Analysis
-
max time kernel
79s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 20:17
Static task
static1
Behavioral task
behavioral1
Sample
4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bcN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bcN.exe
Resource
win10v2004-20241007-en
General
-
Target
4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bcN.exe
-
Size
923KB
-
MD5
c822f4c184b9805bc242f1a56f4c7880
-
SHA1
f01f3a4dc4cfaf011396123df76b0590736564d0
-
SHA256
4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bc
-
SHA512
6cfae406dd5eb844c75c9c742e11b8839e2ac1474aa093a8216400d7df22bdf5c321bcb86502544d9618993bac2a28b34a577797e57bd05a9f63acc70a022765
-
SSDEEP
24576:wFXPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNF:wFnbazR0va
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hghhngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hadece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omgckcmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlmjjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phabdmgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adcobk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfdigocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmoqfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlokegib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbljfdoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjejojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alqplmlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgglcqdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikkfilp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cidhcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnfjiali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgamgken.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elmmegkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjbiac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cihqbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgglcqdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amledj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elndpnnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbkchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqjceidf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdnicemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnfnlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkemli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilkbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpihog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqjfgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmgekh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmgekh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommdqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjofljho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcekkkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikbndqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnplgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdmfdgbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqcpfcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gckgkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkcgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olokighn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imaglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkaghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpomnilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omekgakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcafbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaeeoihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efakhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kegebn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkjahg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceioieei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gafcahil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dapnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdgfpbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bikhce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifhdphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfkbeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgoakpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnafjo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2596 Nmogpj32.exe 2220 Nldcagaq.exe 2168 Pamlel32.exe 2924 Pnfipm32.exe 2920 Pqgbah32.exe 2564 Acbnggjo.exe 1988 Bbannb32.exe 2904 Bllomg32.exe 668 Blnkbg32.exe 1108 Cooddbfh.exe 1632 Chgimh32.exe 1016 Cmfnjnin.exe 520 Cmikpngk.exe 2404 Coldmfkf.exe 