Analysis
-
max time kernel
36s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
08-08-2024 00:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe
-
Size
63KB
-
MD5
7aa6b094e2a8add422b8745eff003a0e
-
SHA1
3c8245c0d864954fb8fc38b5034d5b32c47362dd
-
SHA256
91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9
-
SHA512
c484805de6f265d4f5183fb9ba58efbee04f7cb22d92e8314a85cd586adca3464bc4fca52dff0b4864a971d48ea413083c5b7d0701dfdd8d695e5eea7cd0b5cd
-
SSDEEP
1536:oBtU39aSkwk/HEVu1Qh3jdS5ywK32++++++++++++++++++++++++++++++++++/:gUgSRkX2hTdSXLUo5k9DHE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oahpahel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblinp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Almmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boqbcbeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjlpjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqpgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkihli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epgabhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmoqfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmppm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgmak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojjnioae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiahpkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofehiocd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bglghdbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfhfjgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccinnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flbgak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phknlfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdpgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbdgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfjgopop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhficcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goemhfco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejejkhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pppihdha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlpjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaeneno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fblpnepn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaffja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfhbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plfjme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdmahpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgchckl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckilmfke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebemnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddbfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqknqleg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgoaiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmmjpoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghlell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocdohdfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pligbekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkefcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eapcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejhhcdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdpmljan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocpfmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmamliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpedmhfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eheblj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdefgimi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faopib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaamobdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gklnmgic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaffja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onejjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpdpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnonjqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dihojnqo.exe -
Executes dropped EXE 64 IoCs
pid Process 2976 Nnndin32.exe 2944 Ndhlfh32.exe 2656 Nidhfgpl.exe 2676 Ngfhbd32.exe 2652 Oifelfni.exe 2964 Obniel32.exe 1444 Ocpfmd32.exe 2016 Ojjnioae.exe 2076 Onejjm32.exe 3000 Oeobfgak.exe 1796 Ofqonp32.exe 2884 Oafclh32.exe 2748 Ocdohdfc.exe 956 Oiahpkdj.exe 2456 Oahpahel.exe 1096 Ofehiocd.exe 2104 Pmoqfi32.exe 652 Ppnmbd32.exe 2332 Pblinp32.exe 1212 Pejejkhl.exe 1652 Pmamliin.exe 1804 Pppihdha.exe 612 Pbnfdpge.exe 2424 Pihnqj32.exe 1788 Phknlfem.exe 1668 Plfjme32.exe 2936 Phmkaf32.exe 2940 Pligbekc.exe 2784 Pafpjljk.exe 2816 Pjndca32.exe 2532 Pmmppm32.exe 2348 Qhbdmeoe.exe 780 Qjqqianh.exe 1688 Qdieaf32.exe 2564 Qhdabemb.exe 2100 Qfganb32.exe 1152 Aamekk32.exe 3064 Appfggjm.exe 2264 Aihjpman.exe 2284 Adnomfqc.exe 2324 Abpohb32.exe 2096 Aflkiapg.exe 2240 Aogpmcmb.exe 2144 Aeahjn32.exe 952 Ahpdficc.exe 2024 Aoilcc32.exe 940 Abehcbci.exe 2244 Aecdpmbm.exe 1964 Aioppl32.exe 2316 Almmlg32.exe 2928 Abgeiaaf.exe 2960 Aajedn32.exe 2896 Bdiaqj32.exe 676 Bhdmahpn.exe 992 Blpibghg.exe 2296 Bonenbgj.exe 2136 Bnafjo32.exe 1896 Bambjnfn.exe 2632 Bdknfiea.exe 264 Bhfjgh32.exe 2852 Bkefcc32.exe 2112 Boqbcbeh.exe 2208 Bpbokj32.exe 2220 Bdmklico.exe -
