Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
04-10-2024 20:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe
-
Size
89KB
-
MD5
f499992aa2cc29dd587df2ef1adb4d90
-
SHA1
738f9551f48ec562000228f7fa122bd9d30e18f6
-
SHA256
1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736c
-
SHA512
2538e3695c71631240410bad70bf92b81729d41c1df6fba569f0d4b39fe5a53b392cffc3515b130c2c07f2e8e451b2913876ee2795122710734a55ccee8027e0
-
SSDEEP
1536:+IJFoZs1D7f6cCf2y9hGds7eOU0ETiYmr0Igz39PF1GHRdgUvYfFcNlExkg8Fk:uZshj6cCOqh7eOU0ETiYmr0IO39qHf9K
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoblnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijibng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joggci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqehjecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fooembgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oioipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipgjaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkkmgncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oioipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glklejoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggapbcne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieibdnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpglecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnaiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehjqgjmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbogqoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjnnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gojhafnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhdgdmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhdcanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhibino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhahanie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnglnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cenljmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmnopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlnmel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkpadnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlkglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbdci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hegpjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijnkifgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmlddeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lljpjchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndfnecgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlfdac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglalbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmmpolof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaojnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbffoabe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edcnakpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkolakkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnnbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agpeaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dncibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgqlafap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapohbfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmeeepjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhhhbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibhicbao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lghgmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklgbadb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjifodii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdgmimg.exe -
Executes dropped EXE 64 IoCs
pid Process 1820 Khkbbc32.exe 2216 Kgnbnpkp.exe 2244 Knhjjj32.exe 2828 Kadfkhkf.exe 2788 Kjokokha.exe 2652 Kcgphp32.exe 2636 Kffldlne.exe 2684 Kpkpadnl.exe 836 Lcjlnpmo.exe 2380 Lhfefgkg.exe 2908 Lpnmgdli.exe 2588 Lhiakf32.exe 1596 Lkgngb32.exe 2180 Ldpbpgoh.exe 2564 Llgjaeoj.exe 2428 Lkjjma32.exe 2164 Lfoojj32.exe 1560 Lhnkffeo.exe 2304 Lklgbadb.exe 1744 Lqipkhbj.exe 1544 Lhpglecl.exe 2312 Mdghaf32.exe 2424 Mcjhmcok.exe 1408 Mqnifg32.exe 760 Mdiefffn.exe 2812 Mnaiol32.exe 2492 Mobfgdcl.exe 2760 Mjhjdm32.exe 2632 Mmgfqh32.exe 2796 Mjkgjl32.exe 2740 Mimgeigj.exe 1900 Nfahomfd.exe 2028 Nedhjj32.exe 1680 Npjlhcmd.exe 2016 Nefdpjkl.exe 1664 Nibqqh32.exe 2544 Nnoiio32.exe 1180 Nbjeinje.exe 808 Nlcibc32.exe 2484 Njfjnpgp.exe 1924 Napbjjom.exe 2572 Nlefhcnc.exe 1768 Njhfcp32.exe 276 Nenkqi32.exe 1572 Nhlgmd32.exe 2440 Onfoin32.exe 1284 Omioekbo.exe 580 Opglafab.exe 1656 Ohncbdbd.exe 2776 Ofadnq32.exe 2744 Ojmpooah.exe 2624 Omklkkpl.exe 1252 Oaghki32.exe 1220 Odedge32.exe 1052 Obhdcanc.exe 1892 Ojomdoof.exe 2036 Oplelf32.exe 1660 Objaha32.exe 2556 Oidiekdn.exe 2664 Olbfagca.exe 1764 Ooabmbbe.exe 1456 Ofhjopbg.exe 2284 Oiffkkbk.exe 1908 Ohiffh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2136 1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe 2136 