Analysis
-
max time kernel
114s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-09-2024 03:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe
-
Size
443KB
-
MD5
fbcc862c4d0857955f2dd4471f221050
-
SHA1
aa2bf96aa25e8e65dc2ca73af5fd8dc352ec0ace
-
SHA256
132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170
-
SHA512
3c9e243c9ba279d05532c64ad05445d3f2073e6dfba9243089a82c128d5f2e3647a9204603de75fa872d55eeb4f301a48aae3a27376899b9f6590d71d250f252
-
SSDEEP
6144:gRUJKSw67+U97zeXmRL13n4GAI13n4GAvs0PEpNF0pNO021fv13n4GA3uKjwsze+:gR5SwWf1J1HJ1Uj+HiPj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ompgqonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kehgkgha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcfdji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekofgnna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmohcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndekok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbgnpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkqbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmnccn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Campbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcaehhnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idncdgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnhjae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbidof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdqlkhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlenm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbglgcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glmecbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqdaal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dggcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjdiigbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkopjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epcomc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnplgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejjah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhpeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgkjji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Belfldoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmqckf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnpknl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooiepnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giljinne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnhlgoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfmoidh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icponb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkkfdmpq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmkjjbhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmgkoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkcagn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhhphmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaojiqej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofohkgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emilqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghlell32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaokhdja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobkhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpafhpaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgknpfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldgpea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfdnnlbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdkfco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlngdhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhjae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghnaaljp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdophn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qklfqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdefdjnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpcjfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adohpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhoikfbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfecim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmoone32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lojeda32.exe -
Executes dropped EXE 64 IoCs