1992 Dcjmcd32.exe 2776 Doamhe32.exe 1356 Dnfjiali.exe 2532 Dpgckm32.exe 2440 Elndpnnn.exe 1232 Ejadibmh.exe 2760 Efhenccl.exe 1748 Fhngkm32.exe 1288 Fdehpn32.exe 2044 Fnmmidhm.exe 2900 Fkambhgf.exe 2956 Ffkncf32.exe 2964 Gphlgk32.exe 2852 Gfdaid32.exe 2152 Gplebjbk.exe 2444 Gjffbhnj.exe 2272 Hhjgll32.exe 1944 Hengep32.exe 1192 Hnflnfbm.exe 2344 Hipmoc32.exe 588 Hmneebeb.exe 2268 Hffjng32.exe 1056 Hlcbfnjk.exe 2700 Iigcobid.exe 1420 Iboghh32.exe 1400 Ikjlmjmp.exe 632 Ihnmfoli.exe 3024 Ihqilnig.exe 2136 Ihcfan32.exe 2740 Jcmgal32.exe 1588 Jpqgkpcl.exe 2420 Jjilde32.exe 1972 Jhniebne.exe 3032 Jhqeka32.exe 2572 Kdgfpbaf.exe 2548 Kbkgig32.exe 1836 Koogbk32.exe 2376 Kjihci32.exe 1760 Kjkehhjf.exe 1960 Kfbemi32.exe 452 Lgabgl32.exe 2764 Lbkchj32.exe 2604 Lbmpnjai.exe 2224 Lfkhch32.exe 1984 Laeidfdn.exe 1820 Mnijnjbh.exe 1612 Mganfp32.exe 584 Meeopdhb.exe 2960 Mpoppadq.exe 2016 Mpalfabn.exe -
Loads dropped DLL 64 IoCs
pid Process 2116 4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bcN.exe 2116 4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bcN.exe 2596 Nmogpj32.exe 2596 Nmogpj32.exe 2220 Nldcagaq.exe 2220 Nldcagaq.exe 2168 Pamlel32.exe 2168 Pamlel32.exe 2924 Pnfipm32.exe 2924 Pnfipm32.exe 2920 Pqgbah32.exe 2920 Pqgbah32.exe 2564 Acbnggjo.exe 2564 Acbnggjo.exe 1988 Bbannb32.exe 1988 Bbannb32.exe 2904 Bllomg32.exe 2904 Bllomg32.exe 668 Blnkbg32.exe 668 Blnkbg32.exe 1108 Cooddbfh.exe 1108 Cooddbfh.exe 1632 Chgimh32.exe 1632 Chgimh32.exe 1016 Cmfnjnin.exe 1016 Cmfnjnin.exe 520 Cmikpngk.exe 520 Cmikpngk.exe 2404 Coldmfkf.exe 2404 Coldmfkf.exe 1992 Dcjmcd32.exe 1992 Dcjmcd32.exe 2776 Doamhe32.exe 2776 Doamhe32.exe 1356 Dnfjiali.exe 1356 Dnfjiali.exe 2532 Dpgckm32.exe 2532 Dpgckm32.exe 2440 Elndpnnn.exe 2440 Elndpnnn.exe 1232 Ejadibmh.exe 1232 Ejadibmh.exe 2760 Efhenccl.exe 2760 Efhenccl.exe 1748 Fhngkm32.exe 1748 Fhngkm32.exe 1288 Fdehpn32.exe 1288 Fdehpn32.exe 2044 Fnmmidhm.exe 2044 Fnmmidhm.exe 2900 Fkambhgf.exe 2900 Fkambhgf.exe 2956 Ffkncf32.exe 2956 Ffkncf32.exe 2964 Gphlgk32.exe 2964 Gphlgk32.exe 2852 Gfdaid32.exe 2852 Gfdaid32.exe 2152 Gplebjbk.exe 2152 Gplebjbk.exe 2444 Gjffbhnj.exe 2444 Gjffbhnj.exe 2272 Hhjgll32.exe 2272 Hhjgll32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iomaaa32.exe Iedmhlqf.exe File created C:\Windows\SysWOW64\Oeobfgak.exe Ogkbmcba.exe File opened for modification C:\Windows\SysWOW64\Lgabgl32.exe Kfbemi32.exe File created C:\Windows\SysWOW64\Mjbiac32.exe Mdeaim32.exe File created C:\Windows\SysWOW64\Jmdoefnl.dll Cihqbb32.exe File opened for modification C:\Windows\SysWOW64\Oeobfgak.exe Ogkbmcba.exe File opened for modification C:\Windows\SysWOW64\Imndmnob.exe Ibdclp32.exe File opened for modification C:\Windows\SysWOW64\Mmlmmdga.exe Mogqlgbi.exe File created C:\Windows\SysWOW64\Kbokda32.exe Kdincdcl.exe File opened for modification C:\Windows\SysWOW64\Ncbfcq32.exe Njjbjk32.exe File created C:\Windows\SysWOW64\Bcedbefd.exe Bjlpjp32.exe File created C:\Windows\SysWOW64\Fcffeo32.dll Dgbiggof.exe File opened for modification C:\Windows\SysWOW64\Kbjmhd32.exe Kkpekjie.exe File created C:\Windows\SysWOW64\Eedcdcoc.dll Odmhjp32.exe File created C:\Windows\SysWOW64\Mbdplmai.dll Hmheol32.exe File created C:\Windows\SysWOW64\Fjdfae32.dll Kdincdcl.exe File created C:\Windows\SysWOW64\Ghndbeeo.dll Dkolblkk.exe File created C:\Windows\SysWOW64\Fgmncb32.dll Aefaemqj.exe File created C:\Windows\SysWOW64\Geckno32.exe Gfnnmboa.exe File created C:\Windows\SysWOW64\Agkbdj32.dll Kkpekjie.exe File created C:\Windows\SysWOW64\Pmdocf32.exe Oheieo32.exe File created C:\Windows\SysWOW64\Ahjahk32.exe Aoamoefh.exe File created C:\Windows\SysWOW64\Lkcehkeh.exe Ldgpea32.exe File created C:\Windows\SysWOW64\Aiogmeom.dll Nocgbl32.exe File created C:\Windows\SysWOW64\Gfcqkafl.exe Gpihog32.exe File created C:\Windows\SysWOW64\Pppiae32.dll Fbqhnqen.exe File opened for modification C:\Windows\SysWOW64\Eaangfjf.exe Epbamc32.exe File opened for modification C:\Windows\SysWOW64\Laknfmgd.exe Lojeda32.exe File created C:\Windows\SysWOW64\Pfpdcm32.exe Pmgpjgph.exe File created C:\Windows\SysWOW64\Oahfnj32.dll Pmoqfi32.exe File opened for modification C:\Windows\SysWOW64\Hlcbfnjk.exe Hffjng32.exe File created C:\Windows\SysWOW64\Mnpfkfcn.dll Jhniebne.exe File created C:\Windows\SysWOW64\Eahkag32.exe Ehpgha32.exe File created C:\Windows\SysWOW64\Nbodpo32.exe Mdkcgk32.exe File created C:\Windows\SysWOW64\Becmcind.dll Fqkbkicd.exe File created C:\Windows\SysWOW64\Kkglim32.exe Klapha32.exe File opened for modification C:\Windows\SysWOW64\Kfkjnh32.exe Kpqaanqd.exe File opened for modification C:\Windows\SysWOW64\Bnkbcmaj.exe Bcbabodk.exe File opened for modification