Loads dropped DLL 64 IoCs
pid Process 1724 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe 1724 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe 2976 Nnndin32.exe 2976 Nnndin32.exe 2944 Ndhlfh32.exe 2944 Ndhlfh32.exe 2656 Nidhfgpl.exe 2656 Nidhfgpl.exe 2676 Ngfhbd32.exe 2676 Ngfhbd32.exe 2652 Oifelfni.exe 2652 Oifelfni.exe 2964 Obniel32.exe 2964 Obniel32.exe 1444 Ocpfmd32.exe 1444 Ocpfmd32.exe 2016 Ojjnioae.exe 2016 Ojjnioae.exe 2076 Onejjm32.exe 2076 Onejjm32.exe 3000 Oeobfgak.exe 3000 Oeobfgak.exe 1796 Ofqonp32.exe 1796 Ofqonp32.exe 2884 Oafclh32.exe 2884 Oafclh32.exe 2748 Ocdohdfc.exe 2748 Ocdohdfc.exe 956 Oiahpkdj.exe 956 Oiahpkdj.exe 2456 Oahpahel.exe 2456 Oahpahel.exe 1096 Ofehiocd.exe 1096 Ofehiocd.exe 2104 Pmoqfi32.exe 2104 Pmoqfi32.exe 652 Ppnmbd32.exe 652 Ppnmbd32.exe 2332 Pblinp32.exe 2332 Pblinp32.exe 1212 Pejejkhl.exe 1212 Pejejkhl.exe 1652 Pmamliin.exe 1652 Pmamliin.exe 1804 Pppihdha.exe 1804 Pppihdha.exe 612 Pbnfdpge.exe 612 Pbnfdpge.exe 2424 Pihnqj32.exe 2424 Pihnqj32.exe 1788 Phknlfem.exe 1788 Phknlfem.exe 1668 Plfjme32.exe 1668 Plfjme32.exe 2936 Phmkaf32.exe 2936 Phmkaf32.exe 2940 Pligbekc.exe 2940 Pligbekc.exe 2784 Pafpjljk.exe 2784 Pafpjljk.exe 2816 Pjndca32.exe 2816 Pjndca32.exe 2532 Pmmppm32.exe 2532 Pmmppm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ngfhbd32.exe Nidhfgpl.exe File created C:\Windows\SysWOW64\Bglghdbc.exe Bdmklico.exe File created C:\Windows\SysWOW64\Glclampi.dll Dknehe32.exe File created C:\Windows\SysWOW64\Pafklb32.dll Fhlhmi32.exe File opened for modification C:\Windows\SysWOW64\Fehodaqd.exe Fbjchfaq.exe File created C:\Windows\SysWOW64\Njhhid32.dll Gaamobdf.exe File created C:\Windows\SysWOW64\Iananl32.dll Nnndin32.exe File created C:\Windows\SysWOW64\Memchb32.dll Nidhfgpl.exe File created C:\Windows\SysWOW64\Afggdp32.dll Qjqqianh.exe File created C:\Windows\SysWOW64\Icbjjdmb.dll Ggqamh32.exe File created C:\Windows\SysWOW64\Gkiiie32.dll Gklnmgic.exe File opened for modification C:\Windows\SysWOW64\Gddbfm32.exe Gaffja32.exe File opened for modification C:\Windows\SysWOW64\Gepeep32.exe Gmhmdc32.exe File opened for modification C:\Windows\SysWOW64\Oifelfni.exe Ngfhbd32.exe File created C:\Windows\SysWOW64\Aeahjn32.exe Aogpmcmb.exe File created C:\Windows\SysWOW64\Oeiakl32.dll Bkgchckl.exe File created C:\Windows\SysWOW64\Pfehhmgp.dll Ckebbgoj.exe File opened for modification C:\Windows\SysWOW64\Enokidgl.exe Eheblj32.exe File created C:\Windows\SysWOW64\Iiogbn32.dll Faopib32.exe File opened for modification C:\Windows\SysWOW64\Glgqlkdl.exe Ghlell32.exe File created C:\Windows\SysWOW64\Mfbgmg32.dll Ocpfmd32.exe File created C:\Windows\SysWOW64\Phknlfem.exe Pihnqj32.exe File created C:\Windows\SysWOW64\Aomekckd.dll Aflkiapg.exe File created C:\Windows\SysWOW64\Hokold32.dll Bdpgai32.exe File created C:\Windows\SysWOW64\Cdbqflae.exe Cdbqflae.exe File created C:\Windows\SysWOW64\Epgabhdg.exe Elleai32.exe File opened for modification C:\Windows\SysWOW64\Gmmgobfd.exe Giakoc32.exe File created C:\Windows\SysWOW64\Lkfibnjf.dll Ppnmbd32.exe File opened for modification C:\Windows\SysWOW64\Fidkep32.exe Fehodaqd.exe File created C:\Windows\SysWOW64\Jommmbhn.dll Ojjnioae.exe File opened for modification C:\Windows\SysWOW64\Aeahjn32.exe Aogpmcmb.exe File created C:\Windows\SysWOW64\Bklifdmh.dll Almmlg32.exe File created C:\Windows\SysWOW64\Efolib32.exe Ebcqicem.exe File created C:\Windows\SysWOW64\Gemhpq32.exe Gaamobdf.exe File opened for modification C:\Windows\SysWOW64\Fdbibjok.exe Fpgmak32.exe File created C:\Windows\SysWOW64\Ggqamh32.exe Gdbeqmag.exe File created C:\Windows\SysWOW64\Oahpahel.exe Oiahpkdj.exe File opened for modification C:\Windows\SysWOW64\Dnjeoa32.exe Djoinbpm.exe File created C:\Windows\SysWOW64\Dmobpn32.exe Djaedbnj.exe File created C:\Windows\SysWOW64\Ehgoaiml.exe Eckcak32.exe File created C:\Windows\SysWOW64\Fdefgimi.exe Fioajqmb.exe File created C:\Windows\SysWOW64\Aamekk32.exe Qfganb32.exe File opened for modification C:\Windows\SysWOW64\Ckebbgoj.exe Cjcfjoil.exe File created C:\Windows\SysWOW64\Gifhkpgk.exe Faopib32.exe File opened for modification C:\Windows\SysWOW64\Nidhfgpl.exe Ndhlfh32.exe File created C:\Windows\SysWOW64\Aajedn32.exe Abgeiaaf.exe File created C:\Windows\SysWOW64\Cpfcphnf.dll Fdbibjok.exe File opened for modification C:\Windows\SysWOW64\Cdbqflae.exe