Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 02:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88N.exe
-
Size
465KB
-
MD5
0788bd6f82cbc2cbd4fb79b32483f520
-
SHA1
630d1f2a4419b2cf5ad2528a050bc649814b9df0
-
SHA256
f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88
-
SHA512
4043a915fb9b97c4ac3a8aee8b31117a8bec37b9e7f72ff84bc33abf3cd99462fd18bdcc4c4b1dbe1ad48859c50607dc428b49365e3ae6016314f048a2826cac
-
SSDEEP
6144:HU2OoZCiWZVu3njPX9ZAkvntd4ljd3rKzwN8Jlljd3njPX9ZAk3fs:HjOclW+jP9ZtVkjpKXjtjP9Zt0
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epkepakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmjomogn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckecpjdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcoolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcedad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnbpqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogbldk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojkhjabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpaec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobaef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmeecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkhjabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfhlbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fenphjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfebdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpniokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clinfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnblhddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpebidam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laidgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdogldmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bikfklni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pngbcldl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnhefh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Capdpcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amplklmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknngo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edcqjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfabkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cipleo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikoehj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkbnap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfippfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfagemej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kheofahm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfpibn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omphocck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlemlnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icabeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpqjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oapcfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbafalph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogdhik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdcnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceickb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqcjaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbnaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdnjkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobleeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjkiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hecebm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqochjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eomdoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bemmenhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbmii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhlbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldpnoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhnmfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbegbacp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdkbjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankhmncb.exe -
Executes dropped EXE 64 IoCs
