Analysis
-
max time kernel
136s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
11-08-2024 03:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe
-
Size
144KB
-
MD5
b98b0cca9693df708fab950767216ed9
-
SHA1
4b90d4693433951dcd0f9ac19ec75cee343c4742
-
SHA256
e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f
-
SHA512
2bd43aa02e8234ff2197a041f3ae3c015df287b0a571811137a845bb1a91122fe93cc30b5e9cbe36eece7f246a88151edbed60bdb807a577d254fddd0c96e8c1
-
SSDEEP
3072:NPw762v0/GzuH3MQH2qC7ZQOlzSLUK6MwGsGnDc9nhVizLrId0:NPwm2miuH3MQWfdQOhwJ6MwGsmLrId0
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oefcef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbpncn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfbogh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apeflmjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeilbhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momqbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkdanngk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcapckod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eddeia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Difcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gckmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anbmoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afcbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgjgepqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlfebcnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piaiko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfknpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhpfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemfahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jepjpajn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lifoia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaejfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdchifik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfdklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icgibkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmhogjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjnpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Admnob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjfhile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgjfbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmchljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Momqbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abejlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijkjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgkncfdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmmmdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epinhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mabihm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcihdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqdend32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidhfgpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfekbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmfpnqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epinhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapjjdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egpfheoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnnehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgconl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbkkgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaqie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odaqikaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edafjiqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnmae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abnmae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bngicb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpdhea32.exe -
Executes dropped EXE 64 IoCs
