Analysis
-
max time kernel
48s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
28-09-2024 13:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0N.exe
-
Size
80KB
-
MD5
343b6fc3354222ec58fea709642c8cf0
-
SHA1
b4d70f982d4c566eb3fd6bf9dcbadf07ca500afc
-
SHA256
00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0
-
SHA512
30be740c7506a03967573bcd308b3ff705cf9ee450d03176f7150006a054edb305451633ec3f3a43ccaa3531958b1b9cedf7caf19e546c5be7f76367491c2613
-
SSDEEP
1536:4Rf3RSMSfoRgmT9L6YY3sPCfkRyPGX5YMkhohBE8VGh:KPRzSQthGYfPCiyPAUAEQGh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfdopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kadfkhkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdenafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qackpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behilopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabkom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Demofaol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oplelf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkpjnkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgoelh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlael32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciddedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddfebnoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pofkha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnifja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecploipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdhad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanefo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebnlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfhkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkegah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgoboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mejlalji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khghgchk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncbdbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmhglq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhlgmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphmloih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefcfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhcli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhgnaehm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okdmjdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiekpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcljmdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajnpecbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdmdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjofdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkngc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caifjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpcqnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgmahg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnafnopi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdjccf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgcnghpl.exe -
Executes dropped EXE 64 IoCs
pid Process 2972 Hfbaql32.exe 1952 Hbiaemkk.exe 2752 Hibjbgbh.exe 2760 Hbknkl32.exe 2768 Hdlkcdog.exe 1724 Hapklimq.exe 2660 Hndlem32.exe 2184 Ihmpobck.exe 2964 Imiigiab.exe 1752 Ifampo32.exe 328 Iipiljgf.exe 1128 Ilofhffj.exe 892 Iegjqk32.exe 2204 Ioooiack.exe 1956 Iiecgjba.exe 1036 Iapgkl32.exe 1140 Jhjphfgi.exe 1356 Jbpdeogo.exe 856 Jdaqmg32.exe 1776 Jkkija32.exe 1788 Jniefm32.exe 844 Joiappkp.exe 2000 Jnkakl32.exe 1868 Jaijak32.exe 1948 Jdhgnf32.exe 2076 Jpogbgmi.exe 2364 Kdjccf32.exe 2800 Kjglkm32.exe 2836 Kpadhg32.exe 2636 Kpcqnf32.exe 2720 Kofaicon.exe 2728 Kljabgnh.exe 2916 Kohnoc32.exe 2168 Khabghdl.exe 2676 Kokjdb32.exe 1612 Kdhcli32.exe 312 Lblcfnhj.exe 1160 Ldjpbign.exe 2152 Lkdhoc32.exe 2560 Lkfddc32.exe 2052 Lmgalkcf.exe 2580 Lcaiiejc.exe 1596 Lfpeeqig.exe 908 Lgoboc32.exe 2524 Ljnnko32.exe 1040 Lmljgj32.exe 1756 Lqhfhigj.exe 1236 Lcfbdd32.exe 1992 Lcfbdd32.exe 2196 Mfdopp32.exe 2280 Mkaghg32.exe 2896 Mpmcielb.exe 2796 Mchoid32.exe 2664 Mejlalji.exe 2512 Mmadbjkk.exe 1156 Mkddnf32.exe 2960 Mbnljqic.exe 1488 Mfihkoal.exe 2064 Mihdgkpp.exe 992 Mgjebg32.exe 2108 Mpamde32.exe 3000 Mbpipp32.exe 2992 Macilmnk.exe 2396 Meoell32.exe -
Loads dropped DLL 64 IoCs
