Analysis
max time kernel: 39s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 02/08/2024, 10:35
Static task: static1
Behavioral task: behavioral1
  Sample: 90a20c2834986e5c8cbfaf48e8982880N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 90a20c2834986e5c8cbfaf48e8982880N.exe
  Resource: win10v2004-20240730-en
General
Target: 90a20c2834986e5c8cbfaf48e8982880N.exe
Size: 94KB
MD5: 90a20c2834986e5c8cbfaf48e8982880
SHA1: 859efb3c4386ded5f1ecefaf1b0d4693697a2775
SHA256: 942c0a90df9bb362dd7c6c213f78026a940a98fc498ca21846f3990fe3f230a5
SHA512: 72ff13f2bbc37c6a62cc1696a02e8e2ba917e0cdd4c96f71f2425cacba27d7634a6e3f63efb2be96ee0a5dc54dd7d2cb3b34deb26c8f350ba161492a00607166
SSDEEP: 1536:G2DYEnHHLSBLentXQ/8rnAztjwAiYgZFeki6Da4rz/m7BR9L4DT2EnINs:9VnnQLeJQ2nAxjq/Tzu6+ob
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4384, pid_target: 4360, Process: WerFault.exe, procid_target: 333
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2256 wrote to memory of 2756 2256 90a20c2834986e5c8cbfaf48e8982880N.exe 29 PID 2256 wrote to memory of 2756 2256 90a20c2834986e5c8cbfaf48e8982880N.exe 29 PID 2256 wrote to memory of 2756 2256 90a20c2834986e5c8cbfaf48e8982880N.exe 29 PID 2256 wrote to memory of 2756 2256 90a20c2834986e5c8cbfaf48e8982880N.exe 29 PID 2756 wrote to memory of 2320 2756 Oefqlmpq.exe 30 PID 2756 wrote to memory of 2320 2756 Oefqlmpq.exe 30 PID 2756 wrote to memory of 2320 2756 Oefqlmpq.exe 30 PID 2756 wrote to memory of 2320 2756 Oefqlmpq.exe 30 PID 2320 wrote to memory of 2724 2320 Odiagj32.exe 31 PID 2320 wrote to memory of 2724 2320 Odiagj32.exe 31 PID 2320 wrote to memory of 2724 2320 Odiagj32.exe 31 PID 2320 wrote to memory of 2724 2320 Odiagj32.exe 31 PID 2724 wrote to memory of 2672 2724 Oamaan32.exe 32 PID 2724 wrote to memory of 2672 2724 Oamaan32.exe 32 PID 2724 wrote to memory of 2672 2724 Oamaan32.exe 32 PID 2724 wrote to memory of 2672 2724 Oamaan32.exe 32 PID 2672 wrote to memory of 2772 2672 Ohginhma.exe 33 PID 2672 wrote to memory of 2772 2672 Ohginhma.exe 33 PID 2672 wrote to memory of 2772 2672 Ohginhma.exe 33 PID 2672 wrote to memory of 2772 2672 Ohginhma.exe 33 PID 2772 wrote to memory of 2468 2772 Ooabjbdn.exe 34 PID 2772 wrote to memory of 2468 2772 Ooabjbdn.exe 34 PID 2772 wrote to memory of 2468 2772 Ooabjbdn.exe 34 PID 2772 wrote to memory of 2468 2772 Ooabjbdn.exe 34 PID 2468 wrote to memory of 108 2468 Oaonfncb.exe 35 PID 2468 wrote to memory of 108 2468 Oaonfncb.exe 35 PID 2468 wrote to memory of 108 2468 Oaonfncb.exe 35 PID 2468 wrote to memory of 108 2468 Oaonfncb.exe 35 PID 108 wrote to memory of 952 108 Ohifch32.exe 36 PID 108 wrote to memory of 952 108 Ohifch32.exe 36 PID 108 wrote to memory of 952 108 Ohifch32.exe 36 PID 108 wrote to memory of 952 108 Ohifch32.exe 36 PID 952 wrote to memory of 2428 952 Oijbkpqm.exe 37 PID 952 wrote to memory of 2428 952 Oijbkpqm.exe 37 PID 952 wrote to memory of 2428 952 
Oijbkpqm.exe 37 PID 952 wrote to memory of 2428 952 Oijbkpqm.exe 37 PID 2428 wrote to memory of 556 2428 Oaaklmao.exe 38 PID 2428 wrote to memory of 556 2428 Oaaklmao.exe 38 PID 2428 wrote to memory of 556 2428 Oaaklmao.exe 38 PID 2428 wrote to memory of 556 2428 Oaaklmao.exe 38 PID 556 wrote to memory of 2888 556 Occgce32.exe 39 PID 556 wrote to memory of 2888 556 Occgce32.exe 39 PID 556 wrote to memory of 2888 556 Occgce32.exe 39 PID 556 wrote to memory of 2888 556 Occgce32.exe 39 PID 2888 wrote to memory of 2924 2888 Oimpppoj.exe 40 PID 2888 wrote to memory of 2924 2888 Oimpppoj.exe 40 PID 2888 wrote to memory of 2924 2888 Oimpppoj.exe 40 PID 2888 wrote to memory of 2924 2888 Oimpppoj.exe 40 PID 2924 wrote to memory of 3008 2924 Olklmk32.exe 41 PID 2924 wrote to memory of 3008 2924 Olklmk32.exe 41 PID 2924 wrote to memory of 3008 2924 Olklmk32.exe 41 PID 2924 wrote to memory of 3008 2924 Olklmk32.exe 41 PID 3008 wrote to memory of 1368 3008 Ocedieek.exe 42 PID 3008 wrote to memory of 1368 3008 Ocedieek.exe 42 PID 3008 wrote to memory of 1368 3008 Ocedieek.exe 42 PID 3008 wrote to memory of 1368 3008 