Analysis
max time kernel: 138s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 05/08/2024, 22:50

Static task: static1

Behavioral task: behavioral1
Sample: 6f88f45e1c7553d1d796393428346642509d5fd5e8906c95fedf158ca6a7386d.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 6f88f45e1c7553d1d796393428346642509d5fd5e8906c95fedf158ca6a7386d.exe
Resource: win10v2004-20240802-en

General
Target: 6f88f45e1c7553d1d796393428346642509d5fd5e8906c95fedf158ca6a7386d.exe
Size: 45KB
MD5: 3665e9a17ec1bb81b0f04ac5fe10001a
SHA1: 03490d4d15fdb269327c8382dd841fc9d05fbbc8
SHA256: 6f88f45e1c7553d1d796393428346642509d5fd5e8906c95fedf158ca6a7386d
SHA512: deefae199befd9b6de9402186d45a5de93d862974d690e5e6a2b9851d7e7a81cc0beb70bc35b68d95aec8961c7fa95dabd174786bb9cfd31353be91da88aab9a
SSDEEP: 768:zPLbRH98DyXLvA2ptS40jeZaAGd3ZG5uTpy4CTVrEmmNI8t+lmE2Qout/1H5iZ:zLd98ubvA2b0oCActGTZmNIXB9oQoZ
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every COM object listed under ShellServiceObjectDelayLoad when the shell starts, so a CLSID written here is loaded into Explorer at each logon. The 37 "Set value" events all write the same value name ("Web Event Logger") and the same CLSID; the 27 "Key created" events touch the parent key. The DLL that this CLSID resolves to is registered under InProcServer32, recorded below under "Modifies registry class".

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (37 processes):
Iiaddb32.exe, Nelgkhdp.exe, Ahcoli32.exe, Bfjhippb.exe, Nhombc32.exe, Qjleem32.exe, Fjqlid32.exe, Oogdiqki.exe, Qcgfcbbh.exe, Dfqjible.exe, Hekfpo32.exe, Hnegod32.exe, Eiocdand.exe, Hjlhcegl.exe, Abqlpn32.exe, Cbebjpaa.exe, Eacnpoqi.exe, Fhmblljb.exe, Ipnigl32.exe, Dlmcaijm.exe, Icdllk32.exe, Ibjing32.exe, Pajjpk32.exe, Qecejnco.exe, Ccfoah32.exe, Qoimmc32.exe, Biegpl32.exe, Npmana32.exe, Dpiobh32.exe, Hkpdbj32.exe, Hjjknfin.exe, Pgklcaqi.exe, Qljaah32.exe, Gmdapoil.exe, Dejqenmh.exe, Pdhflg32.exe, Diackmif.exe

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (27 processes):
Ccikghel.exe, Agikmeeg.exe, Oodhca32.exe, Emeejpjc.exe, Ojpedn32.exe, Boblbe32.exe, Eiapjq32.exe, Cjepib32.exe, Gmdapoil.exe, Cgbjbgph.exe, Nhombc32.exe, Hglobj32.exe, Hcbogk32.exe, Obngnphg.exe, Hjjknfin.exe, Dlppgihj.exe, Pnedpl32.exe, Qjleem32.exe, Fejmda32.exe, Mmjlfgml.exe, Agpamd32.exe, Boppmf32.exe, Dhimaill.exe, Egnjbfqc.exe, Deckeo32.exe, Cnnpdaeb.exe, Hiohob32.exe
Executes dropped EXE (64 IoCs)

pid | Process
2256 | Lhlgaedj.exe
2320 | Lnipilbb.exe
1780 | Lfpgkicd.exe
2816 | Lgadba32.exe
1768 | Lbghpjih.exe
1672 | Lhaqld32.exe
2596 | Lkomhp32.exe
1776 | Lbieejff.exe
2876 | Ldhaaefi.exe
2392 | Lkainp32.exe
1052 | Lmcfeh32.exe
2444 | Mdjnge32.exe
2728 | Mfkjnmje.exe
1984 | Mnbbpkjg.exe
2524 | Mqqolfik.exe
2180 | Mgkghp32.exe
2196 | Milcphgf.exe
2868 | Mqckaf32.exe
1612 | Mcagma32.exe
1008 | Mjkpjkni.exe
2872 | Mmjlfgml.exe
2724 | Mphhbblp.exe
1968 | Mbgdonkd.exe
688 | Meeqkijg.exe
2072 | Mmlilfkj.exe
2268 | Mloigc32.exe
1648 | Mbiadm32.exe
2812 | Miciqgqn.exe
2744 | Npmana32.exe
2824 | Nbknjm32.exe
2900 | Nannejni.exe
1168 | Njfbno32.exe
2052 | Nnboonmb.exe
3052 | Nelgkhdp.exe
2632 | Nhjcgccc.exe
1616 | Nlfohb32.exe
932 | Nmglpjak.exe
2848 | Nacgpi32.exe
2640 | Nfpphp32.exe
1644 | Nphdaeol.exe
2996 | Nhombc32.exe
2204 | Njnion32.exe
2896 | Npjage32.exe
2316 | Ndfmgdeb.exe
856 | Ojpedn32.exe
916 | Oicfpkci.exe
580 | Ofgfio32.exe
2964 | Oejfelin.exe
264 | Omqnfiip.exe
2176 | Olcoaf32.exe
2676 | Obngnphg.exe
2580 | Oelcjkgk.exe
2712 | Oigokj32.exe
2588 | Ohjofgfo.exe
2652 | Opaggdfa.exe
1636 | Oodhca32.exe
304 | Obpccped.exe
2328 | Oabdol32.exe
1132 | Oenppk32.exe
1712 | Oijlpjma.exe
2040 | Olhhmele.exe
2008 | Okkhhb32.exe
1148 | Oogdiqki.exe
2424 | Oaeqeljm.exe
Loads dropped DLL (64 IoCs)
Each pid/process pair below appears twice in the report (32 distinct pairs).