C:\Windows\SysWOW64\Dndahokk.exe Dbnpcn32.exe File created C:\Windows\SysWOW64\Lbmpnjai.exe Lbkchj32.exe File created C:\Windows\SysWOW64\Kmmiaknb.exe Jmkmlk32.exe File created C:\Windows\SysWOW64\Bpbmbf32.dll Ijegeg32.exe File created C:\Windows\SysWOW64\Ojgkih32.exe Ooaflp32.exe File opened for modification C:\Windows\SysWOW64\Cmikpngk.exe Cmfnjnin.exe File created C:\Windows\SysWOW64\Jilkbn32.exe Jmejmm32.exe File created C:\Windows\SysWOW64\Ceoinjaa.dll Pembpkfi.exe File created C:\Windows\SysWOW64\Piondi32.dll Geckno32.exe File opened for modification C:\Windows\SysWOW64\Lpbhmiji.exe Lcnhcdkp.exe File created C:\Windows\SysWOW64\Hbhjphla.dll Hanenoeh.exe File created C:\Windows\SysWOW64\Efakhk32.exe Edbonh32.exe File opened for modification C:\Windows\SysWOW64\Ihcfan32.exe Ihqilnig.exe File opened for modification C:\Windows\SysWOW64\Ljeabf32.exe Lnopmegg.exe File created C:\Windows\SysWOW64\Dkohanoc.exe Dpicceon.exe File opened for modification C:\Windows\SysWOW64\Hjdfgojp.exe Hpnbjfjj.exe File created C:\Windows\SysWOW64\Faikbkhj.exe Fdekigip.exe File created C:\Windows\SysWOW64\Ifiilp32.exe Hpmdjf32.exe File opened for modification C:\Windows\SysWOW64\Mpaoojjb.exe Mjbiac32.exe File opened for modification C:\Windows\SysWOW64\Pgbejj32.exe Pogaeg32.exe File opened for modification C:\Windows\SysWOW64\Fnjiin32.exe Fdaephpc.exe File created C:\Windows\SysWOW64\Jeblgodb.exe Jilkbn32.exe File opened for modification C:\Windows\SysWOW64\Ahgdbk32.exe Qibhao32.exe File created C:\Windows\SysWOW64\Lagknhgp.dll Befcne32.exe File created C:\Windows\SysWOW64\Oakcan32.exe Olokighn.exe File opened for modification C:\Windows\SysWOW64\Alqplmlb.exe Alncgn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1660 1108 WerFault.exe 686 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koogbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkqhbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbepplkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkohanoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mganfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmholgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijpjik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpegka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmikpngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kccbgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdeaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opennf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfaopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqneaodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbblpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkphmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmlfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnnmboa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimfcedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceanmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hopgikop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfpdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbabodk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coejfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfobmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmnlog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fholmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqqdigko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khjkiikl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eolljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhjcing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giikkehc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbilimn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqdioaqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhmkbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaamhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeblgodb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbgia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqpgll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobmkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmgmhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imndmnob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laknfmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpieli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojeda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpeojha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iofiimkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijadk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqgbah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acbnggjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laeidfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpofh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oddmokoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqjfgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooaflp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adohpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkcjlhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ailboh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijelgemi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifniaeqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlbnja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkajkoml.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlooenoo.dll" Bcdpacgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihpmkee.dll" Amnanefa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqneaodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgjno32.dll" Lpekln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnkblgl.dll" Nijdcdgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iedmhlqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nknmplji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfliqmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdplmai.dll" Hmheol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmhile32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhmjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anndbnao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plhfoe32.dll" Kbokda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjdiigbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooiepnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceiinfd.dll" Ohppjpkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqqdigko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqcpfcbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgoakpjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laknfmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffecai32.dll" Lfgaaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmmge32.dll" Hqpjndio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbecjo32.dll" Jpnfdbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahqpjlb.dll" Mgglcqdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oagkfqbe.dll" Njjbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glmckikf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aahkhgag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohppjpkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgeenb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogkbmcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdbloobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhogeg.dll" Bcmjpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abdpngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blcmbmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmgejpfh.dll" Ehilgikj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jomnpdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offlpgfp.dll" Nkphmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkljljko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpmpjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iflhjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffkncf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gphlgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifniaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmnppdb.dll" Opbopn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcaiqfib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgbbalc.dll" Jcmgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgbckhmc.dll" Nlcnaaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifngiqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnngpaop.dll" Fdbgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdehgnqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflpgp32.dll" Kbgnil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbahk32.dll" Bcedbefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhngohip.dll" Fihcdkom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fadagl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpieli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqkbkicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lojeda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohilhjfg.dll" Hadece32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkpekjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elmmegkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kobmkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knngob32.dll" Ifkfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahfnj32.dll" Pmoqfi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2596 