Akhopj32.exe116⤵PID:2696
-
C:\Windows\SysWOW64\Aaegha32.exeC:\Windows\system32\Aaegha32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Apjdin32.exeC:\Windows\system32\Apjdin32.exe118⤵PID:2228
-
C:\Windows\SysWOW64\Bichbckg.exeC:\Windows\system32\Bichbckg.exe119⤵PID:1700
-
C:\Windows\SysWOW64\Bbkmki32.exeC:\Windows\system32\Bbkmki32.exe120⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Bckidl32.exeC:\Windows\system32\Bckidl32.exe121⤵PID:2460
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-