pid | Process
1036 | 6f88f45e1c7553d1d796393428346642509d5fd5e8906c95fedf158ca6a7386d.exe
2256 | Lhlgaedj.exe
2320 | Lnipilbb.exe
1780 | Lfpgkicd.exe
2816 | Lgadba32.exe
1768 | Lbghpjih.exe
1672 | Lhaqld32.exe
2596 | Lkomhp32.exe
1776 | Lbieejff.exe
2876 | Ldhaaefi.exe
2392 | Lkainp32.exe
1052 | Lmcfeh32.exe
2444 | Mdjnge32.exe
2728 | Mfkjnmje.exe
1984 | Mnbbpkjg.exe
2524 | Mqqolfik.exe
2180 | Mgkghp32.exe
2196 | Milcphgf.exe
2868 | Mqckaf32.exe
1612 | Mcagma32.exe
1008 | Mjkpjkni.exe
2872 | Mmjlfgml.exe
2724 | Mphhbblp.exe
1968 | Mbgdonkd.exe
688 | Meeqkijg.exe
2072 | Mmlilfkj.exe
2268 | Mloigc32.exe
1648 | Mbiadm32.exe
2812 | Miciqgqn.exe
2744 | Npmana32.exe
2824 | Nbknjm32.exe
2900 | Nannejni.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Mlfpml32.dll | Lfpgkicd.exe
File created | C:\Windows\SysWOW64\Plfhfiqc.exe | Pncgjl32.exe
File created | C:\Windows\SysWOW64\Ajidnp32.exe | Agkhbece.exe
File created | C:\Windows\SysWOW64\Abqlpn32.exe | Ajidnp32.exe
File opened for modification | C:\Windows\SysWOW64\Icdllk32.exe | Ipipllec.exe
File opened for modification | C:\Windows\SysWOW64\Bjcgdojn.exe | Bblocaik.exe
File created | C:\Windows\SysWOW64\Dmcidqlf.exe | Dkelhemb.exe
File opened for modification | C:\Windows\SysWOW64\Hjeacf32.exe | Hggegknp.exe
File opened for modification | C:\Windows\SysWOW64\Meeqkijg.exe | Mbgdonkd.exe
File created | C:\Windows\SysWOW64\Bijakkmc.exe | Bfldopno.exe
File opened for modification | C:\Windows\SysWOW64\Dbihccpg.exe | Dlppgihj.exe
File created | C:\Windows\SysWOW64\Kocmkdkp.dll | Ecidbfbb.exe
File created | C:\Windows\SysWOW64\Klcofleb.dll | Gbecce32.exe
File created | C:\Windows\SysWOW64\Eehkba32.dll | Emjoep32.exe
File opened for modification | C:\Windows\SysWOW64\Gcbchhmc.exe | Gmhkkn32.exe
File opened for modification | C:\Windows\SysWOW64\Lhaqld32.exe | Lbghpjih.exe
File created | C:\Windows\SysWOW64\Qkpmkopd.dll | Njfbno32.exe
File created | C:\Windows\SysWOW64\Nphdaeol.exe | Nfpphp32.exe
File created | C:\Windows\SysWOW64\Oijlpjma.exe | Oenppk32.exe
File created | C:\Windows\SysWOW64\Qjleem32.exe | Pcbmhb32.exe
File opened for modification | C:\Windows\SysWOW64\Qkpnbdaf.exe | Qlmnfh32.exe
File created | C:\Windows\SysWOW64\Mlgabfoe.dll | Adoili32.exe
File created | C:\Windows\SysWOW64\Okmena32.exe | Ohoiaf32.exe
File created | C:\Windows\SysWOW64\Mgkghp32.exe | Mqqolfik.exe
File created | C:\Windows\SysWOW64\Pdgbkhca.dll | Bfeonq32.exe
File created | C:\Windows\SysWOW64\Bimnqk32.exe | Beaaplbg.exe
File created | C:\Windows\SysWOW64\Cnnpdaeb.exe | Cjbccb32.exe
File opened for modification | C:\Windows\SysWOW64\Dbenhc32.exe | Doibhekc.exe
File opened for modification | C:\Windows\SysWOW64\Dehdpnok.exe | Dalhop32.exe
File created | C:\Windows\SysWOW64\Onmgbdea.dll | Gcpfbhof.exe
File created | C:\Windows\SysWOW64\Hpjifj32.dll | Bkdclgpl.exe
File created | C:\Windows\SysWOW64\Cehaip32.dll | Dajkjphd.exe
File created | C:\Windows\SysWOW64\Jbkeilmm.dll | Nannejni.exe
File opened for modification | C:\Windows\SysWOW64\Pdmpgfae.exe | Ppacfg32.exe
File opened for modification | C:\Windows\SysWOW64\Bblocaik.exe | Bciohe32.exe
File opened for modification | C:\Windows\SysWOW64\Epkhfkco.exe | Emmljodk.exe
File created | C:\Windows\SysWOW64\Ipkmal32.exe | Ilpaqmkg.exe
File opened for modification | C:\Windows\SysWOW64\Opaggdfa.exe | Ohjofgfo.exe
File created | C:\Windows\SysWOW64\Oehcfq32.dll | Dlblmh32.exe