Cnhhia32.exe File opened for modification C:\Windows\SysWOW64\Dqmkflcd.exe Dnonjqdq.exe File opened for modification C:\Windows\SysWOW64\Eheblj32.exe Eeffpn32.exe File created C:\Windows\SysWOW64\Hlpcgm32.dll Ffcbce32.exe File opened for modification C:\Windows\SysWOW64\Gifhkpgk.exe Faopib32.exe File opened for modification C:\Windows\SysWOW64\Gaamobdf.exe Gocpcfeb.exe File opened for modification C:\Windows\SysWOW64\Oafclh32.exe Ofqonp32.exe File opened for modification C:\Windows\SysWOW64\Bambjnfn.exe Bnafjo32.exe File created C:\Windows\SysWOW64\Dmocok32.dll Eipekmjg.exe File opened for modification C:\Windows\SysWOW64\Ghlell32.exe Gemhpq32.exe File created C:\Windows\SysWOW64\Eapcjo32.exe Ejeknelp.exe File opened for modification C:\Windows\SysWOW64\Pmamliin.exe Pejejkhl.exe File created C:\Windows\SysWOW64\Phmkaf32.exe Plfjme32.exe File created C:\Windows\SysWOW64\Pligbekc.exe Phmkaf32.exe File created C:\Windows\SysWOW64\Ahpdficc.exe Aeahjn32.exe File created C:\Windows\SysWOW64\Gmkaphmi.dll Clpeajjb.exe File created C:\Windows\SysWOW64\Cdpdpl32.exe Cfmceomm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3572 3548 WerFault.exe 215 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blpibghg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fabppo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepeep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmmgobfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obniel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjndca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoilcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajedn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgefmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejhhcdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafpjljk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbhmehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnekcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckilmfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aioppl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiahpkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnomfqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almmlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgabhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eipekmjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnpgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimedaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phknlfem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appfggjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abgeiaaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqpgll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpkaai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckebbgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqiakm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diklpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pligbekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmppm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bglghdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebjfiboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfganb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giakoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifelfni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oafclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejejkhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfjme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgmak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmjpoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onejjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phmkaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdknfiea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimien32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghihfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gocpcfeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidhfgpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoqfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblinp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeffpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fehodaqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggcnbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogpmcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfhjjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djoinbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejeknelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhlhmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooghg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mojgie32.dll" Dfjcncak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eipekmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjikefbe.dll" Eeffpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgbmipo.dll" Gmkjjbhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddbfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flkmlgnl.dll" Obniel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlleon32.dll" Dggcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dggcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeicenni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmhmdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiahpkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cobkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfmceomm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gddbfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhljbpfd.dll" Ndhlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pejejkhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icbjjdmb.dll" Ggqamh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnndin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glgqlkdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eapcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmlkl32.dll" Fmhaep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghlell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnfodojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfcqoqeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfdjdpm.dll" Epgabhdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmkjjbhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjoflc32.dll" Plfjme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlbpigi.dll" Cfjgopop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaamobdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkldo32.dll" Cnhhia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqknqleg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhpnlnon.dll" Flpkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocdohdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oemmad32.dll" Oahpahel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhjjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flpkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjlbh32.dll" Fblpnepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boqbcbeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlpjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijicnf.dll" Djoinbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebcqicem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flpkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffaaoip.dll" Bkefcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bglghdbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebcqicem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmfdppia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pblinp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllgeipk.dll" Pppihdha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeahjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckebbgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnndin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiahpkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlilmc32.dll" Qhbdmeoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgpmbgai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeffpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmgejpfh.dll" Fdpmljan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onejjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmlank32.dll" Qfganb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfhfjgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnekcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnonjqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnjeoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migbkglj.dll" Fpgmak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fehodaqd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1724 wrote to memory of 2976 1724 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe 29 PID 1724 wrote to memory of 2976 1724 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe 29 PID 1724 wrote to memory of 2976 1724 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe 29 PID 1724 wrote to memory of 2976 1724 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe 29 PID 2976 wrote to memory of 2944 2976 Nnndin32.exe 30 PID 2976 wrote to memory of 2944 2976 Nnndin32.exe 30 PID 2976 wrote to memory of 2944 2976 Nnndin32.exe 30 PID 2976 wrote to memory of 2944 2976 Nnndin32.exe 30 PID 2944 wrote to memory of 2656 2944 Ndhlfh32.exe 31 PID 2944 wrote to memory of 2656 2944 Ndhlfh32.exe 31 PID 2944 wrote to memory of 2656 2944 Ndhlfh32.exe 31 PID 2944 wrote to memory of 2656 2944 