1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe 1820 Khkbbc32.exe 1820 Khkbbc32.exe 2216 Kgnbnpkp.exe 2216 Kgnbnpkp.exe 2244 Knhjjj32.exe 2244 Knhjjj32.exe 2828 Kadfkhkf.exe 2828 Kadfkhkf.exe 2788 Kjokokha.exe 2788 Kjokokha.exe 2652 Kcgphp32.exe 2652 Kcgphp32.exe 2636 Kffldlne.exe 2636 Kffldlne.exe 2684 Kpkpadnl.exe 2684 Kpkpadnl.exe 836 Lcjlnpmo.exe 836 Lcjlnpmo.exe 2380 Lhfefgkg.exe 2380 Lhfefgkg.exe 2908 Lpnmgdli.exe 2908 Lpnmgdli.exe 2588 Lhiakf32.exe 2588 Lhiakf32.exe 1596 Lkgngb32.exe 1596 Lkgngb32.exe 2180 Ldpbpgoh.exe 2180 Ldpbpgoh.exe 2564 Llgjaeoj.exe 2564 Llgjaeoj.exe 2428 Lkjjma32.exe 2428 Lkjjma32.exe 2164 Lfoojj32.exe 2164 Lfoojj32.exe 1560 Lhnkffeo.exe 1560 Lhnkffeo.exe 2304 Lklgbadb.exe 2304 Lklgbadb.exe 1744 Lqipkhbj.exe 1744 Lqipkhbj.exe 1544 Lhpglecl.exe 1544 Lhpglecl.exe 2312 Mdghaf32.exe 2312 Mdghaf32.exe 2424 Mcjhmcok.exe 2424 Mcjhmcok.exe 1408 Mqnifg32.exe 1408 Mqnifg32.exe 760 Mdiefffn.exe 760 Mdiefffn.exe 2812 Mnaiol32.exe 2812 Mnaiol32.exe 2492 Mobfgdcl.exe 2492 Mobfgdcl.exe 2760 Mjhjdm32.exe 2760 Mjhjdm32.exe 2632 Mmgfqh32.exe 2632 Mmgfqh32.exe 2796 Mjkgjl32.exe 2796 Mjkgjl32.exe 2740 Mimgeigj.exe 2740 Mimgeigj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lofifi32.exe Lkjmfjmi.exe File created C:\Windows\SysWOW64\Lpnmgdli.exe Lhfefgkg.exe File opened for modification C:\Windows\SysWOW64\Qdlggg32.exe Pleofj32.exe File created C:\Windows\SysWOW64\Cpmene32.dll Objjnkie.exe File created C:\Windows\SysWOW64\Caejbmia.dll Iogpag32.exe File created C:\Windows\SysWOW64\Leoebflm.dll Iegeonpc.exe File opened for modification C:\Windows\SysWOW64\Eknpadcn.exe Elkofg32.exe File created C:\Windows\SysWOW64\Jpepkk32.exe Jabponba.exe File created C:\Windows\SysWOW64\Lklgbadb.exe Lhnkffeo.exe File created C:\Windows\SysWOW64\Pifbjn32.exe Pghfnc32.exe File created C:\Windows\SysWOW64\Obbdml32.exe Npdhaq32.exe File created C:\Windows\SysWOW64\Addfkeid.exe Aaejojjq.exe File opened for modification C:\Windows\SysWOW64\Cqaiph32.exe Cjhabndo.exe File created C:\Windows\SysWOW64\Glklejoo.exe Feachqgb.exe File opened for modification C:\Windows\SysWOW64\Kpieengb.exe Kmkihbho.exe File created C:\Windows\SysWOW64\Dcoaml32.dll Aclpaali.exe File created C:\Windows\SysWOW64\Bdqlajbb.exe Bbbpenco.exe File created C:\Windows\SysWOW64\Pijjilik.dll Bieopm32.exe File created C:\Windows\SysWOW64\Qemldifo.exe Qbnphngk.exe File created C:\Windows\SysWOW64\Clgmpqdg.dll Dnqlmq32.exe File created C:\Windows\SysWOW64\Kkpqlm32.exe Khadpa32.exe File created C:\Windows\SysWOW64\Jnofgg32.exe Jlqjkk32.exe File opened for modification C:\Windows\SysWOW64\Bfcodkcb.exe Bnlgbnbp.exe File created C:\Windows\SysWOW64\Fbhljb32.dll Bqolji32.exe File created C:\Windows\SysWOW64\Ccgklc32.exe Ckpckece.exe File opened for modification C:\Windows\SysWOW64\Nedhjj32.exe Nfahomfd.exe File created C:\Windows\SysWOW64\Jfkgbapp.dll Onfoin32.exe File opened for modification C:\Windows\SysWOW64\Ojmpooah.exe Ofadnq32.exe File created C:\Windows\SysWOW64\Abpcooea.exe Andgop32.exe File created C:\Windows\SysWOW64\Kbpbmkan.exe Klfjpa32.exe File created C:\Windows\SysWOW64\Ggapbcne.exe Gojhafnb.exe File created C:\Windows\SysWOW64\Hjcaha32.exe Hfhfhbce.exe File opened for modification C:\Windows\SysWOW64\Mimgeigj.exe Mjkgjl32.exe File created C:\Windows\SysWOW64\Ojgidcjn.dll Omhhke32.exe File created C:\Windows\SysWOW64\Cgcnghpl.exe Cbffoabe.exe File created C:\Windows\SysWOW64\Gblakg32.dll Homdhjai.exe File created C:\Windows\SysWOW64\Bpmacdgo.dll Nbeedh32.exe File opened for modification C:\Windows\SysWOW64\Nnnbni32.exe Nfgjml32.exe File created C:\Windows\SysWOW64\Jmkmjoec.exe Jfaeme32.exe File created C:\Windows\SysWOW64\Kmfpmc32.exe Kjhcag32.exe File opened for modification C:\Windows\SysWOW64\Mobfgdcl.exe Mnaiol32.exe File created C:\Windows\SysWOW64\Mfnqeb32.dll Iacjjacb.exe File created C:\Windows\SysWOW64\Fgmkef32.dll Ilcalnii.exe File created C:\Windows\SysWOW64\Mblbnj32.exe Momfan32.exe File opened for modification C:\Windows\SysWOW64\Pfebnmcj.exe Ponklpcg.exe File created C:\Windows\SysWOW64\Kpkpadnl.exe Kffldlne.exe File created C:\Windows\SysWOW64\Gdnibjgk.dll Djfdob32.exe File opened for modification C:\Windows\SysWOW64\Npjlhcmd.exe Nedhjj32.exe File opened for modification C:\Windows\SysWOW64\Ooabmbbe.exe Olbfagca.exe File created C:\Windows\SysWOW64\Dicdjqhf.dll Qeppdo32.exe File opened for modification C:\Windows\SysWOW64\Jcqlkjae.exe Jpepkk32.exe File created C:\Windows\SysWOW64\Jmegnj32.dll Koaclfgl.exe File created C:\Windows\SysWOW64\Dgmjmajn.dll Hfjbmb32.exe File created C:\Windows\SysWOW64\Onpeobjf.dll Kfaalh32.exe File created C:\Windows\SysWOW64\Nlefhcnc.exe Napbjjom.exe File created C:\Windows\SysWOW64\Pafdjmkq.exe Pmkhjncg.exe File opened for modification C:\Windows\SysWOW64\Dfpaic32.exe Dljmlj32.exe File opened for modification C:\Windows\SysWOW64\Ipjdameg.exe Imlhebfc.exe File opened for modification C:\Windows\SysWOW64\Mqehjecl.exe Mnglnj32.exe File created C:\Windows\SysWOW64\Ncbdnb32.dll Ioeclg32.exe