pid Process 2792 Lkicbk32.exe 2676 Lpflkb32.exe 2584 Mhcmedli.exe 1312 Mhhgpc32.exe 1856 Mbqkiind.exe 576 Nnjicjbf.exe 2420 Nknimnap.exe 1664 Nihcog32.exe 344 Ncmglp32.exe 2760 Oeaqig32.exe 1932 Oajndh32.exe 2032 Onqkclni.exe 2068 Oejcpf32.exe 2316 Pfpibn32.exe 1968 Pddjlb32.exe 2448 Popgboae.exe 568 Qaapcj32.exe 1380 Addfkeid.exe 856 Aknngo32.exe 2224 Alageg32.exe 1048 Agglbp32.exe 2288 Apppkekc.exe 2480 Bpbmqe32.exe 884 Bcbfbp32.exe 2692 Bfabnl32.exe 2816 Bgdkkc32.exe 2796 Bnochnpm.exe 2756 Bdhleh32.exe 2664 Bdkhjgeh.exe 2020 Ckeqga32.exe 2724 Cglalbbi.exe 2648 Cqdfehii.exe 2128 Cmkfji32.exe 1764 Cfehhn32.exe 1724 Cmppehkh.exe 1376 Dnqlmq32.exe 604 Dboeco32.exe 1936 Dihmpinj.exe 1720 Dlifadkk.exe 2444 Dafoikjb.exe 2176 Dfcgbb32.exe 956 Dcghkf32.exe 952 Eakhdj32.exe 640 Efhqmadd.exe 2956 Emaijk32.exe 1776 Efjmbaba.exe 2476 Emdeok32.exe 2972 Efljhq32.exe 2340 Eimcjl32.exe 1032 Fbegbacp.exe 2784 Feddombd.exe 2780 Fdgdji32.exe 2776 Folhgbid.exe 2544 Fakdcnhh.exe 3052 Fggmldfp.exe 2088 Famaimfe.exe 236 Fhgifgnb.exe 1148 Fihfnp32.exe 896 Fdnjkh32.exe 2328 Fijbco32.exe 1156 Fliook32.exe 2116 Fgocmc32.exe 1716 Glklejoo.exe 2300 Gojhafnb.exe -
Loads dropped DLL 64 IoCs
pid Process 2644 f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88N.exe 2644 f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88N.exe 2792 Lkicbk32.exe 2792 Lkicbk32.exe 2676 Lpflkb32.exe 2676 Lpflkb32.exe 2584 Mhcmedli.exe 2584 Mhcmedli.exe 1312 Mhhgpc32.exe 1312 Mhhgpc32.exe 1856 Mbqkiind.exe 1856 Mbqkiind.exe 576 Nnjicjbf.exe 576 Nnjicjbf.exe 2420 Nknimnap.exe 2420 Nknimnap.exe 1664 Nihcog32.exe 1664 Nihcog32.exe 344 Ncmglp32.exe 344 Ncmglp32.exe 2760 Oeaqig32.exe 2760 Oeaqig32.exe 1932 Oajndh32.exe 1932 Oajndh32.exe 2032 Onqkclni.exe 2032 Onqkclni.exe 2068 Oejcpf32.exe 2068 Oejcpf32.exe 2316 Pfpibn32.exe 2316 Pfpibn32.exe 1968 Pddjlb32.exe 1968 Pddjlb32.exe 2448 Popgboae.exe 2448 Popgboae.exe 568 Qaapcj32.exe 568 Qaapcj32.exe 1380 Addfkeid.exe 1380 Addfkeid.exe 856 Aknngo32.exe 856 Aknngo32.exe 2224 Alageg32.exe 2224 Alageg32.exe 1048 Agglbp32.exe 1048 Agglbp32.exe 2288 Apppkekc.exe 2288 Apppkekc.exe 2480 Bpbmqe32.exe 2480 Bpbmqe32.exe 884 Bcbfbp32.exe 884 Bcbfbp32.exe 2692 Bfabnl32.exe 2692 Bfabnl32.exe 2816 Bgdkkc32.exe 2816 Bgdkkc32.exe 2796 Bnochnpm.exe 2796 Bnochnpm.exe 2756 Bdhleh32.exe 2756 Bdhleh32.exe 2664 Bdkhjgeh.exe 2664 Bdkhjgeh.exe 2020 Ckeqga32.exe 2020 Ckeqga32.exe 2724 Cglalbbi.exe 2724 Cglalbbi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ohopde32.dll Nghpjn32.exe File created C:\Windows\SysWOW64\Ngjlpmnn.exe Nnahgh32.exe File created C:\Windows\SysWOW64\Cqoebm32.dll Pljnkodm.exe File created C:\Windows\SysWOW64\Jidbmpjh.dll Ocpfkh32.exe File opened for modification C:\Windows\SysWOW64\Cffjagko.exe Clnehado.exe File created C:\Windows\SysWOW64\Mciljggi.dll Dhlogjko.exe File created C:\Windows\SysWOW64\Ibodnd32.dll Jibnop32.exe File created C:\Windows\SysWOW64\Oidhelof.dll Fmddgg32.exe File created C:\Windows\SysWOW64\Mjpkbk32.exe Mecbjd32.exe File created C:\Windows\SysWOW64\Oacbdg32.exe Okijhmcm.exe File created C:\Windows\SysWOW64\Bgfdgq32.dll Ijqjgo32.exe File opened for modification C:\Windows\SysWOW64\Eldbkbop.exe Ecmjid32.exe File created C:\Windows\SysWOW64\Nohefjhb.dll Pgaahh32.exe File created C:\Windows\SysWOW64\Ealahi32.exe Epkepakn.exe File opened for modification C:\Windows\SysWOW64\Kablnadm.exe Klecfkff.exe File opened for modification C:\Windows\SysWOW64\Nljhhi32.exe Nikkkn32.exe File created C:\Windows\SysWOW64\Dcmpcjcf.exe Dpodgocb.exe File opened for modification C:\Windows\SysWOW64\Hhogaamj.exe Hfnkji32.exe File created C:\Windows\SysWOW64\Jqfhqe32.exe Jbcgeilh.exe File created C:\Windows\SysWOW64\Bgbjkg32.dll Mlbkmdah.exe File created C:\Windows\SysWOW64\Efkbdbai.exe Eclfhgaf.exe File created C:\Windows\SysWOW64\Folhgbid.exe Fdgdji32.exe File opened for modification C:\Windows\SysWOW64\Bkcfjk32.exe Bnofaf32.exe File created C:\Windows\SysWOW64\Aebakp32.exe Acadchoo.exe File created C:\Windows\SysWOW64\Edhpaa32.exe Ekpkhkji.exe File created C:\Windows\SysWOW64\Dhgelk32.exe Deiipp32.exe File created C:\Windows\SysWOW64\Lbkchj32.exe Lmnkpc32.exe File opened for modification C:\Windows\SysWOW64\Ainkcf32.exe Aohgfm32.exe File created C:\Windows\SysWOW64\Fbfldc32.exe Fkldgi32.exe File created C:\Windows\SysWOW64\Lofkoamf.exe Lenffl32.exe File created C:\Windows\SysWOW64\Iidbakdl.dll Caokmd32.exe File created C:\Windows\SysWOW64\Phohmbjf.dll Pcmoie32.exe File created C:\Windows\SysWOW64\Clmkgm32.dll Capdpcge.exe File opened for modification C:\Windows\SysWOW64\Iagaod32.exe Ihnmfoli.exe File opened for modification C:\Windows\SysWOW64\Hhkopj32.exe Gqdgom32.exe File opened for modification C:\Windows\SysWOW64\Ojpaeq32.exe Ogaeieoj.exe File opened for modification C:\Windows\SysWOW64\Jllakpdk.exe Jafmngde.exe File opened for modification