File created | C:\Windows\SysWOW64\Ihlkogio.dll | Ojpedn32.exe
File created | C:\Windows\SysWOW64\Dehdpnok.exe | Dalhop32.exe
File opened for modification | C:\Windows\SysWOW64\Hbjmodph.exe | Holqbipe.exe
File created | C:\Windows\SysWOW64\Nfpphp32.exe | Nacgpi32.exe
File opened for modification | C:\Windows\SysWOW64\Oicfpkci.exe | Ojpedn32.exe
File opened for modification | C:\Windows\SysWOW64\Cnnpdaeb.exe | Cjbccb32.exe
File created | C:\Windows\SysWOW64\Fihojl32.dll | Caohfl32.exe
File created | C:\Windows\SysWOW64\Nfepljba.dll | Hadckp32.exe
File created | C:\Windows\SysWOW64\Okhbph32.dll | Oeqmek32.exe
File opened for modification | C:\Windows\SysWOW64\Okmena32.exe | Ohoiaf32.exe
File created | C:\Windows\SysWOW64\Kapemg32.dll | Bfjhippb.exe
File created | C:\Windows\SysWOW64\Pdkmmh32.dll | Ohoiaf32.exe
File created | C:\Windows\SysWOW64\Ppcplg32.exe | Pnedpl32.exe
File created | C:\Windows\SysWOW64\Dfikeg32.dll | Agikmeeg.exe
File created | C:\Windows\SysWOW64\Gfobndnj.exe | Gcpfbhof.exe
File opened for modification | C:\Windows\SysWOW64\Nmglpjak.exe | Nlfohb32.exe
File created | C:\Windows\SysWOW64\Qhabfibb.exe | Qecejnco.exe
File created | C:\Windows\SysWOW64\Qmancc32.dll | Hjeacf32.exe
File created | C:\Windows\SysWOW64\Bmcpfj32.exe | Belhem32.exe
File created | C:\Windows\SysWOW64\Picqpfdf.dll | Bpdihedp.exe
File opened for modification | C:\Windows\SysWOW64\Cjepib32.exe | Cckhlhcj.exe
File opened for modification | C:\Windows\SysWOW64\Glaejokn.exe | Fjchnclk.exe
File created | C:\Windows\SysWOW64\Cpolli32.exe | Cnnpdaeb.exe
File opened for modification | C:\Windows\SysWOW64\Nlfohb32.exe | Nhjcgccc.exe
File created | C:\Windows\SysWOW64\Klojje32.dll | Epkhfkco.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
3196 | 3416 | WerFault.exe | 313
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is also routine for legitimate software that queries the system locale, so on its own it is weak evidence; it is notable here because the dropped executables perform it in bulk.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 processes):
Cpolli32.exe, Olhhmele.exe, Ajidnp32.exe, Gnldhf32.exe, Nnboonmb.exe, Nhombc32.exe, Qagiio32.exe, Eddgaj32.exe, Ipkmal32.exe, Pgdfbb32.exe, Pdhflg32.exe, Nphdaeol.exe, Fjqlid32.exe, Hkenmidf.exe, Meeqkijg.exe, Nhjcgccc.exe, Pajjpk32.exe, Biegpl32.exe, Dejqenmh.exe, Ecdkgg32.exe, Hcpbalaa.exe, Ilpaqmkg.exe, Lhaqld32.exe, Nacgpi32.exe, Pcbmhb32.exe, Lmcfeh32.exe, Oelcjkgk.exe, Pgklcaqi.exe, Admlfida.exe, Dpiobh32.exe, Hjeacf32.exe, Lbieejff.exe, Oogdiqki.exe, Edpnfjap.exe, Fgpcgi32.exe, Inqjbhhh.exe, Pncgjl32.exe, Ccfoah32.exe, Emeejpjc.exe, Gckmgi32.exe, Hjjknfin.exe, Mfkjnmje.exe, Mloigc32.exe, Qoimmc32.exe, Eacnpoqi.exe, Imomkp32.exe, Mbgdonkd.exe, Palgek32.exe, Ahcoli32.exe, Angmdoho.exe, Godjaj32.exe, Fnjkdcii.exe, Hidekn32.exe, Nannejni.exe, Ckmfbf32.exe, Hnanceem.exe, Ckkjmf32.exe, Cnnpdaeb.exe, Hekfpo32.exe, Okkhhb32.exe, Dolondiq.exe, Fdafkm32.exe, Ifhacfhj.exe, Mphhbblp.exe
Modifies registry class (64 IoCs)
All 64 events concern the single CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} that the autorun entry above references. Each "Set value" on the default InProcServer32 value points that CLSID at a different, freshly dropped DLL under C:\Windows\SysWow64\, so the DLL name changes from generation to generation while the CLSID and the ShellServiceObjectDelayLoad value name stay constant; those two are the stable pivots for hunting.