Ocedieek.exe 42 PID 1368 wrote to memory of 2420 1368 Oecpeqdo.exe 43 PID 1368 wrote to memory of 2420 1368 Oecpeqdo.exe 43 PID 1368 wrote to memory of 2420 1368 Oecpeqdo.exe 43 PID 1368 wrote to memory of 2420 1368 Oecpeqdo.exe 43 PID 2420 wrote to memory of 2120 2420 Plnhbk32.exe 44 PID 2420 wrote to memory of 2120 2420 Plnhbk32.exe 44 PID 2420 wrote to memory of 2120 2420 Plnhbk32.exe 44 PID 2420 wrote to memory of 2120 2420 Plnhbk32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\90a20c2834986e5c8cbfaf48e8982880N.exe"C:\Users\Admin\AppData\Local\Temp\90a20c2834986e5c8cbfaf48e8982880N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Oefqlmpq.exeC:\Windows\system32\Oefqlmpq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Odiagj32.exeC:\Windows\system32\Odiagj32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Oamaan32.exeC:\Windows\system32\Oamaan32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ohginhma.exeC:\Windows\system32\Ohginhma.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ooabjbdn.exeC:\Windows\system32\Ooabjbdn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Oaonfncb.exeC:\Windows\system32\Oaonfncb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Ohifch32.exeC:\Windows\system32\Ohifch32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108 -
C:\Windows\SysWOW64\Oijbkpqm.exeC:\Windows\system32\Oijbkpqm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Oaaklmao.exeC:\Windows\system32\Oaaklmao.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Occgce32.exeC:\Windows\system32\Occgce32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Oimpppoj.exeC:\Windows\system32\Oimpppoj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Olklmk32.exeC:\Windows\system32\Olklmk32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Ocedieek.exeC:\Windows\system32\Ocedieek.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Oecpeqdo.exeC:\Windows\system32\Oecpeqdo.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Plnhbk32.exeC:\Windows\system32\Plnhbk32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Poldnf32.exeC:\Windows\system32\Poldnf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Pefmkpbl.exeC:\Windows\system32\Pefmkpbl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Phdiglap.exeC:\Windows\system32\Phdiglap.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Ppkahi32.exeC:\Windows\system32\Ppkahi32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Pcjmdd32.exeC:\Windows\system32\Pcjmdd32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Pehiqp32.exeC:\Windows\system32\Pehiqp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Phgfmk32.exeC:\Windows\system32\Phgfmk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Pkebig32.exeC:\Windows\system32\Pkebig32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Pcljjd32.exeC:\Windows\system32\Pcljjd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Pdnfalea.exeC:\Windows\system32\Pdnfalea.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Phibbk32.exeC:\Windows\system32\Phibbk32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Pockoeeg.exeC:\Windows\system32\Pockoeeg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Pnfkjb32.exeC:\Windows\system32\Pnfkjb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Pgnpcg32.exeC:\Windows\system32\Pgnpcg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Pnhhpaio.exeC:\Windows\system32\Pnhhpaio.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Padcqp32.exeC:\Windows\system32\Padcqp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Pqfdlmic.exeC:\Windows\system32\Pqfdlmic.exe33⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Qjoheb32.exeC:\Windows\system32\Qjoheb32.exe34⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Qbfqfppe.exeC:\Windows\system32\Qbfqfppe.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Qddmbkoi.exeC:\Windows\system32\Qddmbkoi.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Qgcingnm.exeC:\Windows\system32\Qgcingnm.exe37⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Qjaejbmq.exeC:\Windows\system32\Qjaejbmq.