Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
07-08-2024 03:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe
-
Size
368KB
-
MD5
df2594528792bd0f4c8f3eecaf422164
-
SHA1
35bdf47ab4aff204aaf6b1dc6e5dfd7634f3836d
-
SHA256
d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e
-
SHA512
50ec44f9763572e3939b4843936d88683ee2ef7f590ba9bb1e0881770b84d632b9f4ff3ab597be538aeae29bd8232bb0f9f437d21119a6e9a8a1894833affe40
-
SSDEEP
6144:GDcX34W0eFITNlTjZXvEQo9dfJBEdKFckUQ/4TIHD4xutM3VOEIuV5t6R+0I/VzS:ex/tfT9XvEhdfJkKSkU3kHyuaRB5t6kO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gqlhkofn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpdcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piliii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imahkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdjqamme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkbmbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfgnnhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dekdikhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqnjek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghgfekpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igceej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgmpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kidjdpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icafgmbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekdchf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjbkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Goiongbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaejojjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcngenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbffoabe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kageia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iclbpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feggob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ieofkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjkkbjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpdbohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Picojhcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbkpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bqolji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdbdqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fihfnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apppkekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkjkflb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fglfgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdadjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqhepeai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojeobm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acnlgajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Inbnhihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcginj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghibjjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekkjheja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnofgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqhepeai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmkfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbdehdfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkglm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2976 Ijclol32.exe 2988 Imahkg32.exe 2644 Ippdgc32.exe 2740 Jdpjba32.exe 2784 Jbefcm32.exe 2304 Jpigma32.exe 2520 Jhdlad32.exe 1012 Khghgchk.exe 1868 Khielcfh.exe 2040 Kaajei32.exe 1900 Knhjjj32.exe 1628 Kjokokha.exe 2832 Kddomchg.exe 772 Lfhhjklc.exe 1428 Lclicpkm.exe 1640 Lhiakf32.exe 2228 Lcofio32.exe 1016 Lbcbjlmb.exe 2380 Lgqkbb32.exe 2312 Lnjcomcf.exe 600 Lbfook32.exe 1656 Lgchgb32.exe 1400 Mnmpdlac.exe 1936 Mdghaf32.exe 2980 Mmbmeifk.exe 1516 Mdiefffn.exe 2084 Mmdjkhdh.exe 2992 Mobfgdcl.exe 2776 Mikjpiim.exe 2724 Mcqombic.exe 2540 Mmicfh32.exe 2560 Mcckcbgp.exe 2568 Nfahomfd.exe 1944 Nmkplgnq.exe 1556 Nibqqh32.exe 1896 Nlqmmd32.exe 1920 Neiaeiii.exe 2836 Nhgnaehm.exe 2812 Njfjnpgp.exe 1316 Njhfcp32.exe 1540 Nenkqi32.exe 1532 Oadkej32.exe 784 Odchbe32.exe 1568 Ojmpooah.exe 1452 Oaghki32.exe 2052 Odedge32.exe 1436 Ofcqcp32.exe 2396 Oibmpl32.exe 1524 Oplelf32.exe 2596 Odgamdef.exe 2736 Oeindm32.exe 2528 Ompefj32.exe 2640 Obmnna32.exe 2944 Oekjjl32.exe 2004 Olebgfao.exe 1916 Opqoge32.exe 1672 Obokcqhk.exe 1008 Phlclgfc.exe 316 Pkjphcff.exe 1596 Pbagipfi.exe 2352 Pdbdqh32.exe 1864 Pljlbf32.exe 1420 Pmkhjncg.exe 2388 Pafdjmkq.exe -
Loads dropped DLL 64 IoCs