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 (17 processes):
Bjcgdojn.exe, Goidmibg.exe, Dmcidqlf.exe, Hkenmidf.exe, Cpolli32.exe, Qjleem32.exe, Cnnpdaeb.exe, Ipkmal32.exe, Pkboiamh.exe, Lnipilbb.exe, Mphhbblp.exe, Qhoeqide.exe, Cgbjbgph.exe, Lmcfeh32.exe, Emjoep32.exe, Akbkhd32.exe, Bimnqk32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" (27 processes):
Obpccped.exe, Ooianpif.exe, Dkelhemb.exe, Nphdaeol.exe, Hcpbalaa.exe, Nbknjm32.exe, Ajidnp32.exe, Bbnlia32.exe, Edpnfjap.exe, Dhimaill.exe, Gcpfbhof.exe, Bimnqk32.exe, Hqojpqdp.exe, Boppmf32.exe, Dlppgihj.exe, Haafepbn.exe, Omqnfiip.exe, Bkimgflg.exe, Admlfida.exe, Ggifmgia.exe, Hadckp32.exe, Mphhbblp.exe, Olcoaf32.exe, Clhifj32.exe, Inqjbhhh.exe, Plfhfiqc.exe, Dehdpnok.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default) = DLL path (20 processes):
data | Process
"C:\\Windows\\SysWow64\\Ejnjlm32.dll" | Dlmcaijm.exe
"C:\\Windows\\SysWow64\\Nbeeolfd.dll" | Boblbe32.exe
"C:\\Windows\\SysWow64\\Jlfaccjd.dll" | Cpbiaiin.exe
"C:\\Windows\\SysWow64\\Nldpeojc.dll" | Ecggmfde.exe
"C:\\Windows\\SysWow64\\Pkhmce32.dll" | Pncgjl32.exe
"C:\\Windows\\SysWow64\\Jmigdjnd.dll" | Dfnncb32.exe
"C:\\Windows\\SysWow64\\Kabljfoi.dll" | Ipkmal32.exe
"C:\\Windows\\SysWow64\\Aahoageo.dll" | Mfkjnmje.exe
"C:\\Windows\\SysWow64\\Acjggeal.dll" | Nacgpi32.exe
"C:\\Windows\\SysWow64\\Mhbagmmf.dll" | Oicfpkci.exe
"C:\\Windows\\SysWow64\\Ehkflp32.dll" | Oejfelin.exe
"C:\\Windows\\SysWow64\\Hoppal32.dll" | Hglobj32.exe
"C:\\Windows\\SysWow64\\Fdlnmk32.dll" | Okkhhb32.exe
"C:\\Windows\\SysWow64\\Aenkmf32.dll" | Lnipilbb.exe
"C:\\Windows\\SysWow64\\Bdapdcdj.dll" | Fnjkdcii.exe
"C:\\Windows\\SysWow64\\Mniiepja.dll" | Pecikj32.exe
"C:\\Windows\\SysWow64\\Oeigiqba.dll" | Hidekn32.exe
"C:\\Windows\\SysWow64\\Qocaebmb.dll" | Anbcio32.exe
"C:\\Windows\\SysWow64\\Jggdqipm.dll" | Bjcgdojn.exe
"C:\\Windows\\SysWow64\\Lhplce32.dll" | Godjaj32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each write below was recorded 4 times, 64 events in total)
- PID 1036 wrote to memory of 2256 | 1036 | 6f88f45e1c7553d1d796393428346642509d5fd5e8906c95fedf158ca6a7386d.exe | 29 (4 events)
- PID 2256 wrote to memory of 2320 | 2256 | Lhlgaedj.exe | 30 (4 events)
- PID 2320 wrote to memory of 1780 | 2320 | Lnipilbb.exe | 31 (4 events)
- PID 1780 wrote to memory of 2816 | 1780 | Lfpgkicd.exe | 32 (4 events)
- PID 2816 wrote to memory of 1768 | 2816 | Lgadba32.exe | 33 (4 events)
- PID 1768 wrote to memory of 1672 | 1768 | Lbghpjih.exe | 34 (4 events)
- PID 1672 wrote to memory of 2596 | 1672 | Lhaqld32.exe | 35 (4 events)
- PID 2596 wrote to memory of 1776 | 2596 | Lkomhp32.exe | 36 (4 events)
- PID 1776 wrote to memory of 2876 | 1776 | Lbieejff.exe | 37 (4 events)
- PID 2876 wrote to memory of 2392 | 2876 | Ldhaaefi.exe | 38 (4 events)
- PID 2392 wrote to memory of 1052 | 2392 | Lkainp32.exe | 39 (4 events)
- PID 1052 wrote to memory of 2444 | 1052 | Lmcfeh32.exe | 40 (4 events)
- PID 2444 wrote to memory of 2728 | 2444 | Mdjnge32.exe | 41 (4 events)
- PID 2728 wrote to memory of 1984 | 2728 | Mfkjnmje.exe | 42 (4 events)
- PID 1984 wrote to memory of 2524 | 1984 | Mnbbpkjg.exe | 43 (4 events)
- PID 2524 wrote to memory of 2180 | 2524 | Mqqolfik.exe | 44 (4 events)
Processes
-
Process tree (each entry: depth in the tree | PID | image path | command line, followed by the signatures that fired for that process)
Depth 1 | PID 1036 | C:\Users\Admin\AppData\Local\Temp\6f88f45e1c7553d1d796393428346642509d5fd5e8906c95fedf158ca6a7386d.exe | command line: "C:\Users\Admin\AppData\Local\Temp\6f88f45e1c7553d1d796393428346642509d5fd5e8906c95fedf158ca6a7386d.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 2 | PID 2256 | C:\Windows\SysWOW64\Lhlgaedj.exe | command line: C:\Windows\system32\Lhlgaedj.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 3 | PID 2320 | C:\Windows\SysWOW64\Lnipilbb.exe | command line: C:\Windows\system32\Lnipilbb.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 4 | PID 1780 | C:\Windows\SysWOW64\Lfpgkicd.exe | command line: C:\Windows\system32\Lfpgkicd.