Analysis
max time kernel: 113s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 27/07/2024, 22:58
Static task: static1
Behavioral task: behavioral1
Sample: 122209b68eea2d3a7c5b43671ba317d0N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 122209b68eea2d3a7c5b43671ba317d0N.exe
Resource: win10v2004-20240709-en
General
Target: 122209b68eea2d3a7c5b43671ba317d0N.exe
Size: 459KB
MD5: 122209b68eea2d3a7c5b43671ba317d0
SHA1: f791fc791a4fd46501e95a8a8f15fd6d0b44224c
SHA256: 7167ccf68cdb70f0252aab3f258ff1f26f4be8bc7c547d5e7b32d26392b96814
SHA512: 9e744a5adc5a388456e7935fa09b75b669e2ce276c6ad6520605f17d4cbbdc47492e2dd3a1bf467a25a1f2c1a5a981316117a529a16a6bff43ccdc01ddb19d66
SSDEEP: 6144:o9FBYtvIdf7HdQGUHlbvu/MwGsmLrZNs/V4Lr5+Nod/MwGsmLrZNs/VKi/MwGsmp:o9fYCMmmpNs/V4g8MmmpNs/VXMmm
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 3888
pid_target: 1832
Process: WerFault.exe
procid_target: 666
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\122209b68eea2d3a7c5b43671ba317d0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\122209b68eea2d3a7c5b43671ba317d0N.exe", PID 560)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SysWOW64\Ggeiooea.exe (command line: C:\Windows\system32\Ggeiooea.exe, PID 1972)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\Hmdnme32.exe (command line: C:\Windows\system32\Hmdnme32.exe, PID 2880)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\SysWOW64\Hjhofj32.exe (command line: C:\Windows\system32\Hjhofj32.exe, PID 2372)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\SysWOW64\Hqkmahpp.exe (command line: C:\Windows\system32\Hqkmahpp.exe, PID 2104)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\SysWOW64\Iamjghnm.exe (command line: C:\Windows\system32\Iamjghnm.exe, PID 2648)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\SysWOW64\Imkqmh32.exe (command line: C:\Windows\system32\Imkqmh32.exe, PID 1308)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\SysWOW64\Jehbfjia.exe (command line: C:\Windows\system32\Jehbfjia.exe, PID 2052)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\SysWOW64\Jemkai32.exe (command line: C:\Windows\system32\Jemkai32.exe, PID 1692)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\SysWOW64\Jmhpfl32.exe (command line: C:\Windows\system32\Jmhpfl32.exe, PID 2700)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 11] C:\Windows\SysWOW64\Kmpfgklo.exe (command line: C:\Windows\system32\Kmpfgklo.exe, PID 3008)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 12] C:\Windows\SysWOW64\Kekkkm32.exe (command line: C:\Windows\system32\Kekkkm32.exe, PID 956)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[depth 13] C:\Windows\SysWOW64\Leaallcb.exe (command line: C:\Windows\system32\Leaallcb.exe, PID 1820)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 14] C:\Windows\SysWOW64\Lkoidcaj.exe (command line: C:\Windows\system32\Lkoidcaj.exe, PID 1736)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 15] C:\Windows\SysWOW64\Lcnhcdkp.exe (command line: C:\Windows\system32\Lcnhcdkp.exe, PID 1652)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 16] C:\Windows\SysWOW64\Lcqdidim.exe (command line: C:\Windows\system32\Lcqdidim.exe, PID 2456)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[depth 17] C:\Windows\SysWOW64\Mkqbhf32.exe (command line: C:\Windows\system32\Mkqbhf32.exe, PID 1704)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