pid Process 1120 Lbnbfb32.exe 2236 Lcmopepp.exe 2760 Llfcik32.exe 2888 Mbgela32.exe 948 Mcknjidn.exe 2864 Mnpbgbdd.exe 2736 Nijcgp32.exe 2348 Nbgakd32.exe 2716 Nbinad32.exe 2652 Odmgnl32.exe 940 Odaqikaa.exe 1284 Opkndldc.exe 1644 Pelpgb32.exe 2584 Peolmb32.exe 2152 Qkpnph32.exe 1736 Qpocno32.exe 2120 Ancdgcab.exe 1956 Aaeiqf32.exe 2304 Afcbgd32.exe 936 Bnqcaffa.exe 816 Bgkeol32.exe 2424 Bqciha32.exe 1680 Bfcnfh32.exe 2916 Bokcom32.exe 1032 Cncmei32.exe 2412 Ceoagcld.exe 2768 Dcihdo32.exe 3064 Dpbenpqh.exe 952 Eecgafkj.exe 2660 Ehdpcahk.exe 2300 Egimdmmc.exe 2960 Egljjmkp.exe 2980 Fgnfpm32.exe 2020 Feccqime.exe 2184 Fpihnbmk.exe 916 Fgcpkldh.exe 2324 Fondonbc.exe 2256 Ficilgai.exe 2216 Fejjah32.exe 1884 Fhifmcfa.exe 1516 Ggncop32.exe 2212 Gacgli32.exe 1604 Gqidme32.exe 1708 Gjahfkfg.exe 472 Gcimop32.exe 320 Gopnca32.exe 1748 Hcnfjpib.exe 1232 Hkiknb32.exe 2588 Hnjdpm32.exe 1196 Hgbhibio.exe 2828 Hgeenb32.exe 2912 Ieiegf32.exe 2844 Imdjlida.exe 864 Ifloeo32.exe 3032 Iabcbg32.exe 3012 Imidgh32.exe 2600 Ijmdql32.exe 960 Ibhieo32.exe 1368 Jnojjp32.exe 1848 Jnafop32.exe 2252 Jlegic32.exe 1484 Jdplmflg.exe 112 Jmhpfl32.exe 1208 Jhndcd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2540 e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe 2540 e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe 1120 Lbnbfb32.exe 1120 Lbnbfb32.exe 2236 Lcmopepp.exe 2236 Lcmopepp.exe 2760 Llfcik32.exe 2760 Llfcik32.exe 2888 Mbgela32.exe 2888 Mbgela32.exe 948 Mcknjidn.exe 948 Mcknjidn.exe 2864 Mnpbgbdd.exe 2864 Mnpbgbdd.exe 2736 Nijcgp32.exe 2736 Nijcgp32.exe 2348 Nbgakd32.exe 2348 Nbgakd32.exe 2716 Nbinad32.exe 2716 Nbinad32.exe 2652 Odmgnl32.exe 2652 Odmgnl32.exe 940 Odaqikaa.exe 940 Odaqikaa.exe 1284 Opkndldc.exe 1284 Opkndldc.exe 1644 Pelpgb32.exe 1644 Pelpgb32.exe 2584 Peolmb32.exe 2584 Peolmb32.exe 2152 Qkpnph32.exe 2152 Qkpnph32.exe 1736 Qpocno32.exe 1736 Qpocno32.exe 2120 Ancdgcab.exe 2120 Ancdgcab.exe 1956 Aaeiqf32.exe 1956 Aaeiqf32.exe 2304 Afcbgd32.exe 2304 Afcbgd32.exe 936 Bnqcaffa.exe 936 Bnqcaffa.exe 816 Bgkeol32.exe 816 Bgkeol32.exe 2424 Bqciha32.exe 2424 Bqciha32.exe 1680 Bfcnfh32.exe 1680 Bfcnfh32.exe 2916 Bokcom32.exe 2916 Bokcom32.exe 1032 Cncmei32.exe 1032 Cncmei32.exe 2412 Ceoagcld.exe 2412 Ceoagcld.exe 2768 Dcihdo32.exe 2768 Dcihdo32.exe 3064 Dpbenpqh.exe 3064 Dpbenpqh.exe 952 Eecgafkj.exe 952 Eecgafkj.exe 2660 Ehdpcahk.exe 2660 Ehdpcahk.exe 2300 Egimdmmc.exe 2300 Egimdmmc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Knlpef32.dll Badlln32.exe File created C:\Windows\SysWOW64\Mnpbgbdd.exe Mcknjidn.exe File created C:\Windows\SysWOW64\Ehkjdmqc.dll Pjndca32.exe File opened for modification C:\Windows\SysWOW64\Ihhjjm32.exe Ickaaf32.exe File created C:\Windows\SysWOW64\Pglodgni.dll Ckjqog32.exe File created C:\Windows\SysWOW64\Fddcqm32.exe Fogkhf32.exe File created C:\Windows\SysWOW64\Dafempjk.dll Cddqod32.exe File created C:\Windows\SysWOW64\Febmfcjj.exe Fholmo32.exe File created C:\Windows\SysWOW64\Jqogiafk.dll Cffqhmqd.exe File created C:\Windows\SysWOW64\Mlfebcnd.exe Laqadknn.exe File opened for modification C:\Windows\SysWOW64\Coejfn32.exe Caajmilh.exe File created C:\Windows\SysWOW64\Dcofqphi.exe Dhiacg32.exe File opened for modification C:\Windows\SysWOW64\Doipoldo.exe Ceqlff32.exe File opened for modification C:\Windows\SysWOW64\Mgkncfdc.exe Mncijanc.exe File created C:\Windows\SysWOW64\Lnlohdhc.exe Leqjcb32.exe File opened for modification C:\Windows\SysWOW64\Pllmkcdp.exe Pcahga32.exe File created C:\Windows\SysWOW64\Cnifhcei.dll Dgbiggof.exe File created C:\Windows\SysWOW64\Aefipolf.dll Dihojnqo.exe File opened for modification C:\Windows\SysWOW64\Cffqhmqd.exe Colhlcig.exe File created C:\Windows\SysWOW64\Hekqpj32.dll Dpbenpqh.exe File created C:\Windows\SysWOW64\Mojmbg32.exe Mgbeqjpd.exe File opened for modification C:\Windows\SysWOW64\Oceaql32.exe Ocbekmpi.exe File created C:\Windows\SysWOW64\Eddeia32.exe Egpdom32.exe File opened for modification C:\Windows\SysWOW64\Eaaajo32.exe Dglmmf32.exe File created C:\Windows\SysWOW64\Bbekbnge.dll Bkjfhile.exe File created C:\Windows\SysWOW64\Imliaacf.dll Pkboiamh.exe File created C:\Windows\SysWOW64\Leqjcb32.exe Lofafhck.exe File created C:\Windows\SysWOW64\Hllgeipk.dll Pejejkhl.exe File created C:\Windows\SysWOW64\Hnllcoed.exe Hgbdge32.exe File opened for modification C:\Windows\SysWOW64\Hfmfjh32.exe Hpcnmnnh.exe File opened for modification C:\Windows\SysWOW64\Nngjbfpa.exe Ndofjq32.exe File created C:\Windows\SysWOW64\Bgnpfnnd.dll Jecnpg32.exe File created C:\Windows\SysWOW64\Mogmgpjh.dll Kiccle32.exe File created C:\Windows\SysWOW64\Gjaamcbe.dll Oemfahcn.exe File created C:\Windows\SysWOW64\Llkamfnj.dll Ppbfmdfo.exe File created C:\Windows\SysWOW64\Ejbhno32.exe Emogdk32.exe File created C:\Windows\SysWOW64\Fpijol32.dll Abnmae32.exe File created C:\Windows\SysWOW64\Fnnnoaop.dll Jlegic32.exe File created C:\Windows\SysWOW64\Mepongob.dll Jehklc32.exe File opened for modification C:\Windows\SysWOW64\Lhmjha32.exe Koeeoljm.exe File created C:\Windows\SysWOW64\Akfalc32.dll