pid Process 1296 00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0N.exe 1296 00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0N.exe 2972 Hfbaql32.exe 2972 Hfbaql32.exe 1952 Hbiaemkk.exe 1952 Hbiaemkk.exe 2752 Hibjbgbh.exe 2752 Hibjbgbh.exe 2760 Hbknkl32.exe 2760 Hbknkl32.exe 2768 Hdlkcdog.exe 2768 Hdlkcdog.exe 1724 Hapklimq.exe 1724 Hapklimq.exe 2660 Hndlem32.exe 2660 Hndlem32.exe 2184 Ihmpobck.exe 2184 Ihmpobck.exe 2964 Imiigiab.exe 2964 Imiigiab.exe 1752 Ifampo32.exe 1752 Ifampo32.exe 328 Iipiljgf.exe 328 Iipiljgf.exe 1128 Ilofhffj.exe 1128 Ilofhffj.exe 892 Iegjqk32.exe 892 Iegjqk32.exe 2204 Ioooiack.exe 2204 Ioooiack.exe 1956 Iiecgjba.exe 1956 Iiecgjba.exe 1036 Iapgkl32.exe 1036 Iapgkl32.exe 1140 Jhjphfgi.exe 1140 Jhjphfgi.exe 1356 Jbpdeogo.exe 1356 Jbpdeogo.exe 856 Jdaqmg32.exe 856 Jdaqmg32.exe 1776 Jkkija32.exe 1776 Jkkija32.exe 1788 Jniefm32.exe 1788 Jniefm32.exe 844 Joiappkp.exe 844 Joiappkp.exe 2000 Jnkakl32.exe 2000 Jnkakl32.exe 1868 Jaijak32.exe 1868 Jaijak32.exe 1948 Jdhgnf32.exe 1948 Jdhgnf32.exe 2076 Jpogbgmi.exe 2076 Jpogbgmi.exe 2364 Kdjccf32.exe 2364 Kdjccf32.exe 2800 Kjglkm32.exe 2800 Kjglkm32.exe 2836 Kpadhg32.exe 2836 Kpadhg32.exe 2636 Kpcqnf32.exe 2636 Kpcqnf32.exe 2720 Kofaicon.exe 2720 Kofaicon.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cnoglhlh.dll Ncfoch32.exe File opened for modification C:\Windows\SysWOW64\Bgblmk32.exe Bnihdemo.exe File created C:\Windows\SysWOW64\Iheegf32.dll Mkndhabp.exe File created C:\Windows\SysWOW64\Liempneg.dll Cgaaah32.exe File created C:\Windows\SysWOW64\Dqaegjop.dll Akfkbd32.exe File opened for modification C:\Windows\SysWOW64\Bbmcibjp.exe Bqlfaj32.exe File created C:\Windows\SysWOW64\Nhdhif32.exe Najpll32.exe File created C:\Windows\SysWOW64\Ifgpnmom.exe Iefcfe32.exe File created C:\Windows\SysWOW64\Nlnpgd32.exe Nipdkieg.exe File created C:\Windows\SysWOW64\Mdhpmg32.dll Paiaplin.exe File created C:\Windows\SysWOW64\Oagoep32.exe Ooicid32.exe File created C:\Windows\SysWOW64\Flnlpo32.dll Jmdepg32.exe File opened for modification C:\Windows\SysWOW64\Jondnnbk.exe Jkchmo32.exe File created C:\Windows\SysWOW64\Cbblda32.exe Cocphf32.exe File opened for modification C:\Windows\SysWOW64\Edibhmml.exe Dmojkc32.exe File created C:\Windows\SysWOW64\Ofehob32.dll Ehmdgp32.exe File created C:\Windows\SysWOW64\Mcjdhh32.dll Fkecij32.exe File created C:\Windows\SysWOW64\Gfcnegnk.exe Gceailog.exe File opened for modification C:\Windows\SysWOW64\Mkaghg32.exe Mfdopp32.exe File created C:\Windows\SysWOW64\Mbpipp32.exe Mpamde32.exe File created C:\Windows\SysWOW64\Npolmh32.exe Nallalep.exe File created C:\Windows\SysWOW64\Bnqned32.exe Bjebdfnn.exe File created C:\Windows\SysWOW64\Kmhflfhh.dll Kkjnnn32.exe File created C:\Windows\SysWOW64\Klngkfge.exe Knkgpi32.exe File created C:\Windows\SysWOW64\Dofhhgce.dll Lnjcomcf.exe File created C:\Windows\SysWOW64\Adfqgl32.exe Aqjdgmgd.exe File opened for modification C:\Windows\SysWOW64\Eldglp32.exe Eiekpd32.exe File created C:\Windows\SysWOW64\Jhbcjo32.dll Pleofj32.exe File created C:\Windows\SysWOW64\Nmnaak32.dll Kjglkm32.exe File created C:\Windows\SysWOW64\Pdmnam32.exe Popeif32.exe File created C:\Windows\SysWOW64\Agdmdg32.exe Adfqgl32.exe File created C:\Windows\SysWOW64\Bngpjpqe.dll Bkjdndjo.exe File opened for modification C:\Windows\SysWOW64\Ncfoch32.exe Necogkbo.exe File created C:\Windows\SysWOW64\Nmqpam32.exe Nfghdcfj.exe File opened for modification C:\Windows\SysWOW64\Npolmh32.exe Nallalep.exe File created C:\Windows\SysWOW64\Gonocmbi.exe Gmpcgace.exe File opened for modification C:\Windows\SysWOW64\Hmmbqegc.exe Hjofdi32.exe File opened for modification C:\Windows\SysWOW64\Iimfld32.exe Iafnjg32.exe File opened for modification C:\Windows\SysWOW64\Jkchmo32.exe Jialfgcc.exe File created C:\Windows\SysWOW64\Gigqol32.dll Lclicpkm.exe File created C:\Windows\SysWOW64\Lmljgj32.exe Ljnnko32.exe File opened for modification C:\Windows\SysWOW64\Okpcoe32.exe Oioggmmc.exe File created C:\Windows\SysWOW64\Fgdnnl32.exe Edfbaabj.exe File created C:\Windows\SysWOW64\Mfnnbf32.dll Fqalaa32.exe File created C:\Windows\SysWOW64\Legdph32.dll Ldbofgme.exe File created C:\Windows\SysWOW64\Bbmcibjp.exe Bqlfaj32.exe File created C:\Windows\SysWOW64\Lpnmgdli.exe Ljddjj32.exe File created C:\Windows\SysWOW64\Giddhc32.dll Ojmpooah.exe File created C:\Windows\SysWOW64\Lpkadj32.dll Mmadbjkk.exe File created C:\Windows\SysWOW64\Npaich32.exe Nigafnck.exe File created C:\Windows\SysWOW64\Dblifk32.dll Anlhkbhq.exe File opened for modification C:\Windows\SysWOW64\Jbqmhnbo.exe Jdnmma32.exe File opened for modification C:\Windows\SysWOW64\Illbhp32.exe Iimfld32.exe File created C:\Windows\SysWOW64\Npbdcgjh.dll Nhgnaehm.exe File opened for modification C:\Windows\SysWOW64\Qdlggg32.exe Pleofj32.exe File created C:\Windows\SysWOW64\Flbkkpfc.dll Hdlkcdog.exe File created C:\Windows\SysWOW64\Jondii32.dll Khabghdl.exe File opened for modification C:\Windows\SysWOW64\Okgjodmi.exe Ohhmcinf.exe File created C:\Windows\SysWOW64\Cdfddadf.dll Eobchk32.exe File opened for modification C:\Windows\SysWOW64\Joiappkp.exe Jniefm32.exe File created C:\Windows\SysWOW64\Qngopb32.exe Qdojgmfe.exe File opened for modification C:\Windows\SysWOW64\Dgbeiiqe.exe Dddimn32.exe File created C:\Windows\SysWOW64\Aldhcb32.dll Qlgkki32.exe File opened for modification C:\Windows\SysWOW64\Nlnpgd32.exe