[depth 18] C:\Windows\SysWOW64\Mmpobi32.exe (command line: C:\Windows\system32\Mmpobi32.exe, PID 2288)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
[depth 19] C:\Windows\SysWOW64\Nqbdllld.exe (command line: C:\Windows\system32\Nqbdllld.exe, PID 1832)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
[depth 20] C:\Windows\SysWOW64\Nbaafocg.exe (command line: C:\Windows\system32\Nbaafocg.exe, PID 1792)
- Executes dropped EXE
- Loads dropped DLL
[depth 21] C:\Windows\SysWOW64\Nnknqpgi.exe (command line: C:\Windows\system32\Nnknqpgi.exe, PID 2532)
- Executes dropped EXE
- Loads dropped DLL
[depth 22] C:\Windows\SysWOW64\Ncjcnfcn.exe (command line: C:\Windows\system32\Ncjcnfcn.exe, PID 1936)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
[depth 23] C:\Windows\SysWOW64\Olgehh32.exe (command line: C:\Windows\system32\Olgehh32.exe, PID 2436)
- Executes dropped EXE
- Loads dropped DLL
[depth 24] C:\Windows\SysWOW64\Obamebfc.exe (command line: C:\Windows\system32\Obamebfc.exe, PID 2440)
- Executes dropped EXE
- Loads dropped DLL
[depth 25] C:\Windows\SysWOW64\Ohqbbi32.exe (command line: C:\Windows\system32\Ohqbbi32.exe, PID 2352)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
[depth 26] C:\Windows\SysWOW64\Obffpa32.exe (command line: C:\Windows\system32\Obffpa32.exe, PID 1716)
- Executes dropped EXE
- Loads dropped DLL
[depth 27] C:\Windows\SysWOW64\Phelnhnb.exe (command line: C:\Windows\system32\Phelnhnb.exe, PID 2716)
- Executes dropped EXE
- Loads dropped DLL
[depth 28] C:\Windows\SysWOW64\Panpgn32.exe (command line: C:\Windows\system32\Panpgn32.exe, PID 1588)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
[depth 29] C:\Windows\SysWOW64\Piiekp32.exe (command line: C:\Windows\system32\Piiekp32.exe, PID 2016)
- Executes dropped EXE
- Loads dropped DLL
[depth 30] C:\Windows\SysWOW64\Pfmeddag.exe (command line: C:\Windows\system32\Pfmeddag.exe, PID 2896)
- Executes dropped EXE
- Loads dropped DLL
[depth 31] C:\Windows\SysWOW64\Plljbkml.exe (command line: C:\Windows\system32\Plljbkml.exe, PID 2668)
- Executes dropped EXE
- Loads dropped DLL
[depth 32] C:\Windows\SysWOW64\Pfaopc32.exe (command line: C:\Windows\system32\Pfaopc32.exe, PID 2960)
- Executes dropped EXE
- Loads dropped DLL
[depth 33] C:\Windows\SysWOW64\Qbhpddbf.exe (command line: C:\Windows\system32\Qbhpddbf.exe, PID 2820)
- Executes dropped EXE
[depth 34] C:\Windows\SysWOW64\Qbkljd32.exe (command line: C:\Windows\system32\Qbkljd32.exe, PID 2616)
- Executes dropped EXE
[depth 35] C:\Windows\SysWOW64\Alcqcjgd.exe (command line: C:\Windows\system32\Alcqcjgd.exe, PID 2392)
- Executes dropped EXE
[depth 36] C:\Windows\SysWOW64\Aodjdede.exe (command line: C:\Windows\system32\Aodjdede.exe, PID 2620)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 37] C:\Windows\SysWOW64\Akjjifji.exe (command line: C:\Windows\system32\Akjjifji.exe, PID 2972)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 38] C:\Windows\SysWOW64\Agakog32.exe (command line: C:\Windows\system32\Agakog32.exe, PID 2912)
- Executes dropped EXE
[depth 39] C:\Windows\SysWOW64\Apllml32.exe (command line: C:\Windows\system32\Apllml32.exe, PID 1528)
- Executes dropped EXE
[depth 40] C:\Windows\SysWOW64\Bjdqfajl.exe (command line: C:\Windows\system32\Bjdqfajl.exe, PID 1576)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[depth 41] C:\Windows\SysWOW64\Bapejd32.exe (command line: C:\Windows\system32\Bapejd32.exe, PID 840)