File created C:\Windows\SysWOW64\Hgajdjlj.dll Jpjifjdg.exe File created C:\Windows\SysWOW64\Bbjclbek.dll Aomnhd32.exe File opened for modification C:\Windows\SysWOW64\Djdgic32.exe Cfhkhd32.exe File created C:\Windows\SysWOW64\Ekddecnj.dll Dhhhbg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6404 6216 WerFault.exe 706 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofkha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfnecgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honnki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiioin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbnhihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piliii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefqdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfodfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mphiqbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadbdkld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fahhnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafdjmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmfgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdkjpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqodqodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigndekn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekghdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdeok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbcek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgionie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alihaioe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibnop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdhgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfaalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenljmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clojhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkibhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edoefl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egajnfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhljkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjgiidkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdpjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkhjncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgoelh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllqplnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaapa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaecod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajiigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldheebad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhfcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opglafab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjphcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghofam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modlbmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejcpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajehnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqdfehii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpojkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjmfjmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacihmoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeoaffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfpmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khnapkjg.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoloenf.dll" Pafdjmkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebklic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgddfe32.dll" Lkjjma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llomfpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllqqh32.dll" Llbconkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Liipnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll" Bjdkjpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbeedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edlhqlfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imodkadq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lncfcgeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Paocnkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Difqji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eodicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imjkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maadfi32.dll" Inbnhihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boadnkpf.dll" Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmacdgo.dll" Nbeedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldgnklmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnpdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqbijmn.dll" Nflchkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldhjg32.dll" Hejmpqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibfmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll" Cnfqccna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfaeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll" Libjncnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljhgm32.dll" Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibacbcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbnphngk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdqnkoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igiani32.dll" Ggdcbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obbdml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iegeonpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekohgi32.dll" Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll" Qgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Momfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll" Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjffnf32.dll" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkkpmda.dll" Hgkfal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlhkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daplkmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppkjac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Giaidnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll" Jpepkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkegah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eanldqgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gojhafnb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2136 wrote to memory of 1820 2136 1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe 30 PID 2136 wrote to memory of 1820 2136 1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe 30 PID 2136 wrote to memory of 1820 2136 1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe 30 PID 2136 wrote to memory of 1820 2136 1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe 30 PID 1820 wrote to memory of 2216 1820 Khkbbc32.exe 31 PID 1820 wrote to memory of 2216 1820 Khkbbc32.exe 31 PID 1820 wrote to memory of 2216 1820 Khkbbc32.exe 31 PID 1820 wrote to memory of 2216 1820 Khkbbc32.exe 31 PID 2216 wrote to memory of 2244 2216 Kgnbnpkp.exe 32 PID 2216 wrote to memory of 2244 2216 Kgnbnpkp.exe 32 PID 2216 wrote to memory of 2244 2216 Kgnbnpkp.exe 32 PID 2216 wrote to memory of 2244 2216 Kgnbnpkp.exe 32 PID 2244 wrote to memory of 2828 2244 Knhjjj32.exe 33 PID 2244 wrote to memory of 2828 2244 Knhjjj32.exe 33 PID 2244 wrote to memory of 2828 2244 Knhjjj32.exe 33 PID 2244 wrote to memory of 2828 2244 Knhjjj32.exe 33 PID 2828 wrote to memory of 2788 2828 Kadfkhkf.exe 34 PID 2828 wrote to memory of 2788 2828 Kadfkhkf.exe 34 PID 2828 wrote to memory of 2788 2828 Kadfkhkf.exe 34 PID 2828 wrote to memory of 2788 2828 Kadfkhkf.exe 34 PID 2788 wrote to memory of 2652 2788 Kjokokha.exe 35 PID 2788 wrote to memory of 2652 2788 Kjokokha.exe 35 PID 2788 wrote to memory of 2652 2788 Kjokokha.exe 35 PID 2788 wrote to memory of 2652 2788 Kjokokha.exe 35 PID 2652 wrote to memory of 2636 2652 Kcgphp32.exe 36 PID 2652 wrote to memory of 2636 2652 Kcgphp32.exe 36 PID 2652 wrote to memory of 2636 2652 Kcgphp32.exe 36 PID 2652 wrote to memory of 2636 2652 Kcgphp32.exe 36 PID 2636 wrote to memory of 2684 2636 Kffldlne.exe 37 PID 2636 wrote to memory of 2684 2636 Kffldlne.exe 37 PID 2636 wrote to memory of 2684 2636 Kffldlne.exe 37 PID 2636 wrote to memory of 2684 2636 Kffldlne.exe 37 PID 2684 wrote to memory of 836 2684 Kpkpadnl.exe 38 PID 2684 wrote to memory of 836 2684 Kpkpadnl.exe 38 PID 2684 wrote to memory of 836 2684 Kpkpadnl.exe 38 PID 2684 wrote to memory of 836 2684 Kpkpadnl.exe 38 PID 836 wrote to memory of 2380 836 Lcjlnpmo.exe 39 PID 836 wrote to memory of 2380 836 Lcjlnpmo.exe 39 PID 836 wrote to memory of 2380 836 Lcjlnpmo.exe 39 PID 836 wrote to memory of 2380 836 Lcjlnpmo.exe 39 PID 2380 wrote to memory of 2908 2380 Lhfefgkg.exe 40 PID 2380 wrote to memory of 2908 2380 Lhfefgkg.exe 40 PID 2380 wrote to memory of 2908 2380 Lhfefgkg.exe 40 PID 2380 wrote to memory of 2908 2380 Lhfefgkg.exe 40 PID 2908 wrote to memory of 2588 2908 Lpnmgdli.exe 41 PID 2908 wrote to memory of 2588 2908 Lpnmgdli.exe 41 PID 2908 wrote to memory of 2588 2908 Lpnmgdli.exe 41 PID 2908 wrote to memory of 2588 2908 Lpnmgdli.exe 41 PID 2588 wrote to memory of 1596 2588 Lhiakf32.exe 42 PID 2588 wrote to memory of 1596 2588 Lhiakf32.exe 42 PID 2588 wrote to memory of 1596 2588 Lhiakf32.exe 42 PID 2588 wrote to memory of 1596 2588 Lhiakf32.exe 42 PID 1596 wrote to memory of 2180 1596 Lkgngb32.exe 43 PID 1596 wrote to memory of 2180 1596 Lkgngb32.exe 43 PID 1596 wrote to memory of 2180 1596 Lkgngb32.exe 43 PID 1596 wrote to memory of 2180 1596 Lkgngb32.exe 43 PID 2180 wrote to memory of 2564 2180 Ldpbpgoh.exe 44 PID 2180 wrote to memory of 2564 2180 Ldpbpgoh.exe 44 PID 2180 wrote to memory of 2564 2180 Ldpbpgoh.exe 44 PID 2180 wrote to memory of 2564 2180 Ldpbpgoh.exe 44 PID 2564 wrote to memory of 2428 2564 Llgjaeoj.exe 45 PID 2564 wrote to memory of 2428 2564 Llgjaeoj.exe 45 PID 2564 wrote to memory of 2428 2564 Llgjaeoj.exe 45 PID 2564 wrote to memory of 2428 2564 Llgjaeoj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe"C:\Users\Admin\AppData\Local\Temp\1cdd65a9476ff9ffe2c702e1d0b544b63ea35f53ca9e6d65dc62377b2c9f736cN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408 -