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Aqkmgl32.exeC:\Windows\system32\Aqkmgl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Afhfpc32.exeC:\Windows\system32\Afhfpc32.exe40⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Aqnjml32.exeC:\Windows\system32\Aqnjml32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Aggbif32.exeC:\Windows\system32\Aggbif32.exe42⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Aiioanpf.exeC:\Windows\system32\Aiioanpf.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Aqpgblqh.exeC:\Windows\system32\Aqpgblqh.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Abacjd32.exeC:\Windows\system32\Abacjd32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:392 -
C:\Windows\SysWOW64\Aikkgnnc.exeC:\Windows\system32\Aikkgnnc.exe46⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Akjhcimg.exeC:\Windows\system32\Akjhcimg.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:588 -
C:\Windows\SysWOW64\Acqpdgni.exeC:\Windows\system32\Acqpdgni.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Aebllocg.exeC:\Windows\system32\Aebllocg.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ainhln32.exeC:\Windows\system32\Ainhln32.exe50⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Akldhi32.exeC:\Windows\system32\Akldhi32.exe51⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Aogqihcm.exeC:\Windows\system32\Aogqihcm.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Abfmecba.exeC:\Windows\system32\Abfmecba.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Afaieb32.exeC:\Windows\system32\Afaieb32.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Bgbemjqh.exeC:\Windows\system32\Bgbemjqh.exe55⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Bojmogak.exeC:\Windows\system32\Bojmogak.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Bbhikcpn.exeC:\Windows\system32\Bbhikcpn.exe57⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Begegn32.exeC:\Windows\system32\Begegn32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Bibagmhk.exeC:\Windows\system32\Bibagmhk.exe59⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Bkqnchgo.exeC:\Windows\system32\Bkqnchgo.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Bnojpdfb.exeC:\Windows\system32\Bnojpdfb.exe61⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Bbkfpb32.exeC:\Windows\system32\Bbkfpb32.exe62⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Beibln32.exeC:\Windows\system32\Beibln32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Bggohi32.exeC:\Windows\system32\Bggohi32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Bjfkde32.exeC:\Windows\system32\Bjfkde32.exe65⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Bmdgqp32.exeC:\Windows\system32\Bmdgqp32.exe66⤵PID:1512
-
C:\Windows\SysWOW64\Bekobn32.exeC:\Windows\system32\Bekobn32.exe67⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Bfmlif32.exeC:\Windows\system32\Bfmlif32.exe68⤵PID:3044
-
C:\Windows\SysWOW64\Bjhgjdjd.exeC:\Windows\system32\Bjhgjdjd.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Bndckc32.exeC:\Windows\system32\Bndckc32.exe70⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Babpgo32.exeC:\Windows\system32\Babpgo32.exe71⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Bcqlcj32.exeC:\Windows\system32\Bcqlcj32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Bglhcihn.exeC:\Windows\system32\Bglhcihn.exe73⤵PID:440
-
C:\Windows\SysWOW64\Bjjdpdga.exeC:\Windows\system32\Bjjdpdga.exe74⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Bmiqlpge.exeC:\Windows\system32\Bmiqlpge.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Badlln32.exeC:\Windows\system32\Badlln32.exe76⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Cbfidfem.exeC:\Windows\system32\Cbfidfem.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Cjmaed32.exeC:\Windows\system32\Cjmaed32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Cipaqqli.exeC:\Windows\system32\Cipaqqli.exe79⤵PID:2964