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 5 | PID 2816 | C:\Windows\SysWOW64\Lgadba32.exe | command line: C:\Windows\system32\Lgadba32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 6 | PID 1768 | C:\Windows\SysWOW64\Lbghpjih.exe | command line: C:\Windows\system32\Lbghpjih.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 7 | PID 1672 | C:\Windows\SysWOW64\Lhaqld32.exe | command line: C:\Windows\system32\Lhaqld32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 8 | PID 2596 | C:\Windows\SysWOW64\Lkomhp32.exe | command line: C:\Windows\system32\Lkomhp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 9 | PID 1776 | C:\Windows\SysWOW64\Lbieejff.exe | command line: C:\Windows\system32\Lbieejff.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 10 | PID 2876 | C:\Windows\SysWOW64\Ldhaaefi.exe | command line: C:\Windows\system32\Ldhaaefi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 11 | PID 2392 | C:\Windows\SysWOW64\Lkainp32.exe | command line: C:\Windows\system32\Lkainp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 12 | PID 1052 | C:\Windows\SysWOW64\Lmcfeh32.exe | command line: C:\Windows\system32\Lmcfeh32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 13 | PID 2444 | C:\Windows\SysWOW64\Mdjnge32.exe | command line: C:\Windows\system32\Mdjnge32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 14 | PID 2728 | C:\Windows\SysWOW64\Mfkjnmje.exe | command line: C:\Windows\system32\Mfkjnmje.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 15 | PID 1984 | C:\Windows\SysWOW64\Mnbbpkjg.exe | command line: C:\Windows\system32\Mnbbpkjg.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 16 | PID 2524 | C:\Windows\SysWOW64\Mqqolfik.exe | command line: C:\Windows\system32\Mqqolfik.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 17 | PID 2180 | C:\Windows\SysWOW64\Mgkghp32.exe | command line: C:\Windows\system32\Mgkghp32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 18 | PID 2196 | C:\Windows\SysWOW64\Milcphgf.exe | command line: C:\Windows\system32\Milcphgf.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 19 | PID 2868 | C:\Windows\SysWOW64\Mqckaf32.exe | command line: C:\Windows\system32\Mqckaf32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 20 | PID 1612 | C:\Windows\SysWOW64\Mcagma32.exe | command line: C:\Windows\system32\Mcagma32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 21 | PID 1008 | C:\Windows\SysWOW64\Mjkpjkni.exe | command line: C:\Windows\system32\Mjkpjkni.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 22 | PID 2872 | C:\Windows\SysWOW64\Mmjlfgml.exe | command line: C:\Windows\system32\Mmjlfgml.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
Depth 23 | PID 2724 | C:\Windows\SysWOW64\Mphhbblp.exe | command line: C:\Windows\system32\Mphhbblp.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 24 | PID 1968 | C:\Windows\SysWOW64\Mbgdonkd.exe | command line: C:\Windows\system32\Mbgdonkd.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 25 | PID 688 | C:\Windows\SysWOW64\Meeqkijg.exe | command line: C:\Windows\system32\Meeqkijg.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
Depth 26 | PID 2072 | C:\Windows\SysWOW64\Mmlilfkj.exe | command line: C:\Windows\system32\Mmlilfkj.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 27 | PID 2268 | C:\Windows\SysWOW64\Mloigc32.exe | command line: C:\Windows\system32\Mloigc32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
Depth 28 | PID 1648 | C:\Windows\SysWOW64\Mbiadm32.exe | command line: C:\Windows\system32\Mbiadm32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 29 | PID 2812 | C:\Windows\SysWOW64\Miciqgqn.exe | command line: C:\Windows\system32\Miciqgqn.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 30 | PID 2744 | C:\Windows\SysWOW64\Npmana32.exe | command line: C:\Windows\system32\Npmana32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
Depth 31 | PID 2824 | C:\Windows\SysWOW64\Nbknjm32.exe | command line: C:\Windows\system32\Nbknjm32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