Nipdkieg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5644 5588 WerFault.exe 510 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgkii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbaql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgngb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpkqklh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcppidk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpjnkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjojh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnmbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjeinje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmadbjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokjdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmpblnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cblfdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbcen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnkbpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdaqmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbpde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqdiga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqbbagjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imiigiab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdkif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijclol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkcpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohdmdoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklddhka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbekjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfoch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkddnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbnhmjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafnjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnmma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeafjiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khielcfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olebgfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgoboc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeaepd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klpdaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphmloih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlhkbhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfejjgli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpapaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifampo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnoijbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfbaabj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkndhabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcckcbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapgkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfmllbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmfmlen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhipb32.dll" Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpnmgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll" Cbdiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmljgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Popeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfnge32.dll" Ggkqmoma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inlkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dklddhka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphmloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfeei32.dll" Jkchmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jppgpfpi.dll" Kdhcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gloiniaa.dll" Lfpeeqig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcfbdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mejlalji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfokinhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnmlcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mobfgdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll" Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgkdo32.dll" Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcikef32.dll" Mejlalji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfpecqda.dll" Maefamlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgnpgja.dll" Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncfoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iomhdbkn.dll" Cjjkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjjaebl.dll" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgpjhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khabghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oigemnhm.dll" Ohhmcinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbnfb32.dll" Qhmcmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mggabaea