Cccgni32.exe File created C:\Windows\SysWOW64\Difcpc32.exe Dmpckbci.exe File created C:\Windows\SysWOW64\Ahcoli32.exe Qlmnfh32.exe File opened for modification C:\Windows\SysWOW64\Ejgkfn32.exe Dekcng32.exe File opened for modification C:\Windows\SysWOW64\Mncijanc.exe Lifqbjpk.exe File created C:\Windows\SysWOW64\Amidmldj.exe Abcppcdc.exe File created C:\Windows\SysWOW64\Dhnafj32.dll Fgkbac32.exe File created C:\Windows\SysWOW64\Dcbpfp32.exe Dmhhie32.exe File opened for modification C:\Windows\SysWOW64\Knckbe32.exe Kehidp32.exe File created C:\Windows\SysWOW64\Phpkjoim.exe Oaecne32.exe File created C:\Windows\SysWOW64\Bgngkchf.dll Process not Found File created C:\Windows\SysWOW64\Caeaoj32.dll Emhbop32.exe File created C:\Windows\SysWOW64\Goadik32.exe Gdlplb32.exe File created C:\Windows\SysWOW64\Jngfei32.exe Japfphle.exe File created C:\Windows\SysWOW64\Hjadam32.dll Oficoo32.exe File created C:\Windows\SysWOW64\Jdlomqkj.dll Mgbeqjpd.exe File opened for modification C:\Windows\SysWOW64\Ojfjke32.exe Process not Found File created C:\Windows\SysWOW64\Jakhckdb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hojbbiae.exe Hccbnhla.exe File created C:\Windows\SysWOW64\Flcjjdpe.exe Fnoiqpqk.exe File created C:\Windows\SysWOW64\Momqbm32.exe Miphjf32.exe File opened for modification C:\Windows\SysWOW64\Oiepmajb.exe Ogfdpfjo.exe File created C:\Windows\SysWOW64\Flhkhnel.exe Eigbfb32.exe File created C:\Windows\SysWOW64\Hbdfoiki.exe Hhobbqkc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3768 4056 Process not Found 1163 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knckbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjjebed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhnpih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpamd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjegl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclbhkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgcqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohiob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnpam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibcja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnnmboa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfekbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigkmmql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anebhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcjqkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdfoiki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmnmil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fedinobh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfffk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eamgeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhcanahm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfabfldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdenoif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edafjiqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqjhkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjhippb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfnomgqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiefqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbfbfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dalffg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcihicad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cclkcdpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momqbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabcog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcoqbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Admlfida.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmlffbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjqdjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgljfmkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgcqhagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmebkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdchifik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbagjfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjagh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcjfdqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boblbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkfnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbmnfajm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmekd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fehjcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbaelej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgnnicpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpegdik.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oafjfokk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaegaaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihhehoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eenfnmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dncilhik.dll" Bqilfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fefboabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojlpmp32.dll" Fbebcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egljjmkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfogkalg.dll" Clmdjmpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndkoemji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifhnk32.dll" Pnhhpaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nijcgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekfnk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbaboaj.dll" Jpjndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomceb32.dll" Oiepmajb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpifln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppafopqq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlpjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Filnjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjomlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hblidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpohplpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feeilbhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbabhoq.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgbcha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haiagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndolpa32.dll" Onkoadhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kidjfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfnomgqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpjndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdndmmmb.dll" Gglimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgfdmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfkakbpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaegaaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qakkncmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmfpdcn.dll" Hlamfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfnomgqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfmcapna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkbfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgleep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgmjh32.dll" Miphjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cflcglho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gphmbolk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajqoqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qechbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckadb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cclkcdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clmdjmpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcdkmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Colhlcig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekjjebed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlgodgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjfhajh.dll" Lbmknipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekofijic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlnghj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgjman32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcllam32.dll" Mddidnqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfifqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnnbmk32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2540 wrote to memory of 1120 2540 e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe 29 PID 2540 wrote to memory of 1120 2540 e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe 29 PID 2540 wrote to memory of 1120 2540 e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe 29 PID 2540 wrote to memory of 1120 2540 e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe 29 PID 1120 wrote to memory of 2236 1120 Lbnbfb32.exe 30 PID 1120 wrote to memory of 2236 1120 Lbnbfb32.exe 30 PID 1120 wrote to memory of 2236 1120 