C:\Windows\SysWOW64\Kbkgig32.exe Knpkhhhg.exe File created C:\Windows\SysWOW64\Fmddgg32.exe Feipbefb.exe File created C:\Windows\SysWOW64\Cppobaeb.exe Bkcfjk32.exe File created C:\Windows\SysWOW64\Ilmlfcel.exe Injlkf32.exe File created C:\Windows\SysWOW64\Blipcb32.dll Dijfch32.exe File opened for modification C:\Windows\SysWOW64\Eakhdj32.exe Dcghkf32.exe File created C:\Windows\SysWOW64\Ccboal32.dll Ggiofa32.exe File created C:\Windows\SysWOW64\Hkpnjd32.exe Hecebm32.exe File opened for modification C:\Windows\SysWOW64\Kabngjla.exe Kjhfjpdd.exe File opened for modification C:\Windows\SysWOW64\Dnqhkcdo.exe Dckcnj32.exe File created C:\Windows\SysWOW64\Bhonin32.dll Fkldgi32.exe File created C:\Windows\SysWOW64\Bbgmbfej.dll Gllpflng.exe File created C:\Windows\SysWOW64\Dlifadkk.exe Dihmpinj.exe File created C:\Windows\SysWOW64\Enkcccnb.dll Anhpkg32.exe File created C:\Windows\SysWOW64\Fbfjkj32.exe Egpena32.exe File created C:\Windows\SysWOW64\Mmofak32.dll Bakdjn32.exe File created C:\Windows\SysWOW64\Cpbnaj32.exe Cihedpcg.exe File created C:\Windows\SysWOW64\Lmkcfaod.dll Ihjcko32.exe File created C:\Windows\SysWOW64\Bnofaf32.exe Blniinac.exe File created C:\Windows\SysWOW64\Hjcaha32.exe Hgeelf32.exe File created C:\Windows\SysWOW64\Bjpdhifk.exe Bphooc32.exe File created C:\Windows\SysWOW64\Hkbkpcpd.exe Hajfgnjc.exe File created C:\Windows\SysWOW64\Lhimji32.exe Lmcilp32.exe File created C:\Windows\SysWOW64\Cenancce.dll Iafofkkf.exe File created C:\Windows\SysWOW64\Peeabm32.exe Pjpmdd32.exe File created C:\Windows\SysWOW64\Gmadkcmq.dll Ngqeha32.exe File created C:\Windows\SysWOW64\Eimcjl32.exe Efljhq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2436 1980 WerFault.exe 966 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbomli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqcmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpnoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqngcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdoci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhcgkbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgfmlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haleefoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmihgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfdaid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpeafo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffibceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdcdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcgmfgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijidfpci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbaapfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhehpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipleo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjnenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgaahh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amgjnepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdgkicek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmqjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlnjcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kablnadm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjihci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakdcnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpqim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbnec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbknmicj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dchpnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfpnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famaimfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajqbakc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfikod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqfhqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflonn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpfke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkhalo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbafalph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Booiep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhpaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhdlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmaeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagmbkik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkaoalg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nobpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blibghmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgfjggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgegfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikicikap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhgelk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmbqcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpkbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjbmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbchkime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjngoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfklepl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofomolo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomcpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfopnkk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojghf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plndcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdnej32.dll" Pnnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbgjc32.dll" Ibillk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmjekahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfjfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjoliob.dll" Fjaoplho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdhdlbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khgkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbmome32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lljipmdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dppfbm32.dll" Dfkjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiheodlg.dll" Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hagepa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgfmlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnjlmid.dll" Dnqlmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkobpmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nchipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Effhic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhonin32.dll" Fkldgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhpfdaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpiomqg.dll" Bpcfcddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnpjc32.dll" Eaednh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lonlkcho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pffgonbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maneecda.dll" Pdfdkehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blnpddeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdlacfca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpodgocb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpddgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efkbdbai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpokjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfjgc32.dll" Cobhdhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eefjaj32.dll" Baigen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okijhmcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liedae32.dll" Fnejdiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqfhqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdqifajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eclfhgaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elllck32.dll" Iomcpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddkgbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaggbihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahhchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdogldmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dekeeonn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agfbfl32.dll" Bejiehfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcpbik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnqhkcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glijnmdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodkcd32.dll" Pmkfqind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acggbffj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdlclo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbqkiind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipklb32.dll" Ooggpiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeadqq32.dll" Occlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkjqcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgdiho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndggib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfmjoqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kngaig32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2792 