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggkcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkpfmnlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opihgfop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqjdgmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnidcen.dll" Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmmagpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknbpmpk.dll" Chfbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alenfc32.dll" Nhdhif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eihgfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaijflc.dll" Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdonf32.dll" Kdpfadlm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdjccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gplaplgi.dll" Mhonngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oijjka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilofhffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhlga32.dll" Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeaepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qklpempi.dll" Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppkhhjei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkejjlpp.dll" Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhpmg32.dll" Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cenljmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbdiia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccjoli32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1296 wrote to memory of 2972 1296 00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0N.exe 30 PID 1296 wrote to memory of 2972 1296 00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0N.exe 30 PID 1296 wrote to memory of 2972 1296 00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0N.exe 30 PID 1296 wrote to memory of 2972 1296 00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0N.exe 30 PID 2972 wrote to memory of 1952 2972 Hfbaql32.exe 31 PID 2972 wrote to memory of 1952 2972 Hfbaql32.exe 31 PID 2972 wrote to memory of 1952 2972 Hfbaql32.exe 31 PID 2972 wrote to memory of 1952 2972 Hfbaql32.exe 31 PID 1952 wrote to memory of 2752 1952 Hbiaemkk.exe 32 PID 1952 wrote to memory of 2752 1952 Hbiaemkk.exe 32 PID 1952 wrote to memory of 2752 1952 Hbiaemkk.exe 32 PID 1952 wrote to memory of 2752 1952 Hbiaemkk.exe 32 PID 2752 wrote to memory of 2760 2752 Hibjbgbh.exe 33 PID 2752 wrote to memory of 2760 2752 Hibjbgbh.exe 33 PID 2752 wrote to memory of 2760 2752 Hibjbgbh.exe 33 PID 2752 wrote to memory of 2760 2752 Hibjbgbh.exe 33 PID 2760 wrote to memory of 2768 2760 Hbknkl32.exe 34 PID 2760 wrote to memory of 2768 2760 Hbknkl32.exe 34 PID 2760 wrote to memory of 2768 2760 Hbknkl32.exe 34 PID 2760 wrote to memory of 2768 2760 Hbknkl32.exe 34 PID 2768 wrote to memory of 1724 2768 Hdlkcdog.exe 35 PID 2768 wrote to memory of 1724 2768 Hdlkcdog.exe 35 PID 2768 wrote to memory of 1724 2768 Hdlkcdog.exe 35 PID 2768 wrote to memory of 1724 2768 Hdlkcdog.exe 35 PID 1724 wrote to memory of 2660 1724 Hapklimq.exe 36 PID 1724 wrote to memory of 2660 1724 Hapklimq.exe 36 PID 1724 wrote to memory of 2660 1724 Hapklimq.exe 36 PID 1724 wrote to memory of 2660 1724 Hapklimq.exe 36 PID 2660 wrote to memory of 2184 2660 Hndlem32.exe 37 PID 2660 wrote to memory of 2184 2660 Hndlem32.exe 37 PID 2660 wrote to memory of 2184 2660 Hndlem32.exe 37 PID 2660 wrote to memory of 2184 2660 Hndlem32.exe 37 PID 2184 wrote to memory of 2964 2184 Ihmpobck.exe 38 PID 2184 wrote to memory of 2964 2184 Ihmpobck.exe 38 PID 2184 wrote to memory of 2964 2184 Ihmpobck.exe 38 PID 2184 wrote to memory of 2964 2184 Ihmpobck.exe 38 PID 2964 wrote to memory of 1752 2964 Imiigiab.exe 39 PID 2964 wrote to memory of 1752 2964 Imiigiab.exe 39 PID 2964 wrote to memory of 1752 2964 Imiigiab.exe 39 PID 2964 wrote to memory of 1752 2964 Imiigiab.exe 39 PID 1752 wrote to memory of 328 1752 Ifampo32.exe 40 PID 1752 wrote to memory of 328 1752 Ifampo32.exe 40 PID 1752 wrote to memory of 328 1752 Ifampo32.exe 40 PID 1752 wrote to memory of 328 1752 Ifampo32.exe 40 PID 328 wrote to memory of 1128 328 Iipiljgf.exe 41 PID 328 wrote to memory of 1128 328 Iipiljgf.exe 41 PID 328 wrote to memory of 1128 328 Iipiljgf.exe 41 PID 328 wrote to memory of 1128 328 Iipiljgf.exe 41 PID 1128 wrote to memory of 892 1128 Ilofhffj.exe 42 PID 1128 wrote to memory of 892 1128 Ilofhffj.exe 42 PID 1128 wrote to memory of 892 1128 Ilofhffj.exe 42 PID 1128 wrote to memory of 892 1128 Ilofhffj.exe 42 PID 892 wrote to memory of 2204 892 Iegjqk32.exe 43 PID 892 wrote to memory of 2204 892 Iegjqk32.exe 43 PID 892 wrote to memory of 2204 892 Iegjqk32.exe 43 PID 892 wrote to memory of 2204 892 Iegjqk32.exe 43 PID 2204 wrote to memory of 1956 2204 Ioooiack.exe 44 PID 2204 wrote to memory of 1956 2204 Ioooiack.exe 44 PID 2204 wrote to memory of 1956 2204 Ioooiack.exe 44 PID 2204 wrote to memory of 1956 2204 Ioooiack.exe 44 PID 1956 wrote to memory of 1036 1956 Iiecgjba.exe 45 PID 1956 wrote to memory of 1036 1956 Iiecgjba.exe 45 PID 1956 wrote to memory of 1036 1956 Iiecgjba.exe 45 PID 1956 wrote to memory of 1036 1956 Iiecgjba.