pid Process 2416 Epjbienl.exe 2872 Ekofgnna.exe 2644 Elqcnfdp.exe 2900 Fnplgl32.exe 2640 Fnbhmlkk.exe 2500 Gkchpcoc.exe 1064 Hbpmbndm.exe 2624 Hmnhnk32.exe 1076 Ilfadg32.exe 2908 Ienfml32.exe 2136 Jpomnilc.exe 1068 Jpajdi32.exe 3000 Jlmddi32.exe 2324 Kgknpfdi.exe 2264 Kpeonkig.exe 2508 Lnlmmo32.exe 684 Ljbmbpkb.exe 2412 Lfingaaf.exe 600 Mdeaim32.exe 1460 Mmafmo32.exe 956 Mqoocmcg.exe 2068 Npdkdjhp.exe 2044 Nilpmo32.exe 1716 Nnkekfkd.exe 2824 Oaaghp32.exe 2844 Onehadbj.exe 2752 Oiniaboi.exe 664 Oiqegb32.exe 2208 Ofefqf32.exe 2684 Popkeh32.exe 2680 Pdamhocm.exe 2532 Pogaeg32.exe 2156 Pmlngdhk.exe 2676 Qkbkfh32.exe 1604 Ajghgd32.exe 2520 Aodqok32.exe 1136 Aagfffbo.exe 2988 Akpkok32.exe 2452 Aggkdlod.exe 2184 Bdklnq32.exe 2488 Bbolge32.exe 2456 Bnhjae32.exe 936 Biakbc32.exe 1932 Bcgoolln.exe 1448 Cfekkgla.exe 2600 Cicggcke.exe 2392 Cbllph32.exe 824 Cmapna32.exe 1736 Cfjdfg32.exe 1588 Cgkanomj.exe 1456 Cgmndokg.exe 2172 Ehbcnajn.exe 2968 Edkahbmo.exe 1564 Eaoaafli.exe 388 Fcegdnna.exe 1684 Flmlmc32.exe 2128 Fgcpkldh.exe 2668 Fpkdca32.exe 2820 Ficilgai.exe 832 Fejjah32.exe 2992 Gemfghek.exe 2252 Gnhkkjbf.exe 1452 Ghmohcbl.exe 940 Gddpndhp.exe -
Loads dropped DLL 64 IoCs
pid Process 2716 132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe 2716 132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe 2416 Epjbienl.exe 2416 Epjbienl.exe 2872 Ekofgnna.exe 2872 Ekofgnna.exe 2644 Elqcnfdp.exe 2644 Elqcnfdp.exe 2900 Fnplgl32.exe 2900 Fnplgl32.exe 2640 Fnbhmlkk.exe 2640 Fnbhmlkk.exe 2500 Gkchpcoc.exe 2500 Gkchpcoc.exe 1064 Hbpmbndm.exe 1064 Hbpmbndm.exe 2624 Hmnhnk32.exe 2624 Hmnhnk32.exe 1076 Ilfadg32.exe 1076 Ilfadg32.exe 2908 Ienfml32.exe 2908 Ienfml32.exe 2136 Jpomnilc.exe 2136 Jpomnilc.exe 1068 Jpajdi32.exe 1068 Jpajdi32.exe 3000 Jlmddi32.exe 3000 Jlmddi32.exe 2324 Kgknpfdi.exe 2324 Kgknpfdi.exe 2264 Kpeonkig.exe 2264 Kpeonkig.exe 2508 Lnlmmo32.exe 2508 Lnlmmo32.exe 684 Ljbmbpkb.exe 684 Ljbmbpkb.exe 2412 Lfingaaf.exe 2412 Lfingaaf.exe 600 Mdeaim32.exe 600 Mdeaim32.exe 1460 Mmafmo32.exe 1460 Mmafmo32.exe 956 Mqoocmcg.exe 956 Mqoocmcg.exe 2068 Npdkdjhp.exe 2068 Npdkdjhp.exe 2044 Nilpmo32.exe 2044 Nilpmo32.exe 1716 Nnkekfkd.exe 1716 Nnkekfkd.exe 2824 Oaaghp32.exe 2824 Oaaghp32.exe 2844 Onehadbj.exe 2844 Onehadbj.exe 2752 Oiniaboi.exe 2752 Oiniaboi.exe 664 Oiqegb32.exe 664 Oiqegb32.exe 2208 Ofefqf32.exe 2208 Ofefqf32.exe 2684 Popkeh32.exe 2684 Popkeh32.exe 2680 Pdamhocm.exe 2680 Pdamhocm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Panpgn32.exe Pdjpmi32.exe File opened for modification C:\Windows\SysWOW64\Fianpp32.exe Fjlaod32.exe File created C:\Windows\SysWOW64\Abgbihnk.dll Kebgea32.exe File created C:\Windows\SysWOW64\Enijcn32.exe Edafjiqe.exe File created C:\Windows\SysWOW64\Oeidlc32.exe Odhhdk32.exe File created C:\Windows\SysWOW64\Lkaccp32.dll Hbpmbndm.exe File created C:\Windows\SysWOW64\Ngpfbjkg.dll Pdamhocm.exe File created C:\Windows\SysWOW64\Kieocoid.dll Medligko.exe File created C:\Windows\SysWOW64\Nlkgdg32.dll Pqlfjfni.exe File created C:\Windows\SysWOW64\Nagielfp.dll Fknido32.exe File opened for modification C:\Windows\SysWOW64\Nfeljlqh.exe Ndfppije.exe File created C:\Windows\SysWOW64\Dqiakm32.exe Dklibf32.exe File created C:\Windows\SysWOW64\Bnbgab32.dll Fpoleilj.exe File created C:\Windows\SysWOW64\Afjplj32.exe Afhcgjkq.exe File created C:\Windows\SysWOW64\Mqnihf32.dll Aaqnmbdd.exe File created C:\Windows\SysWOW64\Kfioaaah.exe Koogdg32.exe File opened for modification C:\Windows\SysWOW64\Ljhppo32.exe Lcnhcdkp.exe File opened for modification C:\Windows\SysWOW64\Nkbdbbop.exe Nfeljlqh.exe File created C:\Windows\SysWOW64\Egbffj32.exe Emieflec.exe File opened for modification C:\Windows\SysWOW64\Lehfcc32.exe Liaenblm.exe File opened for modification C:\Windows\SysWOW64\Ahpfoa32.exe Aikine32.exe File created C:\Windows\SysWOW64\Dlomfh32.dll Hlebog32.exe File created C:\Windows\SysWOW64\Ohqbbi32.exe Nkjeod32.exe File created C:\Windows\SysWOW64\Agmacgcc.exe Akfaof32.exe File created C:\Windows\SysWOW64\Glbcpokl.exe Gpkckneh.exe File created C:\Windows\SysWOW64\Mqoocmcg.exe Mmafmo32.exe File created C:\Windows\SysWOW64\Nhejknlm.dll Gjcekj32.exe File opened for modification C:\Windows\SysWOW64\Kkpekjie.exe Kmjhjndm.exe File opened for modification C:\Windows\SysWOW64\Dhknigfq.exe Dhiacg32.exe File created C:\Windows\SysWOW64\Mdeaim32.exe Lfingaaf.exe File created C:\Windows\SysWOW64\Babbpc32.exe Bapejd32.exe File opened for modification C:\Windows\SysWOW64\Glmecbbj.exe Gpfeoqmf.exe File created C:\Windows\SysWOW64\Gdnlhg32.dll Elqcnfdp.exe File created C:\Windows\SysWOW64\Gcimop32.exe Glpdbfek.exe File opened for modification C:\Windows\SysWOW64\Iecaad32.exe Ikkmho32.exe File opened for modification C:\Windows\SysWOW64\Qfdnnlbc.exe Qpjeaa32.exe File opened for modification C:\Windows\SysWOW64\Oqaliabh.exe Okecak32.exe File created C:\Windows\SysWOW64\Ighfecdb.exe Iaknmm32.exe File opened for modification C:\Windows\SysWOW64\Qibhao32.exe Qpjchicb.exe File opened for modification C:\Windows\SysWOW64\Hacoio32.exe