Ndhlfh32.exe 31 PID 2656 wrote to memory of 2676 2656 Nidhfgpl.exe 32 PID 2656 wrote to memory of 2676 2656 Nidhfgpl.exe 32 PID 2656 wrote to memory of 2676 2656 Nidhfgpl.exe 32 PID 2656 wrote to memory of 2676 2656 Nidhfgpl.exe 32 PID 2676 wrote to memory of 2652 2676 Ngfhbd32.exe 33 PID 2676 wrote to memory of 2652 2676 Ngfhbd32.exe 33 PID 2676 wrote to memory of 2652 2676 Ngfhbd32.exe 33 PID 2676 wrote to memory of 2652 2676 Ngfhbd32.exe 33 PID 2652 wrote to memory of 2964 2652 Oifelfni.exe 34 PID 2652 wrote to memory of 2964 2652 Oifelfni.exe 34 PID 2652 wrote to memory of 2964 2652 Oifelfni.exe 34 PID 2652 wrote to memory of 2964 2652 Oifelfni.exe 34 PID 2964 wrote to memory of 1444 2964 Obniel32.exe 35 PID 2964 wrote to memory of 1444 2964 Obniel32.exe 35 PID 2964 wrote to memory of 1444 2964 Obniel32.exe 35 PID 2964 wrote to memory of 1444 2964 Obniel32.exe 35 PID 1444 wrote to memory of 2016 1444 Ocpfmd32.exe 36 PID 1444 wrote to memory of 2016 1444 Ocpfmd32.exe 36 PID 1444 wrote to memory of 2016 1444 Ocpfmd32.exe 36 PID 1444 wrote to memory of 2016 1444 Ocpfmd32.exe 36 PID 2016 wrote to memory of 2076 2016 Ojjnioae.exe 37 PID 2016 wrote to memory of 2076 2016 Ojjnioae.exe 37 PID 2016 wrote to memory of 2076 2016 Ojjnioae.exe 37 PID 2016 wrote to memory of 2076 2016 Ojjnioae.exe 37 PID 2076 wrote to memory of 3000 2076 Onejjm32.exe 38 PID 2076 wrote to memory of 3000 2076 Onejjm32.exe 38 PID 2076 wrote to memory of 3000 2076 Onejjm32.exe 38 PID 2076 wrote to memory of 3000 2076 Onejjm32.exe 38 PID 3000 wrote to memory of 1796 3000 Oeobfgak.exe 39 PID 3000 wrote to memory of 1796 3000 Oeobfgak.exe 39 PID 3000 wrote to memory of 1796 3000 Oeobfgak.exe 39 PID 3000 wrote to memory of 1796 3000 Oeobfgak.exe 39 PID 1796 wrote to memory of 2884 1796 Ofqonp32.exe 40 PID 1796 wrote to memory of 2884 1796 Ofqonp32.exe 40 PID 1796 wrote to memory of 2884 1796 Ofqonp32.exe 40 PID 1796 wrote to memory of 2884 1796 Ofqonp32.exe 40 PID 2884 wrote to memory of 2748 2884 Oafclh32.exe 41 PID 2884 wrote to memory of 2748 2884 Oafclh32.exe 41 PID 2884 wrote to memory of 2748 2884 Oafclh32.exe 41 PID 2884 wrote to memory of 2748 2884 Oafclh32.exe 41 PID 2748 wrote to memory of 956 2748 Ocdohdfc.exe 42 PID 2748 wrote to memory of 956 2748 Ocdohdfc.exe 42 PID 2748 wrote to memory of 956 2748 Ocdohdfc.exe 42 PID 2748 wrote to memory of 956 2748 Ocdohdfc.exe 42 PID 956 wrote to memory of 2456 956 Oiahpkdj.exe 43 PID 956 wrote to memory of 2456 956 Oiahpkdj.exe 43 PID 956 wrote to memory of 2456 956 Oiahpkdj.exe 43 PID 956 wrote to memory of 2456 956 Oiahpkdj.exe 43 PID 2456 wrote to memory of 1096 2456 Oahpahel.exe 44 PID 2456 wrote to memory of 1096 2456 Oahpahel.exe 44 PID 2456 wrote to memory of 1096 2456 Oahpahel.exe 44 PID 2456 wrote to memory of 1096 2456 Oahpahel.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe"C:\Users\Admin\AppData\Local\Temp\91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Nnndin32.exeC:\Windows\system32\Nnndin32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Ndhlfh32.exeC:\Windows\system32\Ndhlfh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Nidhfgpl.exeC:\Windows\system32\Nidhfgpl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Ngfhbd32.exeC:\Windows\system32\Ngfhbd32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Oifelfni.exeC:\Windows\system32\Oifelfni.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Obniel32.exeC:\Windows\system32\Obniel32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Ocpfmd32.exeC:\Windows\system32\Ocpfmd32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Ojjnioae.exeC:\Windows\system32\Ojjnioae.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Onejjm32.exeC:\Windows\system32\Onejjm32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Oeobfgak.exeC:\Windows\system32\Oeobfgak.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Ofqonp32.exeC:\Windows\system32\Ofqonp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Oafclh32.exeC:\Windows\system32\Oafclh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Ocdohdfc.exeC:\Windows\system32\Ocdohdfc.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Oiahpkdj.exeC:\Windows\system32\Oiahpkdj.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Oahpahel.exeC:\Windows\system32\Oahpahel.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Ofehiocd.exeC:\Windows\system32\Ofehiocd.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Pmoqfi32.exeC:\Windows\system32\Pmoqfi32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Ppnmbd32.exeC:\Windows\system32\Ppnmbd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:652 -