2116 4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bcN.exe 30 PID 2116 wrote to memory of 2596 2116 4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bcN.exe 30 PID 2116 wrote to memory of 2596 2116 4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bcN.exe 30 PID 2116 wrote to memory of 2596 2116 4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bcN.exe 30 PID 2596 wrote to memory of 2220 2596 Nmogpj32.exe 31 PID 2596 wrote to memory of 2220 2596 Nmogpj32.exe 31 PID 2596 wrote to memory of 2220 2596 Nmogpj32.exe 31 PID 2596 wrote to memory of 2220 2596 Nmogpj32.exe 31 PID 2220 wrote to memory of 2168 2220 Nldcagaq.exe 32 PID 2220 wrote to memory of 2168 2220 Nldcagaq.exe 32 PID 2220 wrote to memory of 2168 2220 Nldcagaq.exe 32 PID 2220 wrote to memory of 2168 2220 Nldcagaq.exe 32 PID 2168 wrote to memory of 2924 2168 Pamlel32.exe 33 PID 2168 wrote to memory of 2924 2168 Pamlel32.exe 33 PID 2168 wrote to memory of 2924 2168 Pamlel32.exe 33 PID 2168 wrote to memory of 2924 2168 Pamlel32.exe 33 PID 2924 wrote to memory of 2920 2924 Pnfipm32.exe 34 PID 2924 wrote to memory of 2920 2924 Pnfipm32.exe 34 PID 2924 wrote to memory of 2920 2924 Pnfipm32.exe 34 PID 2924 wrote to memory of 2920 2924 Pnfipm32.exe 34 PID 2920 wrote to memory of 2564 2920 Pqgbah32.exe 35 PID 2920 wrote to memory of 2564 2920 Pqgbah32.exe 35 PID 2920 wrote to memory of 2564 2920 Pqgbah32.exe 35 PID 2920 wrote to memory of 2564 2920 Pqgbah32.exe 35 PID 2564 wrote to memory of 1988 2564 Acbnggjo.exe 36 PID 2564 wrote to memory of 1988 2564 Acbnggjo.exe 36 PID 2564 wrote to memory of 1988 2564 Acbnggjo.exe 36 PID 2564 wrote to memory of 1988 2564 Acbnggjo.exe 36 PID 1988 wrote to memory of 2904 1988 Bbannb32.exe 37 PID 1988 wrote to memory of 2904 1988 Bbannb32.exe 37 PID 1988 wrote to memory of 2904 1988 Bbannb32.exe 37 PID 1988 wrote to memory of 2904 1988 Bbannb32.exe 37 PID 2904 wrote to memory of 668 2904 Bllomg32.exe 38 PID 2904 wrote to memory of 668 2904 Bllomg32.exe 38 PID 2904 wrote to memory of 668 2904 Bllomg32.exe 38 PID 2904 wrote to memory of 668 2904 Bllomg32.exe 38 PID 668 wrote to memory of 1108 668 Blnkbg32.exe 39 PID 668 wrote to memory of 1108 668 Blnkbg32.exe 39 PID 668 wrote to memory of 1108 668 Blnkbg32.exe 39 PID 668 wrote to memory of 1108 668 Blnkbg32.exe 39 PID 1108 wrote to memory of 1632 1108 Cooddbfh.exe 40 PID 1108 wrote to memory of 1632 1108 Cooddbfh.exe 40 PID 1108 wrote to memory of 1632 1108 Cooddbfh.exe 40 PID 1108 wrote to memory of 1632 1108 Cooddbfh.exe 40 PID 1632 wrote to memory of 1016 1632 Chgimh32.exe 41 PID 1632 wrote to memory of 1016 1632 Chgimh32.exe 41 PID 1632 wrote to memory of 1016 1632 Chgimh32.exe 41 PID 1632 wrote to memory of 1016 1632 Chgimh32.exe 41 PID 1016 wrote to memory of 520 1016 Cmfnjnin.exe 42 PID 1016 wrote to memory of 520 1016 Cmfnjnin.exe 42 PID 1016 wrote to memory of 520 1016 Cmfnjnin.exe 42 PID 1016 wrote to memory of 520 1016 Cmfnjnin.exe 42 PID 520 wrote to memory of 2404 520 Cmikpngk.exe 43 PID 520 wrote to memory of 2404 520 Cmikpngk.exe 43 PID 520 wrote to memory of 2404 520 Cmikpngk.exe 43 PID 520 wrote to memory of 2404 520 Cmikpngk.exe 43 PID 2404 wrote to memory of 1992 2404 Coldmfkf.exe 44 PID 2404 wrote to memory of 1992 2404 Coldmfkf.exe 44 PID 2404 wrote to memory of 1992 2404 Coldmfkf.exe 44 PID 2404 wrote to memory of 1992 2404 Coldmfkf.exe 44 PID 1992 wrote to memory of 2776 1992 Dcjmcd32.exe 45 PID 1992 wrote to memory of 2776 1992 Dcjmcd32.exe 45 PID 1992 wrote to memory of 2776 1992 Dcjmcd32.exe 45 PID 1992 wrote to memory of 2776 1992 Dcjmcd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bcN.exe"C:\Users\Admin\AppData\Local\Temp\4876bc190e2be7ebbb2e5ce83b13b8511f75406fdd2f5cd06d90e50e908425bcN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Nmogpj32.exeC:\Windows\system32\Nmogpj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Nldcagaq.exeC:\Windows\system32\Nldcagaq.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Pamlel32.exeC:\Windows\system32\Pamlel32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Pnfipm32.exeC:\Windows\system32\Pnfipm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Pqgbah32.exeC:\Windows\system32\Pqgbah32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Acbnggjo.exeC:\Windows\system32\Acbnggjo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Bbannb32.exeC:\Windows\system32\Bbannb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Bllomg32.exeC:\Windows\system32\Bllomg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Blnkbg32.exeC:\Windows\system32\Blnkbg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Cooddbfh.exeC:\Windows\system32\Cooddbfh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Chgimh32.exeC:\Windows\system32\Chgimh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Cmfnjnin.exeC:\Windows\system32\Cmfnjnin.