2644 f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88N.exe 30 PID 2644 wrote to memory of 2792 2644 f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88N.exe 30 PID 2644 wrote to memory of 2792 2644 f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88N.exe 30 PID 2644 wrote to memory of 2792 2644 f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88N.exe 30 PID 2792 wrote to memory of 2676 2792 Lkicbk32.exe 31 PID 2792 wrote to memory of 2676 2792 Lkicbk32.exe 31 PID 2792 wrote to memory of 2676 2792 Lkicbk32.exe 31 PID 2792 wrote to memory of 2676 2792 Lkicbk32.exe 31 PID 2676 wrote to memory of 2584 2676 Lpflkb32.exe 32 PID 2676 wrote to memory of 2584 2676 Lpflkb32.exe 32 PID 2676 wrote to memory of 2584 2676 Lpflkb32.exe 32 PID 2676 wrote to memory of 2584 2676 Lpflkb32.exe 32 PID 2584 wrote to memory of 1312 2584 Mhcmedli.exe 33 PID 2584 wrote to memory of 1312 2584 Mhcmedli.exe 33 PID 2584 wrote to memory of 1312 2584 Mhcmedli.exe 33 PID 2584 wrote to memory of 1312 2584 Mhcmedli.exe 33 PID 1312 wrote to memory of 1856 1312 Mhhgpc32.exe 34 PID 1312 wrote to memory of 1856 1312 Mhhgpc32.exe 34 PID 1312 wrote to memory of 1856 1312 Mhhgpc32.exe 34 PID 1312 wrote to memory of 1856 1312 Mhhgpc32.exe 34 PID 1856 wrote to memory of 576 1856 Mbqkiind.exe 35 PID 1856 wrote to memory of 576 1856 Mbqkiind.exe 35 PID 1856 wrote to memory of 576 1856 Mbqkiind.exe 35 PID 1856 wrote to memory of 576 1856 Mbqkiind.exe 35 PID 576 wrote to memory of 2420 576 Nnjicjbf.exe 36 PID 576 wrote to memory of 2420 576 Nnjicjbf.exe 36 PID 576 wrote to memory of 2420 576 Nnjicjbf.exe 36 PID 576 wrote to memory of 2420 576 Nnjicjbf.exe 36 PID 2420 wrote to memory of 1664 2420 Nknimnap.exe 37 PID 2420 wrote to memory of 1664 2420 Nknimnap.exe 37 PID 2420 wrote to memory of 1664 2420 Nknimnap.exe 37 PID 2420 wrote to memory of 1664 2420 Nknimnap.exe 37 PID 1664 wrote to memory of 344 1664 Nihcog32.exe 38 PID 1664 wrote to memory of 344 1664 Nihcog32.exe 38 PID 1664 wrote to memory of 344 1664 Nihcog32.exe 38 PID 1664 wrote to memory of 344 1664 Nihcog32.exe 38 PID 344 wrote to memory of 2760 344 Ncmglp32.exe 39 PID 344 wrote to memory of 2760 344 Ncmglp32.exe 39 PID 344 wrote to memory of 2760 344 Ncmglp32.exe 39 PID 344 wrote to memory of 2760 344 Ncmglp32.exe 39 PID 2760 wrote to memory of 1932 2760 Oeaqig32.exe 40 PID 2760 wrote to memory of 1932 2760 Oeaqig32.exe 40 PID 2760 wrote to memory of 1932 2760 Oeaqig32.exe 40 PID 2760 wrote to memory of 1932 2760 Oeaqig32.exe 40 PID 1932 wrote to memory of 2032 1932 Oajndh32.exe 41 PID 1932 wrote to memory of 2032 1932 Oajndh32.exe 41 PID 1932 wrote to memory of 2032 1932 Oajndh32.exe 41 PID 1932 wrote to memory of 2032 1932 Oajndh32.exe 41 PID 2032 wrote to memory of 2068 2032 Onqkclni.exe 42 PID 2032 wrote to memory of 2068 2032 Onqkclni.exe 42 PID 2032 wrote to memory of 2068 2032 Onqkclni.exe 42 PID 2032 wrote to memory of 2068 2032 Onqkclni.exe 42 PID 2068 wrote to memory of 2316 2068 Oejcpf32.exe 43 PID 2068 wrote to memory of 2316 2068 Oejcpf32.exe 43 PID 2068 wrote to memory of 2316 2068 Oejcpf32.exe 43 PID 2068 wrote to memory of 2316 2068 Oejcpf32.exe 43 PID 2316 wrote to memory of 1968 2316 Pfpibn32.exe 44 PID 2316 wrote to memory of 1968 2316 Pfpibn32.exe 44 PID 2316 wrote to memory of 1968 2316 Pfpibn32.exe 44 PID 2316 wrote to memory of 1968 2316 Pfpibn32.exe 44 PID 1968 wrote to memory of 2448 1968 Pddjlb32.exe 45 PID 1968 wrote to memory of 2448 1968 Pddjlb32.exe 45 PID 1968 wrote to memory of 2448 1968 Pddjlb32.exe 45 PID 1968 wrote to memory of 2448 1968 Pddjlb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88N.exe"C:\Users\Admin\AppData\Local\Temp\f12ac4ce1a8fc8741e4daf76b480c99df0dcac8ad688db5cf3e038ffbe5d6f88N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Lkicbk32.exeC:\Windows\system32\Lkicbk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Lpflkb32.exeC:\Windows\system32\Lpflkb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Mhhgpc32.exeC:\Windows\system32\Mhhgpc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Nnjicjbf.exeC:\Windows\system32\Nnjicjbf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Nihcog32.exeC:\Windows\system32\Nihcog32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Ncmglp32.exeC:\Windows\system32\Ncmglp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Oeaqig32.exeC:\Windows\system32\Oeaqig32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Oejcpf32.exeC:\Windows\system32\Oejcpf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Pddjlb32.exeC:\Windows\system32\Pddjlb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Popgboae.exeC:\Windows\system32\Popgboae.