Analysis
-
max time kernel
118s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
26-07-2024 08:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a805e7315d7e616e02bafef0e85fa030N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
a805e7315d7e616e02bafef0e85fa030N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
a805e7315d7e616e02bafef0e85fa030N.exe
-
Size
72KB
-
MD5
a805e7315d7e616e02bafef0e85fa030
-
SHA1
6233a657eea939025c7b822c6921586b4aae0c3e
-
SHA256
e2e7f8cf1cf8c6a84a1f5fc06384729beb0e31dc75d958230c86212c48895659
-
SHA512
268d944ef6fa59aeaf9bd7e86ce2befc78e0cf9b56f0fcae308cbe0ffe990bcf0bd8dacf7283c1d81cbbaa9d745f13555bbbadcd4eed73a9ecfc6bf20f6bd95c
-
SSDEEP
1536:8SDimRnn3knEvJF866XcTzm8XqO3OCAwQiYg45r9adW9cAI:8CF3nJSVgl6OeCqg4FEBx
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfcajekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eomoohoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jodfilko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anbcio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcdkmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfmclold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmfjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmdgqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnaadb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfjicd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdhakpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhikcpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elolfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekgineko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Immqeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbhikcpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njklioqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daoeeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eohedi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bimnqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cablfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlblq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjpbeecn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poldnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafeaapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pecikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anbcio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adaeai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgmagh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iehejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhedachg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obkjhpjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnfajgbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkmpcpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnedpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjqlid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okjoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehbgbngm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fccncknc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nieffgok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opmnle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diljpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejmda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppkahi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paagkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiioanpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjlldmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hehikpol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqkmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiocdand.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihhehoci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcmkciap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpejcnlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehikpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lblhep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooabjbdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janijh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipebm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Diljpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhiqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmmpfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phkohkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcbchhmc.exe -