Depth 32 | PID 2900 | C:\Windows\SysWOW64\Nannejni.exe | command line: C:\Windows\system32\Nannejni.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 33 | PID 1168 | C:\Windows\SysWOW64\Njfbno32.exe | command line: C:\Windows\system32\Njfbno32.exe
- Executes dropped EXE
- Drops file in System32 directory
Depth 34 | PID 2052 | C:\Windows\SysWOW64\Nnboonmb.exe | command line: C:\Windows\system32\Nnboonmb.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 35 | PID 3052 | C:\Windows\SysWOW64\Nelgkhdp.exe | command line: C:\Windows\system32\Nelgkhdp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 36 | PID 2632 | C:\Windows\SysWOW64\Nhjcgccc.exe | command line: C:\Windows\system32\Nhjcgccc.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 37 | PID 1616 | C:\Windows\SysWOW64\Nlfohb32.exe | command line: C:\Windows\system32\Nlfohb32.exe
- Executes dropped EXE
- Drops file in System32 directory
Depth 38 | PID 932 | C:\Windows\SysWOW64\Nmglpjak.exe | command line: C:\Windows\system32\Nmglpjak.exe
- Executes dropped EXE
Depth 39 | PID 2848 | C:\Windows\SysWOW64\Nacgpi32.exe | command line: C:\Windows\system32\Nacgpi32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 40 | PID 2640 | C:\Windows\SysWOW64\Nfpphp32.exe | command line: C:\Windows\system32\Nfpphp32.exe
- Executes dropped EXE
- Drops file in System32 directory
Depth 41 | PID 1644 | C:\Windows\SysWOW64\Nphdaeol.exe | command line: C:\Windows\system32\Nphdaeol.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 42 | PID 2996 | C:\Windows\SysWOW64\Nhombc32.exe | command line: C:\Windows\system32\Nhombc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 43 | PID 2204 | C:\Windows\SysWOW64\Njnion32.exe | command line: C:\Windows\system32\Njnion32.exe
- Executes dropped EXE
Depth 44 | PID 2896 | C:\Windows\SysWOW64\Npjage32.exe | command line: C:\Windows\system32\Npjage32.exe
- Executes dropped EXE
Depth 45 | PID 2316 | C:\Windows\SysWOW64\Ndfmgdeb.exe | command line: C:\Windows\system32\Ndfmgdeb.exe
- Executes dropped EXE
Depth 46 | PID 856 | C:\Windows\SysWOW64\Ojpedn32.exe | command line: C:\Windows\system32\Ojpedn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
Depth 47 | PID 916 | C:\Windows\SysWOW64\Oicfpkci.exe | command line: C:\Windows\system32\Oicfpkci.exe
- Executes dropped EXE
- Modifies registry class
Depth 48 | PID 580 | C:\Windows\SysWOW64\Ofgfio32.exe | command line: C:\Windows\system32\Ofgfio32.exe
- Executes dropped EXE
Depth 49 | PID 2964 | C:\Windows\SysWOW64\Oejfelin.exe | command line: C:\Windows\system32\Oejfelin.exe
- Executes dropped EXE
- Modifies registry class
Depth 50 | PID 264 | C:\Windows\SysWOW64\Omqnfiip.exe | command line: C:\Windows\system32\Omqnfiip.exe
- Executes dropped EXE
- Modifies registry class
Depth 51 | PID 2176 | C:\Windows\SysWOW64\Olcoaf32.exe | command line: C:\Windows\system32\Olcoaf32.exe
- Executes dropped EXE
- Modifies registry class
Depth 52 | PID 2676 | C:\Windows\SysWOW64\Obngnphg.exe | command line: C:\Windows\system32\Obngnphg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 53 | PID 2580 | C:\Windows\SysWOW64\Oelcjkgk.exe | command line: C:\Windows\system32\Oelcjkgk.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 54 | PID 2712 | C:\Windows\SysWOW64\Oigokj32.exe | command line: C:\Windows\system32\Oigokj32.exe
- Executes dropped EXE
Depth 55 | PID 2588 | C:\Windows\SysWOW64\Ohjofgfo.exe | command line: C:\Windows\system32\Ohjofgfo.exe
- Executes dropped EXE
- Drops file in System32 directory
Depth 56 | PID 2652 | C:\Windows\SysWOW64\Opaggdfa.exe | command line: C:\Windows\system32\Opaggdfa.exe
- Executes dropped EXE
Depth 57 | PID 1636 | C:\Windows\SysWOW64\Oodhca32.exe | command line: C:\Windows\system32\Oodhca32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 58 | PID 304 | C:\Windows\SysWOW64\Obpccped.exe | command line: C:\Windows\system32\Obpccped.exe
- Executes dropped EXE
- Modifies registry class
Depth 59 | PID 2328 | C:\Windows\SysWOW64\Oabdol32.exe | command line: C:\Windows\system32\Oabdol32.exe
- Executes dropped EXE
