Analysis
-
max time kernel
116s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
17/08/2024, 02:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ed5bbd0fa522f9783b14292c377cd310N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ed5bbd0fa522f9783b14292c377cd310N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ed5bbd0fa522f9783b14292c377cd310N.exe
-
Size
96KB
-
MD5
ed5bbd0fa522f9783b14292c377cd310
-
SHA1
c7a956937b7bcac1b99d892fb60bef1dd81bbb62
-
SHA256
404ee078a42e4e699aa28f5e45525dca4c4313b33f96a2cfd284da182357b021
-
SHA512
101a2588dc86dcd151cfddcfa4ac8431e2fe0ae389622dcb2713e19bdcbb063707e776251ea7959b124a4deebe5be4325b0e292817426c6dca726baa1f0d2751
-
SSDEEP
1536:UsH7zaHwNP/JoCaI55tV2LDsBMu/HCmiDcg3MZRP3cEW3AE:UsHf++P/WWGDa6miEo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmapna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebghkjjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgfghodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cblniaii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indiodbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlebog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goodpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfekkgla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niednn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dechlfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejcjfgbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fclmem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldndf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjonpgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpekjie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oahpahel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjpdphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgbiggof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfpmlll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaoiol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdfph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfegakmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlajdpoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaogbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghaeaaki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbqbioeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpeajjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbfcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcibdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onqaonnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oohmmojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kamncagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gijplg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niombolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagfffbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebffm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Appfggjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjgbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghndjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jakjlpif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmonoli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eidchjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ficilgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofnppgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cincaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imaglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eekpknlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhpjfoji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jollgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domffn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiinmnaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifngiqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojgado32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbdhbnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbcmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpcmojia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjkbfnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmcjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkcllmhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boohgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdcbjhme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moloidjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgdkbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lngpac32.exe -
Executes