Executes dropped EXE 64 IoCs
pid Process 2032 Lmmcgilj.exe 2508 Lqiohh32.exe 2704 Liddljan.exe 2716 Lblhep32.exe 2748 Mppiod32.exe 2892 Mihngj32.exe 2696 Mpbfddef.exe 1280 Mbabpodi.exe 2364 Mgnjhfbq.exe 2100 Mbcofobg.exe 2632 Mcdkmg32.exe 2896 Mmmpfm32.exe 2212 Medggj32.exe 1748 Mfedobef.exe 3028 Mmolll32.exe 864 Mpnhhh32.exe 3032 Mheqie32.exe 2176 Nifmqm32.exe 460 Nppemgjd.exe 264 Nbnajcig.exe 1936 Njeikpij.exe 1908 Npbbcgga.exe 2524 Nfljpa32.exe 1572 Npdohg32.exe 1996 Nbckeb32.exe 1224 Nojljcjf.exe 2016 Nahhfoij.exe 2788 Nhbpbi32.exe 2728 Nolhoc32.exe 2692 Oooeeb32.exe 2712 Oamaan32.exe 2636 Ooabjbdn.exe 564 Oaonfncb.exe 2516 Odnjbibf.exe 2088 Okhboc32.exe 2844 Opdkgj32.exe 1228 Occgce32.exe 2936 Okjoec32.exe 1724 Opghmjfg.exe 748 Ocedieek.exe 1016 Oiolfo32.exe 2528 Poldnf32.exe 1456 Pefmkpbl.exe 2456 Ppkahi32.exe 1684 Pamnpahp.exe 2184 Pjdeaohb.exe 1736 Pkebig32.exe 744 Pcljjd32.exe 1604 Paojeafn.exe 2252 Phibbk32.exe 2784 Pkgonf32.exe 2856 Paagkq32.exe 2880 Pfmclold.exe 2688 Phkohkkh.exe 2648 Pnhhpaio.exe 1788 Qhnlmjie.exe 816 Qklhifhi.exe 2640 Qbfqfppe.exe 2660 Qddmbkoi.exe 3068 Qgcingnm.exe 1872 Qnmaka32.exe 2308 Aqkmgl32.exe 2376 Ageedflj.exe 2380 Ambnlmja.exe -
Loads dropped DLL 64 IoCs
pid Process 1596 a805e7315d7e616e02bafef0e85fa030N.exe 1596 a805e7315d7e616e02bafef0e85fa030N.exe 2032 Lmmcgilj.exe 2032 Lmmcgilj.exe 2508 Lqiohh32.exe 2508 Lqiohh32.exe 2704 Liddljan.exe 2704 Liddljan.exe 2716 Lblhep32.exe 2716 Lblhep32.exe 2748 Mppiod32.exe 2748 Mppiod32.exe 2892 Mihngj32.exe 2892 Mihngj32.exe 2696 Mpbfddef.exe 2696 Mpbfddef.exe 1280 Mbabpodi.exe 1280 Mbabpodi.exe 2364 Mgnjhfbq.exe 2364 Mgnjhfbq.exe 2100 Mbcofobg.exe 2100 Mbcofobg.exe 2632 Mcdkmg32.exe 2632 Mcdkmg32.exe 2896 Mmmpfm32.exe 2896 Mmmpfm32.exe 2212 Medggj32.exe 2212 Medggj32.exe 1748 Mfedobef.exe 1748 Mfedobef.exe 3028 Mmolll32.exe 3028 Mmolll32.exe 864 Mpnhhh32.exe 864 Mpnhhh32.exe 3032 Mheqie32.exe 3032 Mheqie32.exe 2176 Nifmqm32.exe 2176 Nifmqm32.exe 460 Nppemgjd.exe 460 Nppemgjd.exe 264 Nbnajcig.exe 264 Nbnajcig.exe 1936 Njeikpij.exe 1936 Njeikpij.exe 1908 Npbbcgga.exe 1908 Npbbcgga.exe 2524 Nfljpa32.exe 2524 Nfljpa32.exe 1572 Npdohg32.exe 1572 Npdohg32.exe 1996 Nbckeb32.exe 1996 Nbckeb32.exe 1224 Nojljcjf.exe 1224 Nojljcjf.exe 2016 Nahhfoij.exe 2016 Nahhfoij.exe 2788 Nhbpbi32.exe 2788 Nhbpbi32.exe 2728 Nolhoc32.exe 2728 Nolhoc32.exe 2692 Oooeeb32.exe 2692 Oooeeb32.exe 2712 Oamaan32.exe 2712 Oamaan32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Opghmjfg.exe Okjoec32.exe File created C:\Windows\SysWOW64\Obonid32.dll Phkohkkh.exe File created C:\Windows\SysWOW64\Mbpekm32.dll Ffomjgoj.exe File opened for modification C:\Windows\SysWOW64\Fccncknc.exe Fqeagpop.exe File opened for modification C:\Windows\SysWOW64\Hbmpoj32.exe Haldgbkc.exe File opened for modification C:\Windows\SysWOW64\Daoeeo32.exe Dlblmh32.exe File created C:\Windows\SysWOW64\Gjponegj.dll Giolpo32.exe File created C:\Windows\SysWOW64\Necjkb32.dll Hjgnhf32.exe File created C:\Windows\SysWOW64\Diljpn32.exe Dbbacdfo.exe File opened for modification C:\Windows\SysWOW64\Hjgnhf32.exe Hgiblk32.exe File created C:\Windows\SysWOW64\Lkpoqm32.dll Mcdkmg32.exe File created C:\Windows\SysWOW64\Qmabcmed.dll Ekofijic.exe File created C:\Windows\SysWOW64\Henipenb.exe Hbomdjoo.exe File created C:\Windows\SysWOW64\Kgjpfago.dll Oogdiqki.exe File created C:\Windows\SysWOW64\Qagfmnle.dll Pofqhdnd.exe File opened for modification C:\Windows\SysWOW64\Lqiohh32.exe Lmmcgilj.exe File created C:\Windows\SysWOW64\Goadik32.exe Ggjmhn32.exe File opened for modification C:\Windows\SysWOW64\Mjicdl32.exe Mcokhaho.exe File opened for modification C:\Windows\SysWOW64\Oiebej32.exe Obkjhpjj.exe File created C:\Windows\SysWOW64\Ibdcnm32.exe Iikneggd.exe File created C:\Windows\SysWOW64\Nklpqgcc.dll Qpfmageg.exe File created C:\Windows\SysWOW64\Ekifcd32.exe Ehkjgi32.exe File created C:\Windows\SysWOW64\Fdojendk.exe Faanibeh.exe File created C:\Windows\SysWOW64\Fejmda32.exe Eopehg32.exe File opened for modification