- Executes dropped EXE
[depth 42] C:\Windows\SysWOW64\Bhljlnma.exe (command line: C:\Windows\system32\Bhljlnma.exe, PID 2444)
- Executes dropped EXE
[depth 43] C:\Windows\SysWOW64\Bfpkfb32.exe (command line: C:\Windows\system32\Bfpkfb32.exe, PID 2184)
- Executes dropped EXE
[depth 44] C:\Windows\SysWOW64\Bohoogbk.exe (command line: C:\Windows\system32\Bohoogbk.exe, PID 2424)
- Executes dropped EXE
[depth 45] C:\Windows\SysWOW64\Bgcdcjpf.exe (command line: C:\Windows\system32\Bgcdcjpf.exe, PID 3060)
- Executes dropped EXE
- Modifies registry class
[depth 46] C:\Windows\SysWOW64\Ccjehkek.exe (command line: C:\Windows\system32\Ccjehkek.exe, PID 1096)
- Executes dropped EXE
[depth 47] C:\Windows\SysWOW64\Cqneaodd.exe (command line: C:\Windows\system32\Cqneaodd.exe, PID 1520)
- Executes dropped EXE
[depth 48] C:\Windows\SysWOW64\Cjfjjd32.exe (command line: C:\Windows\system32\Cjfjjd32.exe, PID 2968)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[depth 49] C:\Windows\SysWOW64\Cconcjae.exe (command line: C:\Windows\system32\Cconcjae.exe, PID 3032)
- Executes dropped EXE
[depth 50] C:\Windows\SysWOW64\Cqcomn32.exe (command line: C:\Windows\system32\Cqcomn32.exe, PID 2564)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[depth 51] C:\Windows\SysWOW64\Cklpml32.exe (command line: C:\Windows\system32\Cklpml32.exe, PID 1636)
- Executes dropped EXE
[depth 52] C:\Windows\SysWOW64\Dkolblkk.exe (command line: C:\Windows\system32\Dkolblkk.exe, PID 2428)
- Executes dropped EXE
[depth 53] C:\Windows\SysWOW64\Dicmlpje.exe (command line: C:\Windows\system32\Dicmlpje.exe, PID 2860)
- Executes dropped EXE
- Drops file in System32 directory
[depth 54] C:\Windows\SysWOW64\Dieiap32.exe (command line: C:\Windows\system32\Dieiap32.exe, PID 2932)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
[depth 55] C:\Windows\SysWOW64\Dapnfb32.exe (command line: C:\Windows\system32\Dapnfb32.exe, PID 2748)
- Executes dropped EXE
[depth 56] C:\Windows\SysWOW64\Dabkla32.exe (command line: C:\Windows\system32\Dabkla32.exe, PID 2708)
- Executes dropped EXE
[depth 57] C:\Windows\SysWOW64\Dfpcdh32.exe (command line: C:\Windows\system32\Dfpcdh32.exe, PID 108)
- Executes dropped EXE
[depth 58] C:\Windows\SysWOW64\Ephhmn32.exe (command line: C:\Windows\system32\Ephhmn32.exe, PID 2404)
- Executes dropped EXE
[depth 59] C:\Windows\SysWOW64\Epjdbn32.exe (command line: C:\Windows\system32\Epjdbn32.exe, PID 3012)
- Executes dropped EXE
[depth 60] C:\Windows\SysWOW64\Ejpipf32.exe (command line: C:\Windows\system32\Ejpipf32.exe, PID 1084)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[depth 61] C:\Windows\SysWOW64\Edhmhl32.exe (command line: C:\Windows\system32\Edhmhl32.exe, PID 1604)
- Executes dropped EXE
[depth 62] C:\Windows\SysWOW64\Eoanij32.exe (command line: C:\Windows\system32\Eoanij32.exe, PID 1396)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[depth 63] C:\Windows\SysWOW64\Eelfedpa.exe (command line: C:\Windows\system32\Eelfedpa.exe, PID 2088)
- Executes dropped EXE
- Modifies registry class
[depth 64] C:\Windows\SysWOW64\Eenckc32.exe (command line: C:\Windows\system32\Eenckc32.exe, PID 2368)
- Executes dropped EXE
- Modifies registry class
[depth 65] C:\Windows\SysWOW64\Fbbcdh32.exe (command line: C:\Windows\system32\Fbbcdh32.exe, PID 2180)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[depth 66] C:\Windows\SysWOW64\Fillabde.exe (command line: C:\Windows\system32\Fillabde.exe, PID 2516)