Hdonpjbi.exe File created C:\Windows\SysWOW64\Kcclni32.dll Onelbfab.exe File opened for modification C:\Windows\SysWOW64\Mcoioi32.exe Lfkhed32.exe File created C:\Windows\SysWOW64\Diqabd32.exe Dokmel32.exe File created C:\Windows\SysWOW64\Gadllf32.dll Dbidof32.exe File created C:\Windows\SysWOW64\Dcijmhdj.exe Dmobpn32.exe File created C:\Windows\SysWOW64\Ikfffh32.exe Ihfmdm32.exe File created C:\Windows\SysWOW64\Nldgdpjf.exe Mggoli32.exe File created C:\Windows\SysWOW64\Qcdgei32.exe Pjlbld32.exe File created C:\Windows\SysWOW64\Npaeak32.dll Qamleagn.exe File opened for modification C:\Windows\SysWOW64\Hhjhgpcn.exe Ghaeaaki.exe File created C:\Windows\SysWOW64\Lbgkhoml.exe Lkkfdmpq.exe File created C:\Windows\SysWOW64\Ccgahe32.exe Bnjipn32.exe File created C:\Windows\SysWOW64\Ofcebj32.dll Gbdobc32.exe File created C:\Windows\SysWOW64\Bbcjfn32.exe Bkheal32.exe File opened for modification C:\Windows\SysWOW64\Gpknjp32.exe Gbgnpl32.exe File created C:\Windows\SysWOW64\Fkafkl32.dll Kdincdcl.exe File created C:\Windows\SysWOW64\Apllml32.exe Achlch32.exe File opened for modification C:\Windows\SysWOW64\Cmjoaofc.exe Cofohkgi.exe File created C:\Windows\SysWOW64\Defbjb32.dll Dddodd32.exe File created C:\Windows\SysWOW64\Pgkjji32.exe Pnbeacbd.exe File created C:\Windows\SysWOW64\Gbecal32.dll Aghidl32.exe File created C:\Windows\SysWOW64\Jpnfdbig.exe Jplinckj.exe File created C:\Windows\SysWOW64\Ahpfoa32.exe Aikine32.exe File created C:\Windows\SysWOW64\Aahqpjlb.dll Mkbhco32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 284 3320 WerFault.exe 632 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafilj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnpbbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaojiqej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anpekggc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekofgnna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjlenm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaagnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ficilgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodqok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqhhin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaegha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glmecbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkchpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clmdjmpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekncjfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjomlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhqmogam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfioaaah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblgkkfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnmjokn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modano32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjqpcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejbhbpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmabaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhjae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbffj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddoep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgljfmkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onelbfab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ognobcqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofefqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiefqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqiakm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjbml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegdinpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecabfpff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiqegb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkhed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanpmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkalph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adohpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckopch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behnkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfmoidh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmnhnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agmacgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjbjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfgeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chickknc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdqlkhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmfiefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihcakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idncdgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojlmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcimop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbooen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkjeod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbblpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babdhlmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnmhnhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogqlgbi.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behnkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kffblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmial32.dll" Ngonpgqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfobjdoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbcjfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpmqom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhaibnim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcodcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmcfdjn.dll" Lknbjlnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqlfjfni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glgcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaegha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbllph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgogqmha.dll" Ficilgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Denglpkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcdgei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Belfldoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpafhpaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeijmg32.dll" Ojlmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjbpaea.dll" Hggeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giiinjlg.dll" Lcnhcdkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdophn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmoone32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffcdlncp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaqnmbdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofednkl.dll" Bhgaan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbidof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Makmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgfcabeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdfgd32.dll" Fnbhmlkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkjeod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hacoio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjcekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgbanlfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhaobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnkbcmaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gigano32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcijmhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkhhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcpcnqpo.dll" Lanpmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mliibj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Micnbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaokhdja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epjbienl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefeaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaaghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhgjjgoq.dll" Hlijan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkpekjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkjadh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ienfml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oafclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halhkamm.dll" Enliaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefeaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdincdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agonig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbjnb32.dll" Ifndph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdkfco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbodpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enjcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igjckcbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjodqe32.dll" Mooppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odhhdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhlgnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnimeg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2716 wrote to memory of 2416 2716 132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe 29 PID 2716 wrote to memory of 2416 2716 132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe 29 PID 2716 wrote to memory of 2416 2716 132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe 29 PID 2716 wrote to memory of 2416 2716 132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe 29 PID 2416 wrote to memory of 2872 2416 Epjbienl.exe 30 PID 2416 wrote to memory of 2872 2416 Epjbienl.exe 30 PID 2416 wrote to memory of 2872 2416 Epjbienl.exe 30 PID 2416 wrote to memory of 2872 2416 Epjbienl.exe 30 PID 2872 wrote to memory of 2644 2872 Ekofgnna.exe 31 PID 2872 wrote to memory of 2644 2872 Ekofgnna.exe 31 PID 2872 wrote to memory of 2644 2872 Ekofgnna.exe 31 PID 2872 wrote to memory of 2644 2872 Ekofgnna.exe 31 PID 2644 wrote to memory of 2900 2644 Elqcnfdp.exe 32 PID 2644 wrote to memory of 2900 2644 Elqcnfdp.exe 32 PID 2644 wrote to memory of 2900 2644 Elqcnfdp.exe 32 PID 2644 wrote to memory of 2900 2644 Elqcnfdp.exe 32 PID 2900 wrote to memory of 2640 2900 Fnplgl32.exe 33 PID 2900 wrote to memory of 2640 2900 Fnplgl32.exe 33 PID 2900 wrote to memory of 2640 2900 Fnplgl32.exe 33 PID 2900 wrote to memory of 2640 2900 Fnplgl32.exe 33 PID 2640 wrote to memory of 2500 2640 Fnbhmlkk.exe 34 PID 2640 wrote to memory of 2500 2640 Fnbhmlkk.exe 34 PID 2640 wrote to memory of 2500 2640 Fnbhmlkk.exe 34 PID 2640 wrote to memory of 2500 2640 Fnbhmlkk.exe 34 PID 2500 wrote to memory of 1064 2500 Gkchpcoc.exe 35 PID 2500 wrote to memory of 1064 2500 Gkchpcoc.exe 35 PID 2500 wrote to memory of 1064 2500 Gkchpcoc.exe 35 PID 2500 wrote to memory of 1064 2500 Gkchpcoc.exe 35 PID 1064 wrote to memory of 2624 1064 Hbpmbndm.exe 36 PID 1064 wrote to memory of 2624 1064 Hbpmbndm.exe 36 PID 1064 wrote to memory of 2624 1064 Hbpmbndm.exe 36 PID 1064 wrote to memory of 2624 1064 Hbpmbndm.exe 36 PID 2624 wrote to memory of 1076 2624 Hmnhnk32.exe 37 PID 2624 wrote to memory of 1076 2624 Hmnhnk32.exe 37 PID 2624 wrote to memory of 1076 2624 Hmnhnk32.exe 37 PID 2624 wrote to memory of 1076 2624 Hmnhnk32.exe 37 PID 1076 wrote to memory of 2908 1076 Ilfadg32.exe 38 PID 1076 wrote to memory of 2908 1076 Ilfadg32.exe 38 PID 1076 wrote to memory of 2908 1076 Ilfadg32.exe 38 PID 1076 wrote to memory of 2908 1076 Ilfadg32.exe 38 PID 2908 wrote to memory of 2136 2908 Ienfml32.exe 39 PID 2908 wrote to memory of 2136 2908 Ienfml32.exe 39 PID 2908 wrote to memory of 2136 2908 Ienfml32.exe 39 PID 2908 wrote to memory of 2136 2908 Ienfml32.exe 39 PID 2136 wrote to memory of 1068 2136 Jpomnilc.exe 40 PID 2136 wrote to memory of 1068 2136 Jpomnilc.exe 40 PID 2136 wrote to memory of 1068 2136 Jpomnilc.exe 40 PID 2136 wrote to memory of 1068 2136 Jpomnilc.exe 40 PID 1068 wrote to memory of 3000 1068 Jpajdi32.exe 41 PID 1068 wrote to memory of 3000 1068 Jpajdi32.exe 41 PID 1068 wrote to memory of 3000 1068 Jpajdi32.exe 41 PID 1068 wrote to memory of 3000 1068 Jpajdi32.exe 41 PID 3000 wrote to memory of 2324 3000 Jlmddi32.exe 42 PID 3000 wrote to memory of 2324 3000 Jlmddi32.exe 42 PID 3000 wrote to memory of 2324 3000 Jlmddi32.exe 42 PID 3000 wrote to memory of 2324 3000 Jlmddi32.exe 42 PID 2324 wrote to memory of 2264 2324 Kgknpfdi.exe 43 PID 2324 wrote to memory of 2264 2324 Kgknpfdi.exe 43 PID 2324 wrote to memory of 2264 2324 Kgknpfdi.exe 43 PID 2324 wrote to memory of 2264 2324 Kgknpfdi.exe 43 PID 2264 wrote to memory of 2508 2264 Kpeonkig.exe 44 PID 2264 wrote to memory of 2508 2264 Kpeonkig.exe 44 PID 2264 wrote to memory of 2508 2264 Kpeonkig.exe 44 PID 2264 wrote to memory of 2508 2264 Kpeonkig.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe"C:\Users\Admin\AppData\Local\Temp\132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Epjbienl.exeC:\Windows\system32\Epjbienl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Ekofgnna.exeC:\Windows\system32\Ekofgnna.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Fnplgl32.exeC:\Windows\system32\Fnplgl32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Fnbhmlkk.exeC:\Windows\system32\Fnbhmlkk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Gkchpcoc.exeC:\Windows\system32\Gkchpcoc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Hbpmbndm.exeC:\Windows\system32\Hbpmbndm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Hmnhnk32.exeC:\Windows\system32\Hmnhnk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ilfadg32.exeC:\Windows\system32\Ilfadg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Ienfml32.exeC:\Windows\system32\Ienfml32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Jpajdi32.exeC:\Windows\system32\Jpajdi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Jlmddi32.exeC:\Windows\system32\Jlmddi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Kgknpfdi.exeC:\Windows\system32\Kgknpfdi.