Depth 60 | PID 1132 | C:\Windows\SysWOW64\Oenppk32.exe | command line: C:\Windows\system32\Oenppk32.exe
- Executes dropped EXE
- Drops file in System32 directory
Depth 61 | PID 1712 | C:\Windows\SysWOW64\Oijlpjma.exe | command line: C:\Windows\system32\Oijlpjma.exe
- Executes dropped EXE
Depth 62 | PID 2040 | C:\Windows\SysWOW64\Olhhmele.exe | command line: C:\Windows\system32\Olhhmele.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 63 | PID 2008 | C:\Windows\SysWOW64\Okkhhb32.exe | command line: C:\Windows\system32\Okkhhb32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 64 | PID 1148 | C:\Windows\SysWOW64\Oogdiqki.exe | command line: C:\Windows\system32\Oogdiqki.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 65 | PID 2424 | C:\Windows\SysWOW64\Oaeqeljm.exe | command line: C:\Windows\system32\Oaeqeljm.exe
- Executes dropped EXE
Depth 66 | PID 1176 | C:\Windows\SysWOW64\Oeqmek32.exe | command line: C:\Windows\system32\Oeqmek32.exe
- Drops file in System32 directory
Depth 67 | PID 2500 | C:\Windows\SysWOW64\Odcmagip.exe | command line: C:\Windows\system32\Odcmagip.exe
Depth 68 | PID 964 | C:\Windows\SysWOW64\Ohoiaf32.exe | command line: C:\Windows\system32\Ohoiaf32.exe
- Drops file in System32 directory
Depth 69 | PID 2172 | C:\Windows\SysWOW64\Okmena32.exe | command line: C:\Windows\system32\Okmena32.exe
Depth 70 | PID 1092 | C:\Windows\SysWOW64\Ooianpif.exe | command line: C:\Windows\system32\Ooianpif.exe
- Modifies registry class
Depth 71 | PID 2464 | C:\Windows\SysWOW64\Pecikj32.exe | command line: C:\Windows\system32\Pecikj32.exe
- Modifies registry class
Depth 72 | PID 2768 | C:\Windows\SysWOW64\Phaegfpg.exe | command line: C:\Windows\system32\Phaegfpg.exe
Depth 73 | PID 2836 | C:\Windows\SysWOW64\Pgdfbb32.exe | command line: C:\Windows\system32\Pgdfbb32.exe
- System Location Discovery: System Language Discovery
Depth 74 | PID 2828 | C:\Windows\SysWOW64\Pmnnomnn.exe | command line: C:\Windows\system32\Pmnnomnn.exe
Depth 75 | PID 2668 | C:\Windows\SysWOW64\Pajjpk32.exe | command line: C:\Windows\system32\Pajjpk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
Depth 76 | PID 1540 | C:\Windows\SysWOW64\Pdhflg32.exe | command line: C:\Windows\system32\Pdhflg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
Depth 77 | PID 1684 | C:\Windows\SysWOW64\Phcbmend.exe | command line: C:\Windows\system32\Phcbmend.exe
Depth 78 | PID 2488 | C:\Windows\SysWOW64\Pkboiamh.exe | command line: C:\Windows\system32\Pkboiamh.exe
- Modifies registry class
Depth 79 | PID 1044 | C:\Windows\SysWOW64\Pmqkellk.exe | command line: C:\Windows\system32\Pmqkellk.exe
Depth 80 | PID 2356 | C:\Windows\SysWOW64\Palgek32.exe | command line: C:\Windows\system32\Palgek32.exe
- System Location Discovery: System Language Discovery
Depth 81 | PID 1844 | C:\Windows\SysWOW64\Ppogahko.exe | command line: C:\Windows\system32\Ppogahko.exe
Depth 82 | PID 1156 | C:\Windows\SysWOW64\Pgionbbl.exe | command line: C:\Windows\system32\Pgionbbl.exe
Depth 83 | PID 1516 | C:\Windows\SysWOW64\Pkdknq32.exe | command line: C:\Windows\system32\Pkdknq32.exe
Depth 84 | PID 2156 | C:\Windows\SysWOW64\Pncgjl32.exe | command line: C:\Windows\system32\Pncgjl32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 85 | PID 2796 | C:\Windows\SysWOW64\Plfhfiqc.exe | command line: C:\Windows\system32\Plfhfiqc.exe
- Modifies registry class
Depth 86 | PID 2616 | C:\Windows\SysWOW64\Ppacfg32.exe | command line: C:\Windows\system32\Ppacfg32.exe
- Drops file in System32 directory
Depth 87 | PID 2792 | C:\Windows\SysWOW64\Pdmpgfae.exe | command line: C:\Windows\system32\Pdmpgfae.exe
Depth 88 | PID 3060 | C:\Windows\SysWOW64\Pgklcaqi.exe | command line: C:\Windows\system32\Pgklcaqi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
Depth 89 | PID 1152 | C:\Windows\SysWOW64\Pnedpl32.exe | command line: C:\Windows\system32\Pnedpl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 90 | PID 2612 | C:\Windows\SysWOW64\Ppcplg32.exe | command line: C:\Windows\system32\Ppcplg32.exe