[depth 67] C:\Windows\SysWOW64\Fbdpjgjf.exe (command line: C:\Windows\system32\Fbdpjgjf.exe, PID 2512)
[depth 68] C:\Windows\SysWOW64\Fokaoh32.exe (command line: C:\Windows\system32\Fokaoh32.exe, PID 948)
[depth 69] C:\Windows\SysWOW64\Fhcehngk.exe (command line: C:\Windows\system32\Fhcehngk.exe, PID 2128)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[depth 70] C:\Windows\SysWOW64\Fhfbmn32.exe (command line: C:\Windows\system32\Fhfbmn32.exe, PID 1592)
- Modifies registry class
[depth 71] C:\Windows\SysWOW64\Jbdadl32.exe (command line: C:\Windows\system32\Jbdadl32.exe, PID 2832)
[depth 72] C:\Windows\SysWOW64\Lelmei32.exe (command line: C:\Windows\system32\Lelmei32.exe, PID 2800)
[depth 73] C:\Windows\SysWOW64\Nflidmic.exe (command line: C:\Windows\system32\Nflidmic.exe, PID 2612)
[depth 74] C:\Windows\SysWOW64\Nqamaeii.exe (command line: C:\Windows\system32\Nqamaeii.exe, PID 2080)
[depth 75] C:\Windows\SysWOW64\Nlhnfg32.exe (command line: C:\Windows\system32\Nlhnfg32.exe, PID 1612)
[depth 76] C:\Windows\SysWOW64\Nfqbol32.exe (command line: C:\Windows\system32\Nfqbol32.exe, PID 360)
[depth 77] C:\Windows\SysWOW64\Noighakn.exe (command line: C:\Windows\system32\Noighakn.exe, PID 2464)
[depth 78] C:\Windows\SysWOW64\Nmmgafjh.exe (command line: C:\Windows\system32\Nmmgafjh.exe, PID 2040)
[depth 79] C:\Windows\SysWOW64\Nfeljlqh.exe (command line: C:\Windows\system32\Nfeljlqh.exe, PID 572)
[depth 80] C:\Windows\SysWOW64\Nkbdbbop.exe (command line: C:\Windows\system32\Nkbdbbop.exe, PID 1628)
[depth 81] C:\Windows\SysWOW64\Oqomkimg.exe (command line: C:\Windows\system32\Oqomkimg.exe, PID 2388)
- Adds autorun key to be loaded by Explorer.exe on startup
[depth 82] C:\Windows\SysWOW64\Oncndnlq.exe (command line: C:\Windows\system32\Oncndnlq.exe, PID 1928)
[depth 83] C:\Windows\SysWOW64\Ogkbmcba.exe (command line: C:\Windows\system32\Ogkbmcba.exe, PID 1664)
- Drops file in System32 directory
[depth 84] C:\Windows\SysWOW64\Ocbbbd32.exe (command line: C:\Windows\system32\Ocbbbd32.exe, PID 2340)
[depth 85] C:\Windows\SysWOW64\Oafclh32.exe (command line: C:\Windows\system32\Oafclh32.exe, PID 2084)
- Modifies registry class
[depth 86] C:\Windows\SysWOW64\Ojnhdn32.exe (command line: C:\Windows\system32\Ojnhdn32.exe, PID 960)
[depth 87] C:\Windows\SysWOW64\Ocglmcdp.exe (command line: C:\Windows\system32\Ocglmcdp.exe, PID 2824)
[depth 88] C:\Windows\SysWOW64\Pmoqfi32.exe (command line: C:\Windows\system32\Pmoqfi32.exe, PID 2680)
[depth 89] C:\Windows\SysWOW64\Pejejkhl.exe (command line: C:\Windows\system32\Pejejkhl.exe, PID 916)
[depth 90] C:\Windows\SysWOW64\Pbnfdpge.exe (command line: C:\Windows\system32\Pbnfdpge.exe, PID 3028)
- Drops file in System32 directory
[depth 91] C:\Windows\SysWOW64\Plfjme32.exe (command line: C:\Windows\system32\Plfjme32.exe, PID 2924)
- System Location Discovery: System Language Discovery
[depth 92] C:\Windows\SysWOW64\Pikkfilp.exe (command line: C:\Windows\system32\Pikkfilp.exe, PID 2980)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
[depth 93] C:\Windows\SysWOW64\Pngcnpkg.exe (command line: C:\Windows\system32\Pngcnpkg.exe, PID 2480)
- Modifies registry class
[depth 94] C:\Windows\SysWOW64\Pddlggin.exe (command line: C:\Windows\system32\Pddlggin.exe, PID 2292)
- System Location Discovery: System Language Discovery