Lbnbfb32.exe 30 PID 1120 wrote to memory of 2236 1120 Lbnbfb32.exe 30 PID 2236 wrote to memory of 2760 2236 Lcmopepp.exe 31 PID 2236 wrote to memory of 2760 2236 Lcmopepp.exe 31 PID 2236 wrote to memory of 2760 2236 Lcmopepp.exe 31 PID 2236 wrote to memory of 2760 2236 Lcmopepp.exe 31 PID 2760 wrote to memory of 2888 2760 Llfcik32.exe 32 PID 2760 wrote to memory of 2888 2760 Llfcik32.exe 32 PID 2760 wrote to memory of 2888 2760 Llfcik32.exe 32 PID 2760 wrote to memory of 2888 2760 Llfcik32.exe 32 PID 2888 wrote to memory of 948 2888 Mbgela32.exe 33 PID 2888 wrote to memory of 948 2888 Mbgela32.exe 33 PID 2888 wrote to memory of 948 2888 Mbgela32.exe 33 PID 2888 wrote to memory of 948 2888 Mbgela32.exe 33 PID 948 wrote to memory of 2864 948 Mcknjidn.exe 34 PID 948 wrote to memory of 2864 948 Mcknjidn.exe 34 PID 948 wrote to memory of 2864 948 Mcknjidn.exe 34 PID 948 wrote to memory of 2864 948 Mcknjidn.exe 34 PID 2864 wrote to memory of 2736 2864 Mnpbgbdd.exe 35 PID 2864 wrote to memory of 2736 2864 Mnpbgbdd.exe 35 PID 2864 wrote to memory of 2736 2864 Mnpbgbdd.exe 35 PID 2864 wrote to memory of 2736 2864 Mnpbgbdd.exe 35 PID 2736 wrote to memory of 2348 2736 Nijcgp32.exe 36 PID 2736 wrote to memory of 2348 2736 Nijcgp32.exe 36 PID 2736 wrote to memory of 2348 2736 Nijcgp32.exe 36 PID 2736 wrote to memory of 2348 2736 Nijcgp32.exe 36 PID 2348 wrote to memory of 2716 2348 Nbgakd32.exe 37 PID 2348 wrote to memory of 2716 2348 Nbgakd32.exe 37 PID 2348 wrote to memory of 2716 2348 Nbgakd32.exe 37 PID 2348 wrote to memory of 2716 2348 Nbgakd32.exe 37 PID 2716 wrote to memory of 2652 2716 Nbinad32.exe 38 PID 2716 wrote to memory of 2652 2716 Nbinad32.exe 38 PID 2716 wrote to memory of 2652 2716 Nbinad32.exe 38 PID 2716 wrote to memory of 2652 2716 Nbinad32.exe 38 PID 2652 wrote to memory of 940 2652 Odmgnl32.exe 39 PID 2652 wrote to memory of 940 2652 Odmgnl32.exe 39 PID 2652 wrote to memory of 940 2652 Odmgnl32.exe 39 PID 2652 wrote to memory of 940 2652 Odmgnl32.exe 39 PID 940 wrote to memory of 1284 940 Odaqikaa.exe 40 PID 940 wrote to memory of 1284 940 Odaqikaa.exe 40 PID 940 wrote to memory of 1284 940 Odaqikaa.exe 40 PID 940 wrote to memory of 1284 940 Odaqikaa.exe 40 PID 1284 wrote to memory of 1644 1284 Opkndldc.exe 41 PID 1284 wrote to memory of 1644 1284 Opkndldc.exe 41 PID 1284 wrote to memory of 1644 1284 Opkndldc.exe 41 PID 1284 wrote to memory of 1644 1284 Opkndldc.exe 41 PID 1644 wrote to memory of 2584 1644 Pelpgb32.exe 42 PID 1644 wrote to memory of 2584 1644 Pelpgb32.exe 42 PID 1644 wrote to memory of 2584 1644 Pelpgb32.exe 42 PID 1644 wrote to memory of 2584 1644 Pelpgb32.exe 42 PID 2584 wrote to memory of 2152 2584 Peolmb32.exe 43 PID 2584 wrote to memory of 2152 2584 Peolmb32.exe 43 PID 2584 wrote to memory of 2152 2584 Peolmb32.exe 43 PID 2584 wrote to memory of 2152 2584 Peolmb32.exe 43 PID 2152 wrote to memory of 1736 2152 Qkpnph32.exe 44 PID 2152 wrote to memory of 1736 2152 Qkpnph32.exe 44 PID 2152 wrote to memory of 1736 2152 Qkpnph32.exe 44 PID 2152 wrote to memory of 1736 2152 Qkpnph32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe"C:\Users\Admin\AppData\Local\Temp\e78d03971c55b370fa2dfeb14f173260d2a6959aea678c8f108ded987b6b293f.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Lbnbfb32.exeC:\Windows\system32\Lbnbfb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Lcmopepp.exeC:\Windows\system32\Lcmopepp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Mbgela32.exeC:\Windows\system32\Mbgela32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Mcknjidn.exeC:\Windows\system32\Mcknjidn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Mnpbgbdd.exeC:\Windows\system32\Mnpbgbdd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Nijcgp32.exeC:\Windows\system32\Nijcgp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Nbinad32.exeC:\Windows\system32\Nbinad32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Odmgnl32.exeC:\Windows\system32\Odmgnl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Odaqikaa.exeC:\Windows\system32\Odaqikaa.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Qkpnph32.exeC:\Windows\system32\Qkpnph32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Qpocno32.exeC:\Windows\system32\Qpocno32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Aaeiqf32.exeC:\Windows\system32\Aaeiqf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Afcbgd32.exeC:\Windows\system32\Afcbgd32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Bnqcaffa.exeC:\Windows\system32\Bnqcaffa.