C:\Windows\SysWOW64\Cbmoeeod.exe Cpnchjpa.exe File created C:\Windows\SysWOW64\Nijohc32.dll Fojnhlch.exe File created C:\Windows\SysWOW64\Gnkkeg32.exe Gceghn32.exe File opened for modification C:\Windows\SysWOW64\Okmena32.exe Odcmagip.exe File created C:\Windows\SysWOW64\Lbhgnh32.dll Dpfblh32.exe File created C:\Windows\SysWOW64\Gfjicd32.exe Gggihhkd.exe File created C:\Windows\SysWOW64\Mpmqkp32.dll Qddmbkoi.exe File opened for modification C:\Windows\SysWOW64\Ajhkka32.exe Acncngpl.exe File created C:\Windows\SysWOW64\Mbbaejnm.dll Ehnmgo32.exe File created C:\Windows\SysWOW64\Gninpg32.exe Ggofcmih.exe File created C:\Windows\SysWOW64\Ihhehoci.exe Idligq32.exe File created C:\Windows\SysWOW64\Mqqolfik.exe Mjgfol32.exe File created C:\Windows\SysWOW64\Pfgkdg32.dll Oiebej32.exe File created C:\Windows\SysWOW64\Hgejjgag.dll Deckeo32.exe File created C:\Windows\SysWOW64\Immqeq32.exe Ifchhf32.exe File opened for modification C:\Windows\SysWOW64\Dfaachpa.exe Ckjqog32.exe File created C:\Windows\SysWOW64\Nmlekj32.exe Niqijkel.exe File created C:\Windows\SysWOW64\Kodqcnja.dll Qagiio32.exe File opened for modification C:\Windows\SysWOW64\Fnhnnc32.exe Flfbfken.exe File created C:\Windows\SysWOW64\Fhmblljb.exe Facjobce.exe File created C:\Windows\SysWOW64\Gfnooj32.dll Chgkgmoo.exe File opened for modification C:\Windows\SysWOW64\Eohedi32.exe Eklicjkf.exe File created C:\Windows\SysWOW64\Hbmpoj32.exe Haldgbkc.exe File opened for modification C:\Windows\SysWOW64\Nolhoc32.exe Nhbpbi32.exe File created C:\Windows\SysWOW64\Pfmclold.exe Paagkq32.exe File created C:\Windows\SysWOW64\Ckhdihlp.exe Ciggap32.exe File created C:\Windows\SysWOW64\Copfpk32.dll Nhjcgccc.exe File created C:\Windows\SysWOW64\Eaaajo32.exe Emeejpjc.exe File created C:\Windows\SysWOW64\Fmlblq32.exe Fjmfpe32.exe File created C:\Windows\SysWOW64\Jgbkdkdk.exe Jokccnci.exe File opened for modification C:\Windows\SysWOW64\Lodbhp32.exe Lhjjle32.exe File created C:\Windows\SysWOW64\Pdmpgfae.exe Plfhfiqc.exe File opened for modification C:\Windows\SysWOW64\Ifeenfjm.exe Icgibkki.exe File created C:\Windows\SysWOW64\Pcljjd32.exe Pkebig32.exe File created C:\Windows\SysWOW64\Phillkdf.dll Imomkp32.exe File opened for modification C:\Windows\SysWOW64\Bfmlif32.exe Bmdgqp32.exe File opened for modification C:\Windows\SysWOW64\Jkfncn32.exe Jhhagb32.exe File created C:\Windows\SysWOW64\Mddilm32.dll Qgcingnm.exe File opened for modification C:\Windows\SysWOW64\Clqjblij.exe Cibnfpjg.exe File created C:\Windows\SysWOW64\Anbcio32.exe Akdgmd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5312 5288 WerFault.exe 461 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeikpij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpejcnlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajladp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aipebm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpepbkhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdphbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmacqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjqdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cablfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhjjle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obkjhpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbebjpaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqomqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opdkgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afaieb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhimaill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddgaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafeaapg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqqolfik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkojjgfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnahoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgfmmaem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpfmageg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbbiafj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmiqlpge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jodfilko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjage32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobkna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfbfken.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiblk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbabpodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefmkpbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnidk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bokfaflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgbjbgph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cijmjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifeenfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihngj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nolhoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phkohkkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbakfcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olhhmele.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogkhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nifmqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clqjblij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooianpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjmodph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqiohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chgkgmoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaigab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnemnbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqkdenfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdllk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcpdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcokhaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndcqbdge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgcingnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjeacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokccnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqajfmpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nahhfoij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Megmpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfkge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfannba.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmneadka.dll" Faanibeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gceghn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gaigab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloffcdo.dll" Jegheghc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obkjhpjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpjimk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibfkoi32.dll" Fjimefie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqeagpop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffppjh32.dll" Ifeenfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcmkciap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbiangbo.dll" Eiipfbgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehnmgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjpgnbol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehdmn32.dll" Npmana32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcdekagh.dll" Niqijkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oficoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpfblh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaonfncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdfmhfo.dll" Pefmkpbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ambnlmja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijpll32.dll" Gbbnkfjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlnmgmec.dll" Bmdgqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjnk32.dll" Cbjbof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffoehg32.dll" Idligq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcagma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Palgek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abqlpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bibagmhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nimflk32.dll" Fqeagpop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehkjgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjqlid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmbpdjj.dll" Mjicdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdjcaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccolcf32.dll" Ahcoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnelkg32.dll" Bbnlia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opdkgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjaioj32.dll" Aiioanpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cibnfpjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkmfp32.dll" Lnklol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlikd32.dll" Opdkgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjicdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gqmqkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hljnbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfgedkko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbpbokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggnjkbl.dll" Ccikghel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phegmipo.dll" Paojeafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmiqlpge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnooj32.dll" Chgkgmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnfajgbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eddgaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clgpckcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oejbgc32.dll" Bkfqbgni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhagaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklfokoe.dll" Nbckeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opghmjfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjcnoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afolpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjdhpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Palgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pijhompm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klcofleb.dll" Gcbchhmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfclic32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1596 wrote to memory of 2032 1596 a805e7315d7e616e02bafef0e85fa030N.exe 29 PID 1596 wrote to memory of 2032 1596 a805e7315d7e616e02bafef0e85fa030N.exe 29 PID 1596 wrote to memory of 2032 1596 a805e7315d7e616e02bafef0e85fa030N.exe 29 PID 1596 wrote to memory of 2032 1596 a805e7315d7e616e02bafef0e85fa030N.exe 29 PID 2032 wrote to memory of 2508 2032 Lmmcgilj.exe 30 PID 2032 wrote to memory of 2508 2032 Lmmcgilj.exe 30 PID 2032 wrote to memory of 2508 2032 Lmmcgilj.exe 30 PID 2032 wrote to memory of 2508 2032 Lmmcgilj.exe 30 PID 2508 wrote to memory of 2704 2508 Lqiohh32.exe 31 PID 2508 wrote to memory of 2704 2508 Lqiohh32.exe 31 PID 2508 wrote to memory of 2704 2508 Lqiohh32.exe 31 PID 2508 wrote to memory of 2704 2508 Lqiohh32.exe 31 PID 2704 wrote to memory of 2716 2704 Liddljan.exe 32 PID 2704 wrote to memory of 2716 2704 Liddljan.exe 32 PID 2704 wrote to memory of 2716 2704 Liddljan.exe 32 PID 2704 wrote to memory of 2716 2704 Liddljan.exe 32 PID 2716 wrote to memory of 2748 2716 Lblhep32.exe 33 PID 2716 wrote to memory of 2748 2716 Lblhep32.exe 33 PID 2716 wrote to memory of 2748 2716 Lblhep32.exe 33 PID 2716 wrote to memory of 2748 2716 Lblhep32.exe 33 PID 2748 wrote to memory of 2892 2748 Mppiod32.exe 34 PID 2748 wrote to memory of 2892 2748 Mppiod32.exe 34 PID 2748 wrote to memory of 2892 2748 Mppiod32.exe 34 PID 2748 wrote to memory of 2892 2748 Mppiod32.exe 34 PID 2892 wrote to memory of 2696 2892 Mihngj32.exe 35 PID 2892 wrote to memory of 2696 2892 Mihngj32.exe 35 PID 2892 wrote to memory of 2696 2892 Mihngj32.exe 35 PID 2892 wrote to memory of 2696 2892 Mihngj32.exe 35 PID 2696 wrote to memory of 1280 2696 Mpbfddef.exe 36 PID 2696 wrote to memory of 1280 2696 Mpbfddef.exe 36 PID 2696 wrote to memory of 1280 2696 Mpbfddef.exe 36 PID 2696 wrote to memory of 1280 2696 Mpbfddef.exe 36 PID 1280 wrote to memory of 2364 1280 Mbabpodi.exe 37 PID 1280 wrote to memory of 2364 1280 Mbabpodi.exe 37 PID 1280 wrote to memory of 2364 1280 Mbabpodi.exe 37 PID 1280 wrote to memory of 2364 1280 Mbabpodi.exe 37 PID 2364 wrote to memory of 2100 2364 Mgnjhfbq.exe 38 PID 2364 wrote to memory of 2100 2364 Mgnjhfbq.exe 38 PID 2364 wrote to memory of 2100 2364 Mgnjhfbq.exe 38 PID 2364 wrote to memory of 2100 2364 Mgnjhfbq.exe 38 PID 