C:\Windows\SysWOW64\Pblinp32.exeC:\Windows\system32\Pblinp32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Pejejkhl.exeC:\Windows\system32\Pejejkhl.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Pmamliin.exeC:\Windows\system32\Pmamliin.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Pppihdha.exeC:\Windows\system32\Pppihdha.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Pbnfdpge.exeC:\Windows\system32\Pbnfdpge.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Pihnqj32.exeC:\Windows\system32\Pihnqj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Phknlfem.exeC:\Windows\system32\Phknlfem.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Plfjme32.exeC:\Windows\system32\Plfjme32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Phmkaf32.exeC:\Windows\system32\Phmkaf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Pligbekc.exeC:\Windows\system32\Pligbekc.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Pafpjljk.exeC:\Windows\system32\Pafpjljk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Pjndca32.exeC:\Windows\system32\Pjndca32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Pmmppm32.exeC:\Windows\system32\Pmmppm32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Qhbdmeoe.exeC:\Windows\system32\Qhbdmeoe.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Qjqqianh.exeC:\Windows\system32\Qjqqianh.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Qdieaf32.exeC:\Windows\system32\Qdieaf32.exe35⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Qhdabemb.exeC:\Windows\system32\Qhdabemb.exe36⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Qfganb32.exeC:\Windows\system32\Qfganb32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Aamekk32.exeC:\Windows\system32\Aamekk32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Appfggjm.exeC:\Windows\system32\Appfggjm.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Aihjpman.exeC:\Windows\system32\Aihjpman.exe40⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Adnomfqc.exeC:\Windows\system32\Adnomfqc.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Abpohb32.exeC:\Windows\system32\Abpohb32.exe42⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Aflkiapg.exeC:\Windows\system32\Aflkiapg.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Aogpmcmb.exeC:\Windows\system32\Aogpmcmb.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Aeahjn32.exeC:\Windows\system32\Aeahjn32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Ahpdficc.exeC:\Windows\system32\Ahpdficc.exe46⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Aoilcc32.exeC:\Windows\system32\Aoilcc32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Abehcbci.exeC:\Windows\system32\Abehcbci.exe48⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Aecdpmbm.exeC:\Windows\system32\Aecdpmbm.exe49⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Aioppl32.exeC:\Windows\system32\Aioppl32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Almmlg32.exeC:\Windows\system32\Almmlg32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Abgeiaaf.exeC:\Windows\system32\Abgeiaaf.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Aajedn32.exeC:\Windows\system32\Aajedn32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Bdiaqj32.exeC:\Windows\system32\Bdiaqj32.exe54⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Bhdmahpn.exeC:\Windows\system32\Bhdmahpn.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Blpibghg.exeC:\Windows\system32\Blpibghg.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:992 -
C:\Windows\SysWOW64\Bonenbgj.exeC:\Windows\system32\Bonenbgj.exe57⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Bnafjo32.exeC:\Windows\system32\Bnafjo32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Bambjnfn.exeC:\Windows\system32\Bambjnfn.exe59⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Bdknfiea.exeC:\Windows\system32\Bdknfiea.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Bhfjgh32.exeC:\Windows\system32\Bhfjgh32.exe61⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Bkefcc32.exeC:\Windows\system32\Bkefcc32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Boqbcbeh.exeC:\Windows\system32\Boqbcbeh.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Bpbokj32.exeC:\Windows\system32\Bpbokj32.exe64⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Bdmklico.exeC:\Windows\system32\Bdmklico.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Bglghdbc.exeC:\Windows\system32\Bglghdbc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Bkgchckl.exeC:\Windows\system32\Bkgchckl.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Bnfodojp.exeC:\Windows\system32\Bnfodojp.exe68⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Baakem32.exeC:\Windows\system32\Baakem32.exe69⤵PID:2608
-
C:\Windows\SysWOW64\Bdpgai32.exeC:\Windows\system32\Bdpgai32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Windows\SysWOW64\Bcbhmehg.exeC:\Windows\system32\Bcbhmehg.exe71⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Bgndnd32.exeC:\Windows\system32\Bgndnd32.exe72⤵PID:2920