[depth 95] C:\Windows\SysWOW64\Qahlpkhh.exe (command line: C:\Windows\system32\Qahlpkhh.exe, PID 2448)
[depth 96] C:\Windows\SysWOW64\Qolmip32.exe (command line: C:\Windows\system32\Qolmip32.exe, PID 1988)
[depth 97] C:\Windows\SysWOW64\Qdieaf32.exe (command line: C:\Windows\system32\Qdieaf32.exe, PID 1536)
[depth 98] C:\Windows\SysWOW64\Appfggjm.exe (command line: C:\Windows\system32\Appfggjm.exe, PID 1140)
[depth 99] C:\Windows\SysWOW64\Akejdp32.exe (command line: C:\Windows\system32\Akejdp32.exe, PID 1156)
- Adds autorun key to be loaded by Explorer.exe on startup
[depth 100] C:\Windows\SysWOW64\Adnomfqc.exe (command line: C:\Windows\system32\Adnomfqc.exe, PID 2228)
- System Location Discovery: System Language Discovery
[depth 101] C:\Windows\SysWOW64\Alicahno.exe (command line: C:\Windows\system32\Alicahno.exe, PID 1584)
- System Location Discovery: System Language Discovery
- Modifies registry class
[depth 102] C:\Windows\SysWOW64\Ahpdficc.exe (command line: C:\Windows\system32\Ahpdficc.exe, PID 3020)
- System Location Discovery: System Language Discovery
[depth 103] C:\Windows\SysWOW64\Abehcbci.exe (command line: C:\Windows\system32\Abehcbci.exe, PID 2320)
[depth 104] C:\Windows\SysWOW64\Akpmhdqd.exe (command line: C:\Windows\system32\Akpmhdqd.exe, PID 1740)
[depth 105] C:\Windows\SysWOW64\Bhdmahpn.exe (command line: C:\Windows\system32\Bhdmahpn.exe, PID 2956)
[depth 106] C:\Windows\SysWOW64\Bambjnfn.exe (command line: C:\Windows\system32\Bambjnfn.exe, PID 3000)
- Adds autorun key to be loaded by Explorer.exe on startup
[depth 107] C:\Windows\SysWOW64\Boqbcbeh.exe (command line: C:\Windows\system32\Boqbcbeh.exe, PID 2964)
[depth 108] C:\Windows\SysWOW64\Bglghdbc.exe (command line: C:\Windows\system32\Bglghdbc.exe, PID 3052)
- Drops file in System32 directory
[depth 109] C:\Windows\SysWOW64\Bpdkajic.exe (command line: C:\Windows\system32\Bpdkajic.exe, PID 2472)
- Drops file in System32 directory
[depth 110] C:\Windows\SysWOW64\Bpfhfjgq.exe (command line: C:\Windows\system32\Bpfhfjgq.exe, PID 580)
- Modifies registry class
[depth 111] C:\Windows\SysWOW64\Bfcqoqeh.exe (command line: C:\Windows\system32\Bfcqoqeh.exe, PID 1072)
[depth 112] C:\Windows\SysWOW64\Colegflh.exe (command line: C:\Windows\system32\Colegflh.exe, PID 2556)
[depth 113] C:\Windows\SysWOW64\Cjaieoko.exe (command line: C:\Windows\system32\Cjaieoko.exe, PID 2844)
[depth 114] C:\Windows\SysWOW64\Cfhjjp32.exe (command line: C:\Windows\system32\Cfhjjp32.exe, PID 920)
- Modifies registry class
[depth 115] C:\Windows\SysWOW64\Copobe32.exe (command line: C:\Windows\system32\Copobe32.exe, PID 480)
[depth 116] C:\Windows\SysWOW64\Chickknc.exe (command line: C:\Windows\system32\Chickknc.exe, PID 2380)
- Modifies registry class
[depth 117] C:\Windows\SysWOW64\Cnekcblk.exe (command line: C:\Windows\system32\Cnekcblk.exe, PID 2280)
- Drops file in System32 directory
[depth 118] C:\Windows\SysWOW64\Cnhhia32.exe (command line: C:\Windows\system32\Cnhhia32.exe, PID 2272)
[depth 119] C:\Windows\SysWOW64\Cgpmbgai.exe (command line: C:\Windows\system32\Cgpmbgai.exe, PID 2064)
[depth 120] C:\Windows\SysWOW64\Dqiakm32.exe (command line: C:\Windows\system32\Dqiakm32.exe, PID 2244)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
[depth 121] C:\Windows\SysWOW64\Djaedbnj.exe (command line: C:\Windows\system32\Djaedbnj.exe, PID 2732)
[depth 122] C:\Windows\SysWOW64\Dcijmhdj.exe (command line: C:\Windows\system32\Dcijmhdj.exe, PID 1136)