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Qaapcj32.exeC:\Windows\system32\Qaapcj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Addfkeid.exeC:\Windows\system32\Addfkeid.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Agglbp32.exeC:\Windows\system32\Agglbp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Bpbmqe32.exeC:\Windows\system32\Bpbmqe32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Bcbfbp32.exeC:\Windows\system32\Bcbfbp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Bfabnl32.exeC:\Windows\system32\Bfabnl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Bnochnpm.exeC:\Windows\system32\Bnochnpm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Bdhleh32.exeC:\Windows\system32\Bdhleh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Bdkhjgeh.exeC:\Windows\system32\Bdkhjgeh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Ckeqga32.exeC:\Windows\system32\Ckeqga32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Cglalbbi.exeC:\Windows\system32\Cglalbbi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Cqdfehii.exeC:\Windows\system32\Cqdfehii.exe33⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Cmkfji32.exeC:\Windows\system32\Cmkfji32.exe34⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Cfehhn32.exeC:\Windows\system32\Cfehhn32.exe35⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Cmppehkh.exeC:\Windows\system32\Cmppehkh.exe36⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Dnqlmq32.exeC:\Windows\system32\Dnqlmq32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe38⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Dihmpinj.exeC:\Windows\system32\Dihmpinj.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Dlifadkk.exeC:\Windows\system32\Dlifadkk.exe40⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Dafoikjb.exeC:\Windows\system32\Dafoikjb.exe41⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Dfcgbb32.exeC:\Windows\system32\Dfcgbb32.exe42⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Dcghkf32.exeC:\Windows\system32\Dcghkf32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Eakhdj32.exeC:\Windows\system32\Eakhdj32.exe44⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Efhqmadd.exeC:\Windows\system32\Efhqmadd.exe45⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Emaijk32.exeC:\Windows\system32\Emaijk32.exe46⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Emdeok32.exeC:\Windows\system32\Emdeok32.exe48⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Efljhq32.exeC:\Windows\system32\Efljhq32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe50⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Fbegbacp.exeC:\Windows\system32\Fbegbacp.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Feddombd.exeC:\Windows\system32\Feddombd.exe52⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Fdgdji32.exeC:\Windows\system32\Fdgdji32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Folhgbid.exeC:\Windows\system32\Folhgbid.exe54⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Fakdcnhh.exeC:\Windows\system32\Fakdcnhh.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe56⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Famaimfe.exeC:\Windows\system32\Famaimfe.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Fhgifgnb.exeC:\Windows\system32\Fhgifgnb.exe58⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Fihfnp32.exeC:\Windows\system32\Fihfnp32.exe59⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Fdnjkh32.exeC:\Windows\system32\Fdnjkh32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\Fijbco32.exeC:\Windows\system32\Fijbco32.exe61⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Fliook32.exeC:\Windows\system32\Fliook32.exe62⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Fgocmc32.exeC:\Windows\system32\Fgocmc32.exe63⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Glklejoo.exeC:\Windows\system32\Glklejoo.exe64⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Gojhafnb.exeC:\Windows\system32\Gojhafnb.exe65⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Gpidki32.exeC:\Windows\system32\Gpidki32.exe67⤵PID:1780
-