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Bgkeol32.exeC:\Windows\system32\Bgkeol32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Bfcnfh32.exeC:\Windows\system32\Bfcnfh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Bokcom32.exeC:\Windows\system32\Bokcom32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Cncmei32.exeC:\Windows\system32\Cncmei32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Ceoagcld.exeC:\Windows\system32\Ceoagcld.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Dcihdo32.exeC:\Windows\system32\Dcihdo32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Eecgafkj.exeC:\Windows\system32\Eecgafkj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Ehdpcahk.exeC:\Windows\system32\Ehdpcahk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Egimdmmc.exeC:\Windows\system32\Egimdmmc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Egljjmkp.exeC:\Windows\system32\Egljjmkp.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Fgnfpm32.exeC:\Windows\system32\Fgnfpm32.exe34⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Feccqime.exeC:\Windows\system32\Feccqime.exe35⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Fpihnbmk.exeC:\Windows\system32\Fpihnbmk.exe36⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Fgcpkldh.exeC:\Windows\system32\Fgcpkldh.exe37⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Fondonbc.exeC:\Windows\system32\Fondonbc.exe38⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Ficilgai.exeC:\Windows\system32\Ficilgai.exe39⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Fejjah32.exeC:\Windows\system32\Fejjah32.exe40⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Fhifmcfa.exeC:\Windows\system32\Fhifmcfa.exe41⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ggncop32.exeC:\Windows\system32\Ggncop32.exe42⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Gacgli32.exeC:\Windows\system32\Gacgli32.exe43⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Gqidme32.exeC:\Windows\system32\Gqidme32.exe44⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Gjahfkfg.exeC:\Windows\system32\Gjahfkfg.exe45⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Gcimop32.exeC:\Windows\system32\Gcimop32.exe46⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Gopnca32.exeC:\Windows\system32\Gopnca32.exe47⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Hcnfjpib.exeC:\Windows\system32\Hcnfjpib.exe48⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Hkiknb32.exeC:\Windows\system32\Hkiknb32.exe49⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Hnjdpm32.exeC:\Windows\system32\Hnjdpm32.exe50⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Hgbhibio.exeC:\Windows\system32\Hgbhibio.exe51⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Hgeenb32.exeC:\Windows\system32\Hgeenb32.exe52⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ieiegf32.exeC:\Windows\system32\Ieiegf32.exe53⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Imdjlida.exeC:\Windows\system32\Imdjlida.exe54⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ifloeo32.exeC:\Windows\system32\Ifloeo32.exe55⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Iabcbg32.exeC:\Windows\system32\Iabcbg32.exe56⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Imidgh32.exeC:\Windows\system32\Imidgh32.exe57⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Ijmdql32.exeC:\Windows\system32\Ijmdql32.exe58⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Ibhieo32.exeC:\Windows\system32\Ibhieo32.exe59⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Jnojjp32.exeC:\Windows\system32\Jnojjp32.exe60⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Jnafop32.exeC:\Windows\system32\Jnafop32.exe61⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Jlegic32.exeC:\Windows\system32\Jlegic32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Jdplmflg.exeC:\Windows\system32\Jdplmflg.exe63⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Jmhpfl32.exeC:\Windows\system32\Jmhpfl32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Jhndcd32.exeC:\Windows\system32\Jhndcd32.exe65⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Kpiihgoh.exeC:\Windows\system32\Kpiihgoh.exe66⤵PID:2040
-
C:\Windows\SysWOW64\Kplfmfmf.exeC:\Windows\system32\Kplfmfmf.exe67⤵PID:2544
-