-
C:\Windows\SysWOW64\Bjlpjp32.exeC:\Windows\system32\Bjlpjp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Bnhljnhm.exeC:\Windows\system32\Bnhljnhm.exe74⤵PID:2980
-
C:\Windows\SysWOW64\Bpfhfjgq.exeC:\Windows\system32\Bpfhfjgq.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Bdbdgh32.exeC:\Windows\system32\Bdbdgh32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:740 -
C:\Windows\SysWOW64\Bfcqoqeh.exeC:\Windows\system32\Bfcqoqeh.exe77⤵
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Bjomoo32.exeC:\Windows\system32\Bjomoo32.exe78⤵PID:2368
-
C:\Windows\SysWOW64\Blmikkle.exeC:\Windows\system32\Blmikkle.exe79⤵PID:1268
-
C:\Windows\SysWOW64\Colegflh.exeC:\Windows\system32\Colegflh.exe80⤵PID:2476
-
C:\Windows\SysWOW64\Ccgahe32.exeC:\Windows\system32\Ccgahe32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3028 -
C:\Windows\SysWOW64\Cjaieoko.exeC:\Windows\system32\Cjaieoko.exe82⤵PID:2164
-
C:\Windows\SysWOW64\Clpeajjb.exeC:\Windows\system32\Clpeajjb.exe83⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Cpkaai32.exeC:\Windows\system32\Cpkaai32.exe84⤵
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Ccinnd32.exeC:\Windows\system32\Ccinnd32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2200 -
C:\Windows\SysWOW64\Cfhjjp32.exeC:\Windows\system32\Cfhjjp32.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Cjcfjoil.exeC:\Windows\system32\Cjcfjoil.exe87⤵
- Drops file in System32 directory
PID:1112 -
C:\Windows\SysWOW64\Ckebbgoj.exeC:\Windows\system32\Ckebbgoj.exe88⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Copobe32.exeC:\Windows\system32\Copobe32.exe89⤵PID:528
-
C:\Windows\SysWOW64\Cfjgopop.exeC:\Windows\system32\Cfjgopop.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Chickknc.exeC:\Windows\system32\Chickknc.exe91⤵PID:1960
-
C:\Windows\SysWOW64\Cobkhe32.exeC:\Windows\system32\Cobkhe32.exe92⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Cnekcblk.exeC:\Windows\system32\Cnekcblk.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Cfmceomm.exeC:\Windows\system32\Cfmceomm.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Cdpdpl32.exeC:\Windows\system32\Cdpdpl32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528 -
C:\Windows\SysWOW64\Ckilmfke.exeC:\Windows\system32\Ckilmfke.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Cnhhia32.exeC:\Windows\system32\Cnhhia32.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Cdbqflae.exeC:\Windows\system32\Cdbqflae.exe98⤵
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Cdbqflae.exeC:\Windows\system32\Cdbqflae.exe99⤵PID:2780
-
C:\Windows\SysWOW64\Cgpmbgai.exeC:\Windows\system32\Cgpmbgai.exe100⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Djoinbpm.exeC:\Windows\system32\Djoinbpm.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Dnjeoa32.exeC:\Windows\system32\Dnjeoa32.exe102⤵
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Dqiakm32.exeC:\Windows\system32\Dqiakm32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1104 -
C:\Windows\SysWOW64\Dgbiggof.exeC:\Windows\system32\Dgbiggof.exe104⤵PID:2444
-
C:\Windows\SysWOW64\Dknehe32.exeC:\Windows\system32\Dknehe32.exe105⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Djaedbnj.exeC:\Windows\system32\Djaedbnj.exe106⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Dmobpn32.exeC:\Windows\system32\Dmobpn32.exe107⤵PID:2436
-
C:\Windows\SysWOW64\Dqknqleg.exeC:\Windows\system32\Dqknqleg.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Ddfjak32.exeC:\Windows\system32\Ddfjak32.exe109⤵PID:2360
-
C:\Windows\SysWOW64\Dgefmf32.exeC:\Windows\system32\Dgefmf32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Dfhficcn.exeC:\Windows\system32\Dfhficcn.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1000 -
C:\Windows\SysWOW64\Dnonjqdq.exeC:\Windows\system32\Dnonjqdq.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Dqmkflcd.exeC:\Windows\system32\Dqmkflcd.exe113⤵PID:2808
-
C:\Windows\SysWOW64\Dggcbf32.exeC:\Windows\system32\Dggcbf32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Dfjcncak.exeC:\Windows\system32\Dfjcncak.exe115⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Dihojnqo.exeC:\Windows\system32\Dihojnqo.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1504 -
C:\Windows\SysWOW64\Dqpgll32.exeC:\Windows\system32\Dqpgll32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Dpbgghhl.exeC:\Windows\system32\Dpbgghhl.exe118⤵PID:2192
-
C:\Windows\SysWOW64\Dbadcdgp.exeC:\Windows\system32\Dbadcdgp.exe119⤵PID:2556
-
C:\Windows\SysWOW64\Diklpn32.exeC:\Windows\system32\Diklpn32.exe120⤵
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Dkihli32.exeC:\Windows\system32\Dkihli32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-