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0N.exe"C:\Users\Admin\AppData\Local\Temp\00a48e09aeb337d8cbbfa18eb984125bf41a9dea6d20f8f742c71b7c09f046b0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1036 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe33⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe34⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe38⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe39⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe40⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe41⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe42⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe43⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:908 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe48⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe50⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe52⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe53⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe54⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe58⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe59⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe60⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe61⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe63⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe64⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe65⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe67⤵PID:1680
-
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe68⤵PID:2256
-
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe69⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe71⤵
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe72⤵PID:2612
-
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:636 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe74⤵
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe76⤵PID:1608
-
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe77⤵PID:1704
-
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe78⤵
- System Location Discovery: System Language Discovery
PID:360 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe79⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe80⤵
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe82⤵PID:1536
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe83⤵
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe84⤵PID:1572
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe85⤵
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe86⤵PID:2788
-
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe88⤵PID:2696
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe89⤵PID:2608
-
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe90⤵PID:2952
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe91⤵PID:2596
-
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe92⤵PID:2784
-
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe93⤵PID:2416
-
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe94⤵PID:2324
-
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe96⤵PID:1816
-
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe97⤵
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe98⤵PID:1692
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe99⤵PID:2860
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe100⤵PID:2852
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe101⤵PID:2300
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe103⤵PID:2668
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe104⤵PID:1732
-
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1780 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe107⤵PID:1124
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe109⤵PID:816
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe110⤵PID:2008
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe111⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe112⤵PID:2712
-
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe113⤵PID:2948
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe114⤵PID:2856
-
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe115⤵PID:2908
-
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe117⤵PID:2228
-
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe118⤵
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe119⤵PID:640
-
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe120⤵PID:2332
-
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe121⤵PID:1924
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-