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Cmikpngk.exeC:\Windows\system32\Cmikpngk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\Coldmfkf.exeC:\Windows\system32\Coldmfkf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Dcjmcd32.exeC:\Windows\system32\Dcjmcd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Doamhe32.exeC:\Windows\system32\Doamhe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Dnfjiali.exeC:\Windows\system32\Dnfjiali.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Dpgckm32.exeC:\Windows\system32\Dpgckm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Elndpnnn.exeC:\Windows\system32\Elndpnnn.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Ejadibmh.exeC:\Windows\system32\Ejadibmh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1232 -
C:\Windows\SysWOW64\Efhenccl.exeC:\Windows\system32\Efhenccl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Fhngkm32.exeC:\Windows\system32\Fhngkm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Fdehpn32.exeC:\Windows\system32\Fdehpn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Fnmmidhm.exeC:\Windows\system32\Fnmmidhm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Fkambhgf.exeC:\Windows\system32\Fkambhgf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Ffkncf32.exeC:\Windows\system32\Ffkncf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Gphlgk32.exeC:\Windows\system32\Gphlgk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Gplebjbk.exeC:\Windows\system32\Gplebjbk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Gjffbhnj.exeC:\Windows\system32\Gjffbhnj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Hhjgll32.exeC:\Windows\system32\Hhjgll32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe33⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Hnflnfbm.exeC:\Windows\system32\Hnflnfbm.exe34⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Hipmoc32.exeC:\Windows\system32\Hipmoc32.exe35⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Hmneebeb.exeC:\Windows\system32\Hmneebeb.exe36⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Hlcbfnjk.exeC:\Windows\system32\Hlcbfnjk.exe38⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Iigcobid.exeC:\Windows\system32\Iigcobid.exe39⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Iboghh32.exeC:\Windows\system32\Iboghh32.exe40⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Ikjlmjmp.exeC:\Windows\system32\Ikjlmjmp.exe41⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Ihnmfoli.exeC:\Windows\system32\Ihnmfoli.exe42⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe44⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Jpqgkpcl.exeC:\Windows\system32\Jpqgkpcl.exe46⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe47⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Jhniebne.exeC:\Windows\system32\Jhniebne.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Jhqeka32.exeC:\Windows\system32\Jhqeka32.exe49⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Kbkgig32.exeC:\Windows\system32\Kbkgig32.exe51⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Koogbk32.exeC:\Windows\system32\Koogbk32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1836 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe53⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Kjkehhjf.exeC:\Windows\system32\Kjkehhjf.exe54⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Kfbemi32.exeC:\Windows\system32\Kfbemi32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe56⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Lbkchj32.exeC:\Windows\system32\Lbkchj32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Lbmpnjai.exeC:\Windows\system32\Lbmpnjai.exe58⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Lfkhch32.exeC:\Windows\system32\Lfkhch32.exe59⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Mnijnjbh.exeC:\Windows\system32\Mnijnjbh.exe61⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Meeopdhb.exeC:\Windows\system32\Meeopdhb.exe63⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe64⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Mpalfabn.exeC:\Windows\system32\Mpalfabn.exe65⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Mlhmkbhb.exeC:\Windows\system32\Mlhmkbhb.exe66⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Nljjqbfp.exeC:\Windows\system32\Nljjqbfp.exe67⤵PID:1996