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760 -
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe35⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe37⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe38⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe39⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe41⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe45⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Omioekbo.exeC:\Windows\system32\Omioekbo.exe48⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe52⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe53⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Oaghki32.exeC:\Windows\system32\Oaghki32.exe54⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe55⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe57⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe58⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe59⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe60⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe62⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe63⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe64⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe66⤵PID:2044
-
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe67⤵PID:2844
-
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe68⤵PID:2184
-
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe71⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Pofkha32.exeC:\Windows\system32\Pofkha32.exe72⤵
- System Location Discovery: System Language Discovery
PID:1424 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe73⤵PID:2032
-
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe74⤵PID:1916
-
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe75⤵PID:1624
-
C:\Windows\SysWOW64\Pmkhjncg.exeC:\Windows\system32\Pmkhjncg.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe78⤵PID:2268
-
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe79⤵PID:2264
-
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe80⤵PID:1060
-
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe81⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe82⤵PID:1132
-
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe83⤵PID:892
-
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe84⤵PID:2752
-
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe85⤵PID:2200
-
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe86⤵PID:1912
-
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe87⤵PID:1828
-
C:\Windows\SysWOW64\Ppnnai32.exeC:\Windows\system32\Ppnnai32.exe88⤵PID:1092
-
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe89⤵PID:2480
-
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe90⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:372 -
C:\Windows\SysWOW64\Pleofj32.exeC:\Windows\system32\Pleofj32.exe92⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe93⤵PID:1388
-
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe95⤵PID:2768
-
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe96⤵PID:2800
-
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe97⤵PID:352
-
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe98⤵PID:2612
-
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe99⤵PID:1512
-
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe100⤵
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe101⤵
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe102⤵PID:2188
-
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe103⤵PID:2096
-
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe104⤵PID:1104
-
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe105⤵PID:2420
-
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe106⤵PID:2880
-
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe107⤵PID:2820
-
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe108⤵PID:2964
-
C:\Windows\SysWOW64\Akabgebj.exeC:\Windows\system32\Akabgebj.exe109⤵PID:2992
-
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe111⤵
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Adifpk32.exeC:\Windows\system32\Adifpk32.exe112⤵PID:2064
-
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe113⤵PID:1568
-
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe114⤵PID:2240
-
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe115⤵PID:2860
-
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe117⤵PID:2876
-
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe118⤵PID:2936
-
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe119⤵PID:2008
-
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe120⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe121⤵PID:552
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-