-
C:\Windows\SysWOW64\Clnmmlkm.exeC:\Windows\system32\Clnmmlkm.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Cceenilo.exeC:\Windows\system32\Cceenilo.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:844 -
C:\Windows\SysWOW64\Cfcajekc.exeC:\Windows\system32\Cfcajekc.exe82⤵
- System Location Discovery: System Language Discovery
PID:868 -
C:\Windows\SysWOW64\Cibnfpjg.exeC:\Windows\system32\Cibnfpjg.exe83⤵PID:2792
-
C:\Windows\SysWOW64\Clqjblij.exeC:\Windows\system32\Clqjblij.exe84⤵PID:2764
-
C:\Windows\SysWOW64\Coofoghn.exeC:\Windows\system32\Coofoghn.exe85⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Cbjbof32.exeC:\Windows\system32\Cbjbof32.exe86⤵PID:2604
-
C:\Windows\SysWOW64\Ceioka32.exeC:\Windows\system32\Ceioka32.exe87⤵PID:2908
-
C:\Windows\SysWOW64\Cidklp32.exeC:\Windows\system32\Cidklp32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Cpnchjpa.exeC:\Windows\system32\Cpnchjpa.exe89⤵PID:2760
-
C:\Windows\SysWOW64\Coacdg32.exeC:\Windows\system32\Coacdg32.exe90⤵PID:2084
-
C:\Windows\SysWOW64\Cekkaanh.exeC:\Windows\system32\Cekkaanh.exe91⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Ciggap32.exeC:\Windows\system32\Ciggap32.exe92⤵
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Ckhdihlp.exeC:\Windows\system32\Ckhdihlp.exe93⤵PID:1636
-
C:\Windows\SysWOW64\Cocpjf32.exeC:\Windows\system32\Cocpjf32.exe94⤵PID:2708
-
C:\Windows\SysWOW64\Cboljemb.exeC:\Windows\system32\Cboljemb.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Cenhfqle.exeC:\Windows\system32\Cenhfqle.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Chldbl32.exeC:\Windows\system32\Chldbl32.exe97⤵PID:2000
-
C:\Windows\SysWOW64\Clgpckcb.exeC:\Windows\system32\Clgpckcb.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Ckjqog32.exeC:\Windows\system32\Ckjqog32.exe99⤵PID:3016
-
C:\Windows\SysWOW64\Dmimkc32.exeC:\Windows\system32\Dmimkc32.exe100⤵PID:2232
-
C:\Windows\SysWOW64\Depelp32.exeC:\Windows\system32\Depelp32.exe101⤵PID:956
-
C:\Windows\SysWOW64\Ddbegmqm.exeC:\Windows\system32\Ddbegmqm.exe102⤵
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Dkmmdg32.exeC:\Windows\system32\Dkmmdg32.exe103⤵
- System Location Discovery: System Language Discovery
PID:924 -
C:\Windows\SysWOW64\Dohiefpc.exeC:\Windows\system32\Dohiefpc.exe104⤵PID:1348
-
C:\Windows\SysWOW64\Dmkipb32.exeC:\Windows\system32\Dmkipb32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Dpifln32.exeC:\Windows\system32\Dpifln32.exe106⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Ddeammok.exeC:\Windows\system32\Ddeammok.exe107⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Dgcnihnn.exeC:\Windows\system32\Dgcnihnn.exe108⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Dibjec32.exeC:\Windows\system32\Dibjec32.exe109⤵PID:2504
-
C:\Windows\SysWOW64\Daibfa32.exeC:\Windows\system32\Daibfa32.exe110⤵PID:2884
-
C:\Windows\SysWOW64\Ddgnbl32.exeC:\Windows\system32\Ddgnbl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:984 -
C:\Windows\SysWOW64\Dgfkoh32.exeC:\Windows\system32\Dgfkoh32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Didgkc32.exeC:\Windows\system32\Didgkc32.exe113⤵PID:1344
-
C:\Windows\SysWOW64\Dmpckbci.exeC:\Windows\system32\Dmpckbci.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:704 -
C:\Windows\SysWOW64\Dlbcgo32.exeC:\Windows\system32\Dlbcgo32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Ddjkhl32.exeC:\Windows\system32\Ddjkhl32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Dekgpdqc.exeC:\Windows\system32\Dekgpdqc.exe117⤵PID:2280
-
C:\Windows\SysWOW64\Difcpc32.exeC:\Windows\system32\Difcpc32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Dmbpaa32.exeC:\Windows\system32\Dmbpaa32.exe119⤵
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Dpqlmm32.exeC:\Windows\system32\Dpqlmm32.exe120⤵PID:2912
-
C:\Windows\SysWOW64\Doclijgd.exeC:\Windows\system32\Doclijgd.exe121⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Eemded32.exeC:\Windows\system32\Eemded32.exe122⤵
- System Location Discovery: System Language Discovery
PID:1608