-
C:\Windows\SysWOW64\Nhakecld.exeC:\Windows\system32\Nhakecld.exe68⤵PID:2908
-
C:\Windows\SysWOW64\Nhcgkbja.exeC:\Windows\system32\Nhcgkbja.exe69⤵PID:1396
-
C:\Windows\SysWOW64\Nhfdqb32.exeC:\Windows\system32\Nhfdqb32.exe70⤵PID:608
-
C:\Windows\SysWOW64\Nhhqfb32.exeC:\Windows\system32\Nhhqfb32.exe71⤵PID:2428
-
C:\Windows\SysWOW64\Odoakckp.exeC:\Windows\system32\Odoakckp.exe72⤵PID:1164
-
C:\Windows\SysWOW64\Opebpdad.exeC:\Windows\system32\Opebpdad.exe73⤵PID:2584
-
C:\Windows\SysWOW64\Odckfb32.exeC:\Windows\system32\Odckfb32.exe74⤵PID:1828
-
C:\Windows\SysWOW64\Onlooh32.exeC:\Windows\system32\Onlooh32.exe75⤵PID:1516
-
C:\Windows\SysWOW64\Ogddhmdl.exeC:\Windows\system32\Ogddhmdl.exe76⤵PID:2192
-
C:\Windows\SysWOW64\Opmhqc32.exeC:\Windows\system32\Opmhqc32.exe77⤵PID:1424
-
C:\Windows\SysWOW64\Piemih32.exeC:\Windows\system32\Piemih32.exe78⤵PID:900
-
C:\Windows\SysWOW64\Pdonjf32.exeC:\Windows\system32\Pdonjf32.exe79⤵PID:2472
-
C:\Windows\SysWOW64\Pngbcldl.exeC:\Windows\system32\Pngbcldl.exe80⤵PID:2024
-
C:\Windows\SysWOW64\Pniohk32.exeC:\Windows\system32\Pniohk32.exe81⤵PID:3064
-
C:\Windows\SysWOW64\Paghojip.exeC:\Windows\system32\Paghojip.exe82⤵PID:1780
-
C:\Windows\SysWOW64\Qmahog32.exeC:\Windows\system32\Qmahog32.exe83⤵PID:1316
-
C:\Windows\SysWOW64\Qmcedg32.exeC:\Windows\system32\Qmcedg32.exe84⤵PID:1496
-
C:\Windows\SysWOW64\Aijfihip.exeC:\Windows\system32\Aijfihip.exe85⤵PID:1080
-
C:\Windows\SysWOW64\Ailboh32.exeC:\Windows\system32\Ailboh32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Aioodg32.exeC:\Windows\system32\Aioodg32.exe87⤵PID:2632
-
C:\Windows\SysWOW64\Abgdnm32.exeC:\Windows\system32\Abgdnm32.exe88⤵PID:3008
-
C:\Windows\SysWOW64\Anndbnao.exeC:\Windows\system32\Anndbnao.exe89⤵
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Agfikc32.exeC:\Windows\system32\Agfikc32.exe90⤵PID:2072
-
C:\Windows\SysWOW64\Bcmjpd32.exeC:\Windows\system32\Bcmjpd32.exe91⤵
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Bcoffd32.exeC:\Windows\system32\Bcoffd32.exe92⤵PID:1704
-
C:\Windows\SysWOW64\Bpfgke32.exeC:\Windows\system32\Bpfgke32.exe93⤵PID:2008
-
C:\Windows\SysWOW64\Bcdpacgl.exeC:\Windows\system32\Bcdpacgl.exe94⤵
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Blodefdg.exeC:\Windows\system32\Blodefdg.exe95⤵PID:3044
-
C:\Windows\SysWOW64\Cpmmkdkn.exeC:\Windows\system32\Cpmmkdkn.exe96⤵PID:1208
-
C:\Windows\SysWOW64\Cobjmq32.exeC:\Windows\system32\Cobjmq32.exe97⤵PID:2332
-
C:\Windows\SysWOW64\Dijgnm32.exeC:\Windows\system32\Dijgnm32.exe98⤵PID:2824
-
C:\Windows\SysWOW64\Dpflqfeo.exeC:\Windows\system32\Dpflqfeo.exe99⤵PID:2064
-
C:\Windows\SysWOW64\Elmmegkb.exeC:\Windows\system32\Elmmegkb.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Eonfgbhc.exeC:\Windows\system32\Eonfgbhc.exe101⤵PID:1204
-
C:\Windows\SysWOW64\Ehhgfgla.exeC:\Windows\system32\Ehhgfgla.exe102⤵PID:3016
-
C:\Windows\SysWOW64\Ecbhfeip.exeC:\Windows\system32\Ecbhfeip.exe103⤵PID:1824
-
C:\Windows\SysWOW64\Fdaephpc.exeC:\Windows\system32\Fdaephpc.exe104⤵
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Fnjiin32.exeC:\Windows\system32\Fnjiin32.exe105⤵PID:1616
-
C:\Windows\SysWOW64\Fokfqflb.exeC:\Windows\system32\Fokfqflb.exe106⤵PID:2328
-
C:\Windows\SysWOW64\Fqkbkicd.exeC:\Windows\system32\Fqkbkicd.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Fihcdkom.exeC:\Windows\system32\Fihcdkom.exe108⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Fbqhnqen.exeC:\Windows\system32\Fbqhnqen.exe109⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe110⤵PID:2876
-
C:\Windows\SysWOW64\Gnjehaio.exeC:\Windows\system32\Gnjehaio.exe111⤵PID:2460
-
C:\Windows\SysWOW64\Ggbjag32.exeC:\Windows\system32\Ggbjag32.exe112⤵PID:2880
-
C:\Windows\SysWOW64\Ggdfff32.exeC:\Windows\system32\Ggdfff32.exe113⤵PID:1340
-
C:\Windows\SysWOW64\Gckgkg32.exeC:\Windows\system32\Gckgkg32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Hcndag32.exeC:\Windows\system32\Hcndag32.exe115⤵PID:2292
-
C:\Windows\SysWOW64\Hbcabc32.exeC:\Windows\system32\Hbcabc32.exe116⤵PID:2204
-
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Hiofdmkq.exeC:\Windows\system32\Hiofdmkq.exe118⤵PID:1264
-
C:\Windows\SysWOW64\Hbgjmcba.exeC:\Windows\system32\Hbgjmcba.exe119⤵PID:760
-
C:\Windows\SysWOW64\Hlpofh32.exeC:\Windows\system32\Hlpofh32.exe120⤵
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Ijelgemi.exeC:\Windows\system32\Ijelgemi.exe121⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Iocdmccp.exeC:\Windows\system32\Iocdmccp.exe122⤵PID:892
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-