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Kpeonkig.exeC:\Windows\system32\Kpeonkig.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Lnlmmo32.exeC:\Windows\system32\Lnlmmo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Lfingaaf.exeC:\Windows\system32\Lfingaaf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Mdeaim32.exeC:\Windows\system32\Mdeaim32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Mqoocmcg.exeC:\Windows\system32\Mqoocmcg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Npdkdjhp.exeC:\Windows\system32\Npdkdjhp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Nnkekfkd.exeC:\Windows\system32\Nnkekfkd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Oaaghp32.exeC:\Windows\system32\Oaaghp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Oiniaboi.exeC:\Windows\system32\Oiniaboi.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Oiqegb32.exeC:\Windows\system32\Oiqegb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:664 -
C:\Windows\SysWOW64\Ofefqf32.exeC:\Windows\system32\Ofefqf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Pdamhocm.exeC:\Windows\system32\Pdamhocm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Pogaeg32.exeC:\Windows\system32\Pogaeg32.exe33⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Pmlngdhk.exeC:\Windows\system32\Pmlngdhk.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Qkbkfh32.exeC:\Windows\system32\Qkbkfh32.exe35⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Ajghgd32.exeC:\Windows\system32\Ajghgd32.exe36⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Aodqok32.exeC:\Windows\system32\Aodqok32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Aagfffbo.exeC:\Windows\system32\Aagfffbo.exe38⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Akpkok32.exeC:\Windows\system32\Akpkok32.exe39⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Aggkdlod.exeC:\Windows\system32\Aggkdlod.exe40⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Bdklnq32.exeC:\Windows\system32\Bdklnq32.exe41⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe42⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Bnhjae32.exeC:\Windows\system32\Bnhjae32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Biakbc32.exeC:\Windows\system32\Biakbc32.exe44⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Bcgoolln.exeC:\Windows\system32\Bcgoolln.exe45⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Cfekkgla.exeC:\Windows\system32\Cfekkgla.exe46⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Cicggcke.exeC:\Windows\system32\Cicggcke.exe47⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Cbllph32.exeC:\Windows\system32\Cbllph32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Cmapna32.exeC:\Windows\system32\Cmapna32.exe49⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Cfjdfg32.exeC:\Windows\system32\Cfjdfg32.exe50⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Cgkanomj.exeC:\Windows\system32\Cgkanomj.exe51⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Cgmndokg.exeC:\Windows\system32\Cgmndokg.exe52⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Ehbcnajn.exeC:\Windows\system32\Ehbcnajn.exe53⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Edkahbmo.exeC:\Windows\system32\Edkahbmo.exe54⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Eaoaafli.exeC:\Windows\system32\Eaoaafli.exe55⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Fcegdnna.exeC:\Windows\system32\Fcegdnna.exe56⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Flmlmc32.exeC:\Windows\system32\Flmlmc32.exe57⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Fgcpkldh.exeC:\Windows\system32\Fgcpkldh.exe58⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Fpkdca32.exeC:\Windows\system32\Fpkdca32.exe59⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ficilgai.exeC:\Windows\system32\Ficilgai.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Fejjah32.exeC:\Windows\system32\Fejjah32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Gemfghek.exeC:\Windows\system32\Gemfghek.exe62⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Gnhkkjbf.exeC:\Windows\system32\Gnhkkjbf.exe63⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ghmohcbl.exeC:\Windows\system32\Ghmohcbl.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Gddpndhp.exeC:\Windows\system32\Gddpndhp.exe65⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Glpdbfek.exeC:\Windows\system32\Glpdbfek.exe66⤵
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Gcimop32.exeC:\Windows\system32\Gcimop32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Gjcekj32.exeC:\Windows\system32\Gjcekj32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Gopnca32.exeC:\Windows\system32\Gopnca32.exe69⤵PID:436