Depth 91 | PID 2648 | C:\Windows\SysWOW64\Pcbmhb32.exe | command line: C:\Windows\system32\Pcbmhb32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 92 | PID 604 | C:\Windows\SysWOW64\Qjleem32.exe | command line: C:\Windows\system32\Qjleem32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
Depth 93 | PID 988 | C:\Windows\SysWOW64\Qhoeqide.exe | command line: C:\Windows\system32\Qhoeqide.exe
- Modifies registry class
Depth 94 | PID 1940 | C:\Windows\SysWOW64\Qljaah32.exe | command line: C:\Windows\system32\Qljaah32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 95 | PID 1536 | C:\Windows\SysWOW64\Qoimmc32.exe | command line: C:\Windows\system32\Qoimmc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
Depth 96 | PID 2428 | C:\Windows\SysWOW64\Qagiio32.exe | command line: C:\Windows\system32\Qagiio32.exe
- System Location Discovery: System Language Discovery
Depth 97 | PID 2472 | C:\Windows\SysWOW64\Qecejnco.exe | command line: C:\Windows\system32\Qecejnco.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 98 | PID 2324 | C:\Windows\SysWOW64\Qhabfibb.exe | command line: C:\Windows\system32\Qhabfibb.exe
Depth 99 | PID 3056 | C:\Windows\SysWOW64\Qlmnfh32.exe | command line: C:\Windows\system32\Qlmnfh32.exe
- Drops file in System32 directory
Depth 100 | PID 1976 | C:\Windows\SysWOW64\Qkpnbdaf.exe | command line: C:\Windows\system32\Qkpnbdaf.exe
Depth 101 | PID 2200 | C:\Windows\SysWOW64\Qcgfcbbh.exe | command line: C:\Windows\system32\Qcgfcbbh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 102 | PID 1596 | C:\Windows\SysWOW64\Qaifoo32.exe | command line: C:\Windows\system32\Qaifoo32.exe
Depth 103 | PID 2772 | C:\Windows\SysWOW64\Adhbkj32.exe | command line: C:\Windows\system32\Adhbkj32.exe
Depth 104 | PID 2436 | C:\Windows\SysWOW64\Ahcoli32.exe | command line: C:\Windows\system32\Ahcoli32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
Depth 105 | PID 1944 | C:\Windows\SysWOW64\Akbkhd32.exe | command line: C:\Windows\system32\Akbkhd32.exe
- Modifies registry class
Depth 106 | PID 1360 | C:\Windows\SysWOW64\Ahfkah32.exe | command line: C:\Windows\system32\Ahfkah32.exe
Depth 107 | PID 2344 | C:\Windows\SysWOW64\Agikmeeg.exe | command line: C:\Windows\system32\Agikmeeg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 108 | PID 2336 | C:\Windows\SysWOW64\Anbcio32.exe | command line: C:\Windows\system32\Anbcio32.exe
- Modifies registry class
Depth 109 | PID 3068 | C:\Windows\SysWOW64\Abnpjnem.exe | command line: C:\Windows\system32\Abnpjnem.exe
Depth 110 | PID 2216 | C:\Windows\SysWOW64\Admlfida.exe | command line: C:\Windows\system32\Admlfida.exe
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 111 | PID 2672 | C:\Windows\SysWOW64\Agkhbece.exe | command line: C:\Windows\system32\Agkhbece.exe
- Drops file in System32 directory
Depth 112 | PID 2680 | C:\Windows\SysWOW64\Ajidnp32.exe | command line: C:\Windows\system32\Ajidnp32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 113 | PID 2936 | C:\Windows\SysWOW64\Abqlpn32.exe | command line: C:\Windows\system32\Abqlpn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 114 | PID 2388 | C:\Windows\SysWOW64\Adoili32.exe | command line: C:\Windows\system32\Adoili32.exe
- Drops file in System32 directory
Depth 115 | PID 1820 | C:\Windows\SysWOW64\Acbigfii.exe | command line: C:\Windows\system32\Acbigfii.exe
Depth 116 | PID 1804 | C:\Windows\SysWOW64\Ajladp32.exe | command line: C:\Windows\system32\Ajladp32.exe
Depth 117 | PID 2948 | C:\Windows\SysWOW64\Angmdoho.exe | command line: C:\Windows\system32\Angmdoho.exe
- System Location Discovery: System Language Discovery
Depth 118 | PID 1640 | C:\Windows\SysWOW64\Aqfiqjgb.exe | command line: C:\Windows\system32\Aqfiqjgb.exe
Depth 119 | PID 2624 | C:\Windows\SysWOW64\Acdemegf.exe | command line: C:\Windows\system32\Acdemegf.exe
Depth 120 | PID 1296 | C:\Windows\SysWOW64\Agpamd32.exe | command line: C:\Windows\system32\Agpamd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 121 | PID 2756 | C:\Windows\SysWOW64\Anjjjn32.exe | command line: C:\Windows\system32\Anjjjn32.exe
Depth 122 | PID 3048 | C:\Windows\SysWOW64\Bqhffj32.exe | command line: C:\Windows\system32\Bqhffj32.exe