pid Process 2068 d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe 2068 d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe 2976 Ijclol32.exe 2976 Ijclol32.exe 2988 Imahkg32.exe 2988 Imahkg32.exe 2644 Ippdgc32.exe 2644 Ippdgc32.exe 2740 Jdpjba32.exe 2740 Jdpjba32.exe 2784 Jbefcm32.exe 2784 Jbefcm32.exe 2304 Jpigma32.exe 2304 Jpigma32.exe 2520 Jhdlad32.exe 2520 Jhdlad32.exe 1012 Khghgchk.exe 1012 Khghgchk.exe 1868 Khielcfh.exe 1868 Khielcfh.exe 2040 Kaajei32.exe 2040 Kaajei32.exe 1900 Knhjjj32.exe 1900 Knhjjj32.exe 1628 Kjokokha.exe 1628 Kjokokha.exe 2832 Kddomchg.exe 2832 Kddomchg.exe 772 Lfhhjklc.exe 772 Lfhhjklc.exe 1428 Lclicpkm.exe 1428 Lclicpkm.exe 1640 Lhiakf32.exe 1640 Lhiakf32.exe 2228 Lcofio32.exe 2228 Lcofio32.exe 1016 Lbcbjlmb.exe 1016 Lbcbjlmb.exe 2380 Lgqkbb32.exe 2380 Lgqkbb32.exe 2312 Lnjcomcf.exe 2312 Lnjcomcf.exe 600 Lbfook32.exe 600 Lbfook32.exe 1656 Lgchgb32.exe 1656 Lgchgb32.exe 1400 Mnmpdlac.exe 1400 Mnmpdlac.exe 1936 Mdghaf32.exe 1936 Mdghaf32.exe 2980 Mmbmeifk.exe 2980 Mmbmeifk.exe 1516 Mdiefffn.exe 1516 Mdiefffn.exe 2084 Mmdjkhdh.exe 2084 Mmdjkhdh.exe 2992 Mobfgdcl.exe 2992 Mobfgdcl.exe 2776 Mikjpiim.exe 2776 Mikjpiim.exe 2724 Mcqombic.exe 2724 Mcqombic.exe 2540 Mmicfh32.exe 2540 Mmicfh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Godaakic.exe Gjgiidkl.exe File created C:\Windows\SysWOW64\Opqoge32.exe Olebgfao.exe File created C:\Windows\SysWOW64\Mdgldnho.dll Ekdchf32.exe File created C:\Windows\SysWOW64\Mehoblpm.dll Qlfdac32.exe File created C:\Windows\SysWOW64\Gqcnln32.exe Gjifodii.exe File created C:\Windows\SysWOW64\Fglfgd32.exe Fcqjfeja.exe File opened for modification C:\Windows\SysWOW64\Fmdbnnlj.exe Fihfnp32.exe File created C:\Windows\SysWOW64\Ojcqog32.dll Lgqkbb32.exe File created C:\Windows\SysWOW64\Bkegah32.exe Bigkel32.exe File created C:\Windows\SysWOW64\Bpoggldm.dll Emdmjamj.exe File opened for modification C:\Windows\SysWOW64\Fofbhgde.exe Flhflleb.exe File created C:\Windows\SysWOW64\Qaapcj32.exe Qkghgpfi.exe File created C:\Windows\SysWOW64\Qdompf32.exe Qaapcj32.exe File created C:\Windows\SysWOW64\Bfcodkcb.exe Boifga32.exe File opened for modification C:\Windows\SysWOW64\Hgqlafap.exe Hdbpekam.exe File created C:\Windows\SysWOW64\Bghgmd32.dll Ebnabb32.exe File created C:\Windows\SysWOW64\Fdgdji32.exe Fahhnn32.exe File created C:\Windows\SysWOW64\Qaacem32.dll Ppfafcpb.exe File created C:\Windows\SysWOW64\Adfbpega.exe Aahfdihn.exe File opened for modification C:\Windows\SysWOW64\Bnapnm32.exe Bgghac32.exe File created C:\Windows\SysWOW64\Flnlkgjq.exe Fdgdji32.exe File created C:\Windows\SysWOW64\Fdgibphb.dll Ijclol32.exe File created C:\Windows\SysWOW64\Jkbaci32.exe Jhdegn32.exe File created C:\Windows\SysWOW64\Fmikim32.dll Kmcjedcg.exe File created C:\Windows\SysWOW64\Hmmdin32.exe Hnkdnqhm.exe File created C:\Windows\SysWOW64\Hbofmcij.exe Hqnjek32.exe File created C:\Windows\SysWOW64\Aehlpleg.dll Kofcbl32.exe File created C:\Windows\SysWOW64\Oioipf32.exe Ofqmcj32.exe File created C:\Windows\SysWOW64\Obmnna32.exe Ompefj32.exe File opened for modification C:\Windows\SysWOW64\Ekfpmf32.exe Edlhqlfi.exe File opened for modification C:\Windows\SysWOW64\Haqnea32.exe Hkdemk32.exe File created C:\Windows\SysWOW64\Eodicd32.exe Edoefl32.exe File created C:\Windows\SysWOW64\Opjqff32.dll Gaagcpdl.exe File opened for modification C:\Windows\SysWOW64\Oibmpl32.exe Ofcqcp32.exe File created C:\Windows\SysWOW64\Dkodahqi.dll Olebgfao.exe File created C:\Windows\SysWOW64\Liempneg.dll Cgaaah32.exe File created C:\Windows\SysWOW64\Djihcnji.dll Cfoaho32.exe File created C:\Windows\SysWOW64\Pmehdh32.exe Ojglhm32.exe File created C:\Windows\SysWOW64\Pbemboof.exe Ppfafcpb.exe File created C:\Windows\SysWOW64\Obecdjcn.dll Obokcqhk.exe File created C:\Windows\SysWOW64\Gfikmo32.dll Bqijljfd.exe File opened for modification C:\Windows\SysWOW64\Kmqmod32.exe Jkbaci32.exe File created C:\Windows\SysWOW64\Lfhhjklc.exe Kddomchg.exe File created C:\Windows\SysWOW64\Djlfma32.exe Dgnjqe32.exe File created C:\Windows\SysWOW64\Chpmbe32.dll Hbofmcij.exe File opened for modification C:\Windows\SysWOW64\Hnnhngjf.exe Hkolakkb.exe File opened for modification C:\Windows\SysWOW64\Anadojlo.exe Agglbp32.exe File created C:\Windows\SysWOW64\Khldkllj.exe Kdphjm32.exe File created C:\Windows\SysWOW64\Kfaalh32.exe Kpgionie.exe File created C:\Windows\SysWOW64\Lbahid32.dll Dbdehdfc.exe File opened for modification C:\Windows\SysWOW64\Goiongbc.exe Gdcjpncm.exe File created C:\Windows\SysWOW64\Nhgofhlp.dll Ikfbbjdj.exe File created C:\Windows\SysWOW64\Odmckcmq.exe Oaogognm.exe File created C:\Windows\SysWOW64\Kqdodila.dll Ebqngb32.exe File created C:\Windows\SysWOW64\Efeckm32.dll Ceebklai.exe File created C:\Windows\SysWOW64\Canipj32.dll Bnochnpm.exe File created C:\Windows\SysWOW64\Ehfenf32.dll Cgidfcdk.exe File created C:\Windows\SysWOW64\Ghdiokbq.exe Gefmcp32.exe File opened for modification C:\Windows\SysWOW64\Ikldqile.exe Iebldo32.exe File opened for modification C:\Windows\SysWOW64\Edoefl32.exe Emdmjamj.exe File created C:\Windows\SysWOW64\Fejcohho.dll Hnnhngjf.exe File created C:\Windows\SysWOW64\Pblcbn32.exe Plbkfdba.exe File opened for modification C:\Windows\SysWOW64\Bjjaikoa.exe Bcpimq32.exe File created C:\Windows\SysWOW64\Hjfnnajl.exe Hbofmcij.