-
C:\Windows\SysWOW64\Hggeeo32.exeC:\Windows\system32\Hggeeo32.exe70⤵
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Hbafel32.exeC:\Windows\system32\Hbafel32.exe71⤵PID:1192
-
C:\Windows\SysWOW64\Hbccklmj.exeC:\Windows\system32\Hbccklmj.exe72⤵PID:1964
-
C:\Windows\SysWOW64\Hklhca32.exeC:\Windows\system32\Hklhca32.exe73⤵PID:2656
-
C:\Windows\SysWOW64\Hbepplkh.exeC:\Windows\system32\Hbepplkh.exe74⤵PID:856
-
C:\Windows\SysWOW64\Hojqjp32.exeC:\Windows\system32\Hojqjp32.exe75⤵PID:2120
-
C:\Windows\SysWOW64\Hibebeqb.exeC:\Windows\system32\Hibebeqb.exe76⤵PID:968
-
C:\Windows\SysWOW64\Hkpaoape.exeC:\Windows\system32\Hkpaoape.exe77⤵PID:1992
-
C:\Windows\SysWOW64\Iggbdb32.exeC:\Windows\system32\Iggbdb32.exe78⤵PID:1080
-
C:\Windows\SysWOW64\Iapfmg32.exeC:\Windows\system32\Iapfmg32.exe79⤵PID:2232
-
C:\Windows\SysWOW64\Ijhkembk.exeC:\Windows\system32\Ijhkembk.exe80⤵PID:2276
-
C:\Windows\SysWOW64\Icponb32.exeC:\Windows\system32\Icponb32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Ijjgkmqh.exeC:\Windows\system32\Ijjgkmqh.exe82⤵PID:2328
-
C:\Windows\SysWOW64\Ifahpnfl.exeC:\Windows\system32\Ifahpnfl.exe83⤵PID:760
-
C:\Windows\SysWOW64\Ilnqhddd.exeC:\Windows\system32\Ilnqhddd.exe84⤵PID:1472
-
C:\Windows\SysWOW64\Iefeaj32.exeC:\Windows\system32\Iefeaj32.exe85⤵
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Jplinckj.exeC:\Windows\system32\Jplinckj.exe86⤵
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Jpnfdbig.exeC:\Windows\system32\Jpnfdbig.exe87⤵PID:2180
-
C:\Windows\SysWOW64\Jaoblk32.exeC:\Windows\system32\Jaoblk32.exe88⤵PID:2924
-
C:\Windows\SysWOW64\Jbooen32.exeC:\Windows\system32\Jbooen32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Jhlgnd32.exeC:\Windows\system32\Jhlgnd32.exe90⤵
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Jhndcd32.exeC:\Windows\system32\Jhndcd32.exe91⤵PID:2836
-
C:\Windows\SysWOW64\Jafilj32.exeC:\Windows\system32\Jafilj32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Kfcadq32.exeC:\Windows\system32\Kfcadq32.exe93⤵PID:3056
-
C:\Windows\SysWOW64\Kplfmfmf.exeC:\Windows\system32\Kplfmfmf.exe94⤵PID:1608
-
C:\Windows\SysWOW64\Kmpfgklo.exeC:\Windows\system32\Kmpfgklo.exe95⤵PID:1696
-
C:\Windows\SysWOW64\Kdincdcl.exeC:\Windows\system32\Kdincdcl.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:932 -
C:\Windows\SysWOW64\Kekkkm32.exeC:\Windows\system32\Kekkkm32.exe97⤵PID:1712
-
C:\Windows\SysWOW64\Kihcakpa.exeC:\Windows\system32\Kihcakpa.exe98⤵
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Kpblne32.exeC:\Windows\system32\Kpblne32.exe99⤵PID:2200
-
C:\Windows\SysWOW64\Keodflee.exeC:\Windows\system32\Keodflee.exe100⤵PID:2284
-
C:\Windows\SysWOW64\Leaallcb.exeC:\Windows\system32\Leaallcb.exe101⤵PID:1812
-
C:\Windows\SysWOW64\Lojeda32.exeC:\Windows\system32\Lojeda32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Lednal32.exeC:\Windows\system32\Lednal32.exe103⤵PID:112
-
C:\Windows\SysWOW64\Lhbjmg32.exeC:\Windows\system32\Lhbjmg32.exe104⤵PID:2604
-
C:\Windows\SysWOW64\Lpnobi32.exeC:\Windows\system32\Lpnobi32.exe105⤵PID:3064
-
C:\Windows\SysWOW64\Lkccob32.exeC:\Windows\system32\Lkccob32.exe106⤵PID:888
-
C:\Windows\SysWOW64\Lcnhcdkp.exeC:\Windows\system32\Lcnhcdkp.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Ljhppo32.exeC:\Windows\system32\Ljhppo32.exe108⤵PID:944
-
C:\Windows\SysWOW64\Mglpjc32.exeC:\Windows\system32\Mglpjc32.exe109⤵PID:2864
-
C:\Windows\SysWOW64\Mliibj32.exeC:\Windows\system32\Mliibj32.exe110⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Mjmiknng.exeC:\Windows\system32\Mjmiknng.exe111⤵PID:2972
-
C:\Windows\SysWOW64\Mojaceln.exeC:\Windows\system32\Mojaceln.exe112⤵PID:928
-
C:\Windows\SysWOW64\Mjofanld.exeC:\Windows\system32\Mjofanld.exe113⤵PID:2808
-
C:\Windows\SysWOW64\Mkqbhf32.exeC:\Windows\system32\Mkqbhf32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1084 -
C:\Windows\SysWOW64\Mffgfo32.exeC:\Windows\system32\Mffgfo32.exe115⤵PID:1148
-
C:\Windows\SysWOW64\Mnakjaoc.exeC:\Windows\system32\Mnakjaoc.exe116⤵PID:2444
-
C:\Windows\SysWOW64\Mgjpcf32.exeC:\Windows\system32\Mgjpcf32.exe117⤵PID:964
-
C:\Windows\SysWOW64\Nbodpo32.exeC:\Windows\system32\Nbodpo32.exe118⤵
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Nkhhie32.exeC:\Windows\system32\Nkhhie32.exe119⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Nqdaal32.exeC:\Windows\system32\Nqdaal32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Nkjeod32.exeC:\Windows\system32\Nkjeod32.exe121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2584
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-