2100 wrote to memory of 2632 2100 Mbcofobg.exe 39 PID 2100 wrote to memory of 2632 2100 Mbcofobg.exe 39 PID 2100 wrote to memory of 2632 2100 Mbcofobg.exe 39 PID 2100 wrote to memory of 2632 2100 Mbcofobg.exe 39 PID 2632 wrote to memory of 2896 2632 Mcdkmg32.exe 40 PID 2632 wrote to memory of 2896 2632 Mcdkmg32.exe 40 PID 2632 wrote to memory of 2896 2632 Mcdkmg32.exe 40 PID 2632 wrote to memory of 2896 2632 Mcdkmg32.exe 40 PID 2896 wrote to memory of 2212 2896 Mmmpfm32.exe 41 PID 2896 wrote to memory of 2212 2896 Mmmpfm32.exe 41 PID 2896 wrote to memory of 2212 2896 Mmmpfm32.exe 41 PID 2896 wrote to memory of 2212 2896 Mmmpfm32.exe 41 PID 2212 wrote to memory of 1748 2212 Medggj32.exe 42 PID 2212 wrote to memory of 1748 2212 Medggj32.exe 42 PID 2212 wrote to memory of 1748 2212 Medggj32.exe 42 PID 2212 wrote to memory of 1748 2212 Medggj32.exe 42 PID 1748 wrote to memory of 3028 1748 Mfedobef.exe 43 PID 1748 wrote to memory of 3028 1748 Mfedobef.exe 43 PID 1748 wrote to memory of 3028 1748 Mfedobef.exe 43 PID 1748 wrote to memory of 3028 1748 Mfedobef.exe 43 PID 3028 wrote to memory of 864 3028 Mmolll32.exe 44 PID 3028 wrote to memory of 864 3028 Mmolll32.exe 44 PID 3028 wrote to memory of 864 3028 Mmolll32.exe 44 PID 3028 wrote to memory of 864 3028 Mmolll32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a805e7315d7e616e02bafef0e85fa030N.exe"C:\Users\Admin\AppData\Local\Temp\a805e7315d7e616e02bafef0e85fa030N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Lmmcgilj.exeC:\Windows\system32\Lmmcgilj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Lqiohh32.exeC:\Windows\system32\Lqiohh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Liddljan.exeC:\Windows\system32\Liddljan.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Lblhep32.exeC:\Windows\system32\Lblhep32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Mppiod32.exeC:\Windows\system32\Mppiod32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Mihngj32.exeC:\Windows\system32\Mihngj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Mpbfddef.exeC:\Windows\system32\Mpbfddef.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Mbabpodi.exeC:\Windows\system32\Mbabpodi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Mgnjhfbq.exeC:\Windows\system32\Mgnjhfbq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Mbcofobg.exeC:\Windows\system32\Mbcofobg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Mcdkmg32.exeC:\Windows\system32\Mcdkmg32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Mmmpfm32.exeC:\Windows\system32\Mmmpfm32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Medggj32.exeC:\Windows\system32\Medggj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Mfedobef.exeC:\Windows\system32\Mfedobef.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Mmolll32.exeC:\Windows\system32\Mmolll32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Mpnhhh32.exeC:\Windows\system32\Mpnhhh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Mheqie32.exeC:\Windows\system32\Mheqie32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Nifmqm32.exeC:\Windows\system32\Nifmqm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Nppemgjd.exeC:\Windows\system32\Nppemgjd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:460 -
C:\Windows\SysWOW64\Nbnajcig.exeC:\Windows\system32\Nbnajcig.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:264 -
C:\Windows\SysWOW64\Njeikpij.exeC:\Windows\system32\Njeikpij.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Npbbcgga.exeC:\Windows\system32\Npbbcgga.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1908 -
C:\Windows\SysWOW64\Nfljpa32.exeC:\Windows\system32\Nfljpa32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Npdohg32.exeC:\Windows\system32\Npdohg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Nbckeb32.exeC:\Windows\system32\Nbckeb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Nojljcjf.exeC:\Windows\system32\Nojljcjf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224 -