C:\Windows\SysWOW64\Gajqbakc.exeC:\Windows\system32\Gajqbakc.exe68⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Giaidnkf.exeC:\Windows\system32\Giaidnkf.exe69⤵PID:1948
-
C:\Windows\SysWOW64\Glpepj32.exeC:\Windows\system32\Glpepj32.exe70⤵PID:2820
-
C:\Windows\SysWOW64\Gcjmmdbf.exeC:\Windows\system32\Gcjmmdbf.exe71⤵PID:2744
-
C:\Windows\SysWOW64\Ghgfekpn.exeC:\Windows\system32\Ghgfekpn.exe72⤵PID:2916
-
C:\Windows\SysWOW64\Gncnmane.exeC:\Windows\system32\Gncnmane.exe73⤵PID:2628
-
C:\Windows\SysWOW64\Gekfnoog.exeC:\Windows\system32\Gekfnoog.exe74⤵PID:276
-
C:\Windows\SysWOW64\Gglbfg32.exeC:\Windows\system32\Gglbfg32.exe75⤵PID:2588
-
C:\Windows\SysWOW64\Gockgdeh.exeC:\Windows\system32\Gockgdeh.exe76⤵PID:804
-
C:\Windows\SysWOW64\Gqdgom32.exeC:\Windows\system32\Gqdgom32.exe77⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Hhkopj32.exeC:\Windows\system32\Hhkopj32.exe78⤵PID:2848
-
C:\Windows\SysWOW64\Hjmlhbbg.exeC:\Windows\system32\Hjmlhbbg.exe79⤵PID:1768
-
C:\Windows\SysWOW64\Hadcipbi.exeC:\Windows\system32\Hadcipbi.exe80⤵PID:2272
-
C:\Windows\SysWOW64\Hdbpekam.exeC:\Windows\system32\Hdbpekam.exe81⤵PID:2100
-
C:\Windows\SysWOW64\Hnkdnqhm.exeC:\Windows\system32\Hnkdnqhm.exe82⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Hmmdin32.exeC:\Windows\system32\Hmmdin32.exe83⤵PID:908
-
C:\Windows\SysWOW64\Hcgmfgfd.exeC:\Windows\system32\Hcgmfgfd.exe84⤵
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Windows\SysWOW64\Hffibceh.exeC:\Windows\system32\Hffibceh.exe85⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Hgeelf32.exeC:\Windows\system32\Hgeelf32.exe86⤵
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Hjcaha32.exeC:\Windows\system32\Hjcaha32.exe87⤵PID:688
-
C:\Windows\SysWOW64\Hclfag32.exeC:\Windows\system32\Hclfag32.exe88⤵PID:1592
-
C:\Windows\SysWOW64\Hfjbmb32.exeC:\Windows\system32\Hfjbmb32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Hiioin32.exeC:\Windows\system32\Hiioin32.exe90⤵PID:2568
-
C:\Windows\SysWOW64\Ifmocb32.exeC:\Windows\system32\Ifmocb32.exe91⤵PID:2124
-
C:\Windows\SysWOW64\Ikjhki32.exeC:\Windows\system32\Ikjhki32.exe92⤵PID:2712
-
C:\Windows\SysWOW64\Ibcphc32.exeC:\Windows\system32\Ibcphc32.exe93⤵PID:2880
-
C:\Windows\SysWOW64\Igqhpj32.exeC:\Windows\system32\Igqhpj32.exe94⤵PID:1820
-
C:\Windows\SysWOW64\Iogpag32.exeC:\Windows\system32\Iogpag32.exe95⤵PID:3060
-
C:\Windows\SysWOW64\Iediin32.exeC:\Windows\system32\Iediin32.exe96⤵PID:1600
-
C:\Windows\SysWOW64\Ibhicbao.exeC:\Windows\system32\Ibhicbao.exe97⤵PID:1712
-
C:\Windows\SysWOW64\Icifjk32.exeC:\Windows\system32\Icifjk32.exe98⤵PID:2536
-
C:\Windows\SysWOW64\Ijcngenj.exeC:\Windows\system32\Ijcngenj.exe99⤵PID:1528
-
C:\Windows\SysWOW64\Iamfdo32.exeC:\Windows\system32\Iamfdo32.exe100⤵PID:1644
-
C:\Windows\SysWOW64\Jfjolf32.exeC:\Windows\system32\Jfjolf32.exe101⤵PID:2984
-
C:\Windows\SysWOW64\Jnagmc32.exeC:\Windows\system32\Jnagmc32.exe102⤵PID:272
-
C:\Windows\SysWOW64\Jgjkfi32.exeC:\Windows\system32\Jgjkfi32.exe103⤵PID:2464
-
C:\Windows\SysWOW64\Jmfcop32.exeC:\Windows\system32\Jmfcop32.exe104⤵PID:2928
-
C:\Windows\SysWOW64\Jcqlkjae.exeC:\Windows\system32\Jcqlkjae.exe105⤵PID:2564
-
C:\Windows\SysWOW64\Jjjdhc32.exeC:\Windows\system32\Jjjdhc32.exe106⤵PID:2548
-
C:\Windows\SysWOW64\Jcciqi32.exeC:\Windows\system32\Jcciqi32.exe107⤵PID:1660
-
C:\Windows\SysWOW64\Jfaeme32.exeC:\Windows\system32\Jfaeme32.exe108⤵PID:1152
-
C:\Windows\SysWOW64\Jpjifjdg.exeC:\Windows\system32\Jpjifjdg.exe109⤵PID:2044
-
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe110⤵
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Jplfkjbd.exeC:\Windows\system32\Jplfkjbd.exe111⤵PID:2460
-
C:\Windows\SysWOW64\Kbjbge32.exeC:\Windows\system32\Kbjbge32.exe112⤵PID:2352
-
C:\Windows\SysWOW64\Khgkpl32.exeC:\Windows\system32\Khgkpl32.exe113⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Kbmome32.exeC:\Windows\system32\Kbmome32.exe114⤵
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Kekkiq32.exeC:\Windows\system32\Kekkiq32.exe115⤵PID:1324
-
C:\Windows\SysWOW64\Klecfkff.exeC:\Windows\system32\Klecfkff.exe116⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Kablnadm.exeC:\Windows\system32\Kablnadm.exe117⤵
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Kdphjm32.exeC:\Windows\system32\Kdphjm32.exe118⤵PID:1596
-
C:\Windows\SysWOW64\Kmimcbja.exeC:\Windows\system32\Kmimcbja.exe119⤵PID:3048
-
C:\Windows\SysWOW64\Kkmmlgik.exeC:\Windows\system32\Kkmmlgik.exe120⤵PID:2804
-
C:\Windows\SysWOW64\Kkojbf32.exeC:\Windows\system32\Kkojbf32.exe121⤵PID:2812
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-