C:\Windows\SysWOW64\Kidjfl32.exeC:\Windows\system32\Kidjfl32.exe68⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Kghkppbp.exeC:\Windows\system32\Kghkppbp.exe69⤵PID:2076
-
C:\Windows\SysWOW64\Kifgllbc.exeC:\Windows\system32\Kifgllbc.exe70⤵PID:2708
-
C:\Windows\SysWOW64\Kgjgepqm.exeC:\Windows\system32\Kgjgepqm.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1044 -
C:\Windows\SysWOW64\Kpblne32.exeC:\Windows\system32\Kpblne32.exe72⤵PID:3068
-
C:\Windows\SysWOW64\Lohiob32.exeC:\Windows\system32\Lohiob32.exe73⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Lnmfpnqn.exeC:\Windows\system32\Lnmfpnqn.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Ldgnmhhj.exeC:\Windows\system32\Ldgnmhhj.exe75⤵PID:3044
-
C:\Windows\SysWOW64\Lnobfn32.exeC:\Windows\system32\Lnobfn32.exe76⤵PID:3048
-
C:\Windows\SysWOW64\Ljfckodo.exeC:\Windows\system32\Ljfckodo.exe77⤵PID:2796
-
C:\Windows\SysWOW64\Ljhppo32.exeC:\Windows\system32\Ljhppo32.exe78⤵PID:1372
-
C:\Windows\SysWOW64\Mfoqephq.exeC:\Windows\system32\Mfoqephq.exe79⤵PID:2140
-
C:\Windows\SysWOW64\Mliibj32.exeC:\Windows\system32\Mliibj32.exe80⤵PID:2264
-
C:\Windows\SysWOW64\Ncejcg32.exeC:\Windows\system32\Ncejcg32.exe81⤵PID:2200
-
C:\Windows\SysWOW64\Njobpa32.exeC:\Windows\system32\Njobpa32.exe82⤵PID:2248
-
C:\Windows\SysWOW64\Oclpdf32.exeC:\Windows\system32\Oclpdf32.exe83⤵PID:1688
-
C:\Windows\SysWOW64\Oafjfokk.exeC:\Windows\system32\Oafjfokk.exe84⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Phhhchlp.exeC:\Windows\system32\Phhhchlp.exe85⤵PID:2568
-
C:\Windows\SysWOW64\Pmdalo32.exeC:\Windows\system32\Pmdalo32.exe86⤵PID:1072
-
C:\Windows\SysWOW64\Ppcmhj32.exeC:\Windows\system32\Ppcmhj32.exe87⤵PID:2532
-
C:\Windows\SysWOW64\Pbaide32.exeC:\Windows\system32\Pbaide32.exe88⤵PID:1636
-
C:\Windows\SysWOW64\Ppejmj32.exeC:\Windows\system32\Ppejmj32.exe89⤵PID:2732
-
C:\Windows\SysWOW64\Plljbkml.exeC:\Windows\system32\Plljbkml.exe90⤵PID:2668
-
C:\Windows\SysWOW64\Pedokpcm.exeC:\Windows\system32\Pedokpcm.exe91⤵PID:2664
-
C:\Windows\SysWOW64\Qlnghj32.exeC:\Windows\system32\Qlnghj32.exe92⤵
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Qhehmkqn.exeC:\Windows\system32\Qhehmkqn.exe93⤵PID:3016
-
C:\Windows\SysWOW64\Qdlialfb.exeC:\Windows\system32\Qdlialfb.exe94⤵PID:2484
-
C:\Windows\SysWOW64\Aekelo32.exeC:\Windows\system32\Aekelo32.exe95⤵PID:2244
-
C:\Windows\SysWOW64\Apeflmjc.exeC:\Windows\system32\Apeflmjc.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2128 -
C:\Windows\SysWOW64\Aimkeb32.exeC:\Windows\system32\Aimkeb32.exe97⤵PID:672
-
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe98⤵PID:788
-
C:\Windows\SysWOW64\Agchdfmk.exeC:\Windows\system32\Agchdfmk.exe99⤵PID:1812
-
C:\Windows\SysWOW64\Annpaq32.exeC:\Windows\system32\Annpaq32.exe100⤵PID:2088
-
C:\Windows\SysWOW64\Bfieec32.exeC:\Windows\system32\Bfieec32.exe101⤵PID:1592
-
C:\Windows\SysWOW64\Boainhic.exeC:\Windows\system32\Boainhic.exe102⤵PID:2164
-
C:\Windows\SysWOW64\Bfkakbpp.exeC:\Windows\system32\Bfkakbpp.exe103⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Bcobdgoj.exeC:\Windows\system32\Bcobdgoj.exe104⤵PID:2948
-
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Bkmcni32.exeC:\Windows\system32\Bkmcni32.exe106⤵PID:1740
-
C:\Windows\SysWOW64\Bqilfp32.exeC:\Windows\system32\Bqilfp32.exe107⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Cjbpoeoj.exeC:\Windows\system32\Cjbpoeoj.exe108⤵PID:1800
-
C:\Windows\SysWOW64\Ckamihfm.exeC:\Windows\system32\Ckamihfm.exe109⤵PID:2224
-
C:\Windows\SysWOW64\Cdjabn32.exeC:\Windows\system32\Cdjabn32.exe110⤵PID:1996
-
C:\Windows\SysWOW64\Cjfjjd32.exeC:\Windows\system32\Cjfjjd32.exe111⤵PID:1628
-
C:\Windows\SysWOW64\Cconcjae.exeC:\Windows\system32\Cconcjae.exe112⤵PID:1496
-
C:\Windows\SysWOW64\Cjifpdib.exeC:\Windows\system32\Cjifpdib.exe113⤵PID:2700
-
C:\Windows\SysWOW64\Ccakij32.exeC:\Windows\system32\Ccakij32.exe114⤵PID:2756
-
C:\Windows\SysWOW64\Cccgni32.exeC:\Windows\system32\Cccgni32.exe115⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Dfbdje32.exeC:\Windows\system32\Dfbdje32.exe116⤵PID:2624
-
C:\Windows\SysWOW64\Dnmhogjo.exeC:\Windows\system32\Dnmhogjo.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Dkaihkih.exeC:\Windows\system32\Dkaihkih.exe118⤵PID:1632
-
C:\Windows\SysWOW64\Dbkaee32.exeC:\Windows\system32\Dbkaee32.exe119⤵PID:2024
-
C:\Windows\SysWOW64\Dbmnjenb.exeC:\Windows\system32\Dbmnjenb.exe120⤵PID:2428
-
C:\Windows\SysWOW64\Dgjfbllj.exeC:\Windows\system32\Dgjfbllj.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-