C:\Windows\SysWOW64\Nahhfoij.exeC:\Windows\system32\Nahhfoij.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Nhbpbi32.exeC:\Windows\system32\Nhbpbi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Nolhoc32.exeC:\Windows\system32\Nolhoc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Oooeeb32.exeC:\Windows\system32\Oooeeb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Oamaan32.exeC:\Windows\system32\Oamaan32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Ooabjbdn.exeC:\Windows\system32\Ooabjbdn.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Oaonfncb.exeC:\Windows\system32\Oaonfncb.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Odnjbibf.exeC:\Windows\system32\Odnjbibf.exe35⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Okhboc32.exeC:\Windows\system32\Okhboc32.exe36⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Opdkgj32.exeC:\Windows\system32\Opdkgj32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Occgce32.exeC:\Windows\system32\Occgce32.exe38⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Okjoec32.exeC:\Windows\system32\Okjoec32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Opghmjfg.exeC:\Windows\system32\Opghmjfg.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Ocedieek.exeC:\Windows\system32\Ocedieek.exe41⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Oiolfo32.exeC:\Windows\system32\Oiolfo32.exe42⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Poldnf32.exeC:\Windows\system32\Poldnf32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Pefmkpbl.exeC:\Windows\system32\Pefmkpbl.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Ppkahi32.exeC:\Windows\system32\Ppkahi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Pamnpahp.exeC:\Windows\system32\Pamnpahp.exe46⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Pjdeaohb.exeC:\Windows\system32\Pjdeaohb.exe47⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Pkebig32.exeC:\Windows\system32\Pkebig32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Pcljjd32.exeC:\Windows\system32\Pcljjd32.exe49⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Paojeafn.exeC:\Windows\system32\Paojeafn.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Phibbk32.exeC:\Windows\system32\Phibbk32.exe51⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Pkgonf32.exeC:\Windows\system32\Pkgonf32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Paagkq32.exeC:\Windows\system32\Paagkq32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Pfmclold.exeC:\Windows\system32\Pfmclold.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Phkohkkh.exeC:\Windows\system32\Phkohkkh.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Pnhhpaio.exeC:\Windows\system32\Pnhhpaio.exe56⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Qhnlmjie.exeC:\Windows\system32\Qhnlmjie.exe57⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Qklhifhi.exeC:\Windows\system32\Qklhifhi.exe58⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Qbfqfppe.exeC:\Windows\system32\Qbfqfppe.exe59⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Qddmbkoi.exeC:\Windows\system32\Qddmbkoi.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Qgcingnm.exeC:\Windows\system32\Qgcingnm.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Qnmaka32.exeC:\Windows\system32\Qnmaka32.exe62⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Aqkmgl32.exeC:\Windows\system32\Aqkmgl32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Ageedflj.exeC:\Windows\system32\Ageedflj.exe64⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Ambnlmja.exeC:\Windows\system32\Ambnlmja.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Aclfigao.exeC:\Windows\system32\Aclfigao.exe66⤵PID:1068
-
C:\Windows\SysWOW64\Afjbecqb.exeC:\Windows\system32\Afjbecqb.exe67⤵PID:1964
-
C:\Windows\SysWOW64\Aiioanpf.exeC:\Windows\system32\Aiioanpf.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Acncngpl.exeC:\Windows\system32\Acncngpl.exe69⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Ajhkka32.exeC:\Windows\system32\Ajhkka32.exe70⤵PID:2924
-
C:\Windows\SysWOW64\Akjhcimg.exeC:\Windows\system32\Akjhcimg.exe71⤵PID:2444
-
C:\Windows\SysWOW64\Afolpb32.exeC:\Windows\system32\Afolpb32.exe72⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Amidmldj.exeC:\Windows\system32\Amidmldj.exe73⤵PID:2740
-
C:\Windows\SysWOW64\Anjqdd32.exeC:\Windows\system32\Anjqdd32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Afaieb32.exeC:\Windows\system32\Afaieb32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Aipebm32.exeC:\Windows\system32\Aipebm32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Bojmogak.exeC:\Windows\system32\Bojmogak.exe77⤵PID:2960
-
C:\Windows\SysWOW64\Bbhikcpn.exeC:\Windows\system32\Bbhikcpn.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1332 -
C:\Windows\SysWOW64\Bibagmhk.exeC:\Windows\system32\Bibagmhk.exe79⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Bjcnoe32.exeC:\Windows\system32\Bjcnoe32.exe80⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Bclbhkdj.exeC:\Windows\system32\Bclbhkdj.exe81⤵PID:2060
-
C:\Windows\SysWOW64\Bnagecdp.exeC:\Windows\system32\Bnagecdp.exe82⤵PID:1440
-
C:\Windows\SysWOW64\Bmdgqp32.exeC:\Windows\system32\Bmdgqp32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Bfmlif32.exeC:\Windows\system32\Bfmlif32.exe84⤵PID:1728
-
C:\Windows\SysWOW64\Bpepbkhk.exeC:\Windows\system32\Bpepbkhk.exe85⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Bglhcihn.exeC:\Windows\system32\Bglhcihn.exe86⤵PID:1156
-
C:\Windows\SysWOW64\Bjjdpdga.exeC:\Windows\system32\Bjjdpdga.exe87⤵PID:2588
-
C:\Windows\SysWOW64\Bmiqlpge.exeC:\Windows\system32\Bmiqlpge.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Bpgmhkfi.exeC:\Windows\system32\Bpgmhkfi.exe89⤵PID:600
-
C:\Windows\SysWOW64\Cjmaed32.exeC:\Windows\system32\Cjmaed32.exe90⤵PID:2836
-
C:\Windows\SysWOW64\Cipaqqli.exeC:\Windows\system32\Cipaqqli.exe91⤵PID:2944
-
C:\Windows\SysWOW64\Clnmmlkm.exeC:\Windows\system32\Clnmmlkm.exe92⤵PID:548
-
C:\Windows\SysWOW64\Cpjimk32.exeC:\Windows\system32\Cpjimk32.exe93⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Cfcajekc.exeC:\Windows\system32\Cfcajekc.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1020 -
C:\Windows\SysWOW64\Cibnfpjg.exeC:\Windows\system32\Cibnfpjg.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Clqjblij.exeC:\Windows\system32\Clqjblij.exe96⤵
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Cbjbof32.exeC:\Windows\system32\Cbjbof32.exe97⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Ceioka32.exeC:\Windows\system32\Ceioka32.exe98⤵PID:2684
-
C:\Windows\SysWOW64\Chgkgmoo.exeC:\Windows\system32\Chgkgmoo.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Cpnchjpa.exeC:\Windows\system32\Cpnchjpa.exe100⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Cbmoeeod.exeC:\Windows\system32\Cbmoeeod.exe101⤵PID:2604
-
C:\Windows\SysWOW64\Ciggap32.exeC:\Windows\system32\Ciggap32.exe102⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Ckhdihlp.exeC:\Windows\system32\Ckhdihlp.exe103⤵PID:2992
-
C:\Windows\SysWOW64\Cablfb32.exeC:\Windows\system32\Cablfb32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Cdphbm32.exeC:\Windows\system32\Cdphbm32.exe105⤵
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Clgpckcb.exeC:\Windows\system32\Clgpckcb.exe106⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Ckjqog32.exeC:\Windows\system32\Ckjqog32.exe107⤵
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Dfaachpa.exeC:\Windows\system32\Dfaachpa.exe108⤵PID:1896
-
C:\Windows\SysWOW64\Dafeaapg.exeC:\Windows\system32\Dafeaapg.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Dhqnnk32.exeC:\Windows\system32\Dhqnnk32.exe110⤵PID:1044
-
C:\Windows\SysWOW64\Dkojjgfg.exeC:\Windows\system32\Dkojjgfg.exe111⤵
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\Ddgnbl32.exeC:\Windows\system32\Ddgnbl32.exe112⤵PID:2600
-
C:\Windows\SysWOW64\Dgfkoh32.exeC:\Windows\system32\Dgfkoh32.exe113⤵PID:272
-
C:\Windows\SysWOW64\Dcmkciap.exeC:\Windows\system32\Dcmkciap.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Dekgpdqc.exeC:\Windows\system32\Dekgpdqc.exe115⤵PID:2816
-
C:\Windows\SysWOW64\Dmbpaa32.exeC:\Windows\system32\Dmbpaa32.exe116⤵PID:2104
-
C:\Windows\SysWOW64\Dpqlmm32.exeC:\Windows\system32\Dpqlmm32.exe117⤵PID:1980
-
C:\Windows\SysWOW64\Eiipfbgj.exeC:\Windows\system32\Eiipfbgj.exe118⤵
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Elgmbnfn.exeC:\Windows\system32\Elgmbnfn.exe119⤵PID:856
-
C:\Windows\SysWOW64\Eadejede.exeC:\Windows\system32\Eadejede.exe120⤵PID:1712
-
C:\Windows\SysWOW64\Ehnmgo32.exeC:\Windows\system32\Ehnmgo32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:2620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-