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6072 5796 WerFault.exe 555 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hohkmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmqmod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahfdihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olebgfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mopbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnochnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfkmgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakhdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaclfgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjoqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbfnjeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjefamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkjkflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eafkhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifbdnbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpjifjdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpabpcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbklabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iclbpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhhjklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbfbnddq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhckfkbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iichjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegoqlof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgnjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdhgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olmela32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfbpega.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmdjkhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cinafkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpojkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjaikoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenbjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdjglfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfoaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhflleb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjgiidkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpfplo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldahkaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigkel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibkmchbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcopebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbemboof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obokcqhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakdcnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfnnajl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpjba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edoefl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfpgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imlhebfc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll" Bbbpenco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcllbhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aaejojjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dihmpinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aooihhdc.dll" Fliook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkman32.dll" Ifbphh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iejiodbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jeqopcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkfclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckjamgmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dljmlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcdhgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgfklg32.dll" Imahkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddjmnoki.dll" Imjkpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnejim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Joggci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Paocnkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnmpn32.dll" Emoldlmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmjoqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chpenm32.dll" Hfepod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmihbe32.dll" Jhjbqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jpgmpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll" Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfjolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgjnobg.dll" Njbfnjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghdiokbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Odedge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddmidgbj.dll" Feiddbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll" Kageia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldhjg32.dll" Hbkqdepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkhdaei.dll" Ggapbcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbefcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fofbhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll" Pljlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cqdfehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfchh32.dll" Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghgfekpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odecjfnl.dll" Anogijnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfhhjklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jlkglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkjdndjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmcopebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfoeb32.dll" Pbemboof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iampng32.dll" Eihjolae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpbcokk.dll" Oplelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plmbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafdibdo.dll" Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalcc32.dll" Hjaeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pojhbfni.dll" Jeqopcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnfkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgjkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbhljb32.dll" Bqolji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heloek32.dll" Ccbbachm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapefloq.dll" Fhgifgnb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2068 wrote to memory of 2976 2068 d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe 30 PID 2068 wrote to memory of 2976 2068 d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe 30 PID 2068 wrote to memory of 2976 2068 d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe 30 PID 2068 wrote to memory of 2976 2068 d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe 30 PID 2976 wrote to memory of 2988 2976 Ijclol32.exe 31 PID 2976 wrote to memory of 2988 2976 Ijclol32.exe 31 PID 2976 wrote to memory of 2988 2976 Ijclol32.exe 31 PID 2976 wrote to memory of 2988 2976 Ijclol32.exe 31 PID 2988 wrote to memory of 2644 2988 Imahkg32.exe 32 PID 2988 wrote to memory of 2644 2988 Imahkg32.exe 32 PID 2988 wrote to memory of 2644 2988 Imahkg32.exe 32 PID 2988 wrote to memory of 2644 2988 Imahkg32.exe 32 PID 2644 wrote to memory of 2740 2644 Ippdgc32.exe 33 PID 2644 wrote to memory of 2740 2644 Ippdgc32.exe 33 PID 2644 wrote to memory of 2740 2644 Ippdgc32.exe 33 PID 2644 wrote to memory of 2740 2644 Ippdgc32.exe 33 PID 2740 wrote to memory of 2784 2740 Jdpjba32.exe 34 PID 2740 wrote to memory of 2784 2740 Jdpjba32.exe 34 PID 2740 wrote to memory of 2784 2740 Jdpjba32.exe 34 PID 2740 wrote to memory of 2784 2740 Jdpjba32.exe 34 PID 2784 wrote to memory of 2304 2784 Jbefcm32.exe 35 PID 2784 wrote to memory of 2304 2784 Jbefcm32.exe 35 PID 2784 wrote to memory of 2304 2784 Jbefcm32.exe 35 PID 2784 wrote to memory of 2304 2784 Jbefcm32.exe 35 PID 2304 wrote to memory of 2520 2304 Jpigma32.exe 36 PID 2304 wrote to memory of 2520 2304 Jpigma32.exe 36 PID 2304 wrote to memory of 2520 2304 Jpigma32.exe 36 PID 2304 wrote to memory of 2520 2304 Jpigma32.exe 36 PID 2520 wrote to memory of 1012 2520 Jhdlad32.exe 37 PID 2520 wrote to memory of 1012 2520 Jhdlad32.exe 37 PID 2520 wrote to memory of 1012 2520 Jhdlad32.exe 37 PID 2520 wrote to memory of 1012 2520 Jhdlad32.exe 37 PID 1012 wrote to memory of 1868 1012 Khghgchk.exe 38 PID 1012 wrote to memory of 1868 1012 Khghgchk.exe 38 PID 1012 wrote to memory of 1868 1012 Khghgchk.exe 38 PID 1012 wrote to memory of 1868 1012 Khghgchk.exe 38 PID 1868 wrote to memory of 2040 1868 Khielcfh.exe 39 PID 1868 wrote to memory of 2040 1868 Khielcfh.exe 39 PID 1868 wrote to memory of 2040 1868 Khielcfh.exe 39 PID 1868 wrote to memory of 2040 1868 Khielcfh.exe 39 PID 2040 wrote to memory of 1900 2040 Kaajei32.exe 40 PID 2040 wrote to memory of 1900 2040 Kaajei32.exe 40 PID 2040 wrote to memory of 1900 2040 Kaajei32.exe 40 PID 2040 wrote to memory of 1900 2040 Kaajei32.exe 40 PID 1900 wrote to memory of 1628 1900 Knhjjj32.exe 41 PID 1900 wrote to memory of 1628 1900 Knhjjj32.exe 41 PID 1900 wrote to memory of 1628 1900 Knhjjj32.exe 41 PID 1900 wrote to memory of 1628 1900 Knhjjj32.exe 41 PID 1628 wrote to memory of 2832 1628 Kjokokha.exe 42 PID 1628 wrote to memory of 2832 1628 Kjokokha.exe 42 PID 1628 wrote to memory of 2832 1628 Kjokokha.exe 42 PID 1628 wrote to memory of 2832 1628 Kjokokha.exe 42 PID 2832 wrote to memory of 772 2832 Kddomchg.exe 43 PID 2832 wrote to memory of 772 2832 Kddomchg.exe 43 PID 2832 wrote to memory of 772 2832 Kddomchg.exe 43 PID 2832 wrote to memory of 772 2832 Kddomchg.exe 43 PID 772 wrote to memory of 1428 772 Lfhhjklc.exe 44 PID 772 wrote to memory of 1428 772 Lfhhjklc.exe 44 PID 772 wrote to memory of 1428 772 Lfhhjklc.exe 44 PID 772 wrote to memory of 1428 772 Lfhhjklc.exe 44 PID 1428 wrote to memory of 1640 1428 Lclicpkm.exe 45 PID 1428 wrote to memory of 1640 1428 Lclicpkm.exe 45 PID 1428 wrote to memory of 1640 1428 Lclicpkm.exe 45 PID 1428 wrote to memory of 1640 1428 Lclicpkm.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe"C:\Users\Admin\AppData\Local\Temp\d877a69a7032f85f9f27161459e08218e62d051ca8c5f44e7cc4f6f6a13f6d1e.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1016 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1400 -
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe33⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe34⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe35⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe36⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe37⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe38⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe39⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe40⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe41⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe42⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Odchbe32.exeC:\Windows\system32\Odchbe32.exe44⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe45⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Oaghki32.exeC:\Windows\system32\Oaghki32.exe46⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe49⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe52⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe54⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe55⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe57⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe59⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe60⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Pbagipfi.exeC:\Windows\system32\Pbagipfi.exe61⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Pmkhjncg.exeC:\Windows\system32\Pmkhjncg.exe64⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe65⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe66⤵PID:1060
-
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe67⤵PID:532
-
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe68⤵PID:2852
-
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe69⤵PID:2420
-
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe70⤵PID:2732
-
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe71⤵PID:2760
-
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe72⤵PID:2556
-
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe73⤵PID:2276
-
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe74⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe77⤵PID:112
-
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1284 -
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe79⤵PID:464
-
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe80⤵PID:2920
-
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe81⤵PID:1052
-
C:\Windows\SysWOW64\Accqnc32.exeC:\Windows\system32\Accqnc32.exe82⤵PID:2404
-
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe83⤵PID:2316
-
C:\Windows\SysWOW64\Allefimb.exeC:\Windows\system32\Allefimb.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe86⤵PID:2508
-
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe87⤵PID:2960
-
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe88⤵PID:1044
-
C:\Windows\SysWOW64\Ahebaiac.exeC:\Windows\system32\Ahebaiac.exe89⤵PID:1712
-
C:\Windows\SysWOW64\Aoojnc32.exeC:\Windows\system32\Aoojnc32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:944 -
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe91⤵PID:1632
-
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe92⤵PID:2376
-
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe93⤵PID:900
-
C:\Windows\SysWOW64\Aqbdkk32.exeC:\Windows\system32\Aqbdkk32.exe94⤵PID:680
-
C:\Windows\SysWOW64\Bkhhhd32.exeC:\Windows\system32\Bkhhhd32.exe95⤵PID:2860
-
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Bbbpenco.exeC:\Windows\system32\Bbbpenco.exe97⤵
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Bgoime32.exeC:\Windows\system32\Bgoime32.exe98⤵PID:2416
-
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe99⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe100⤵PID:2632
-
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe102⤵PID:3000
-
C:\Windows\SysWOW64\Bnknoogp.exeC:\Windows\system32\Bnknoogp.exe103⤵PID:2044
-
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe104⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe105⤵PID:2848
-
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe106⤵PID:1904
-
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe107⤵PID:840
-
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe108⤵PID:904
-
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe110⤵PID:1032
-
C:\Windows\SysWOW64\Coacbfii.exeC:\Windows\system32\Coacbfii.exe111⤵PID:2088
-
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe112⤵PID:2712
-
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe113⤵PID:2720
-
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe114⤵
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe115⤵PID:2684
-
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe116⤵
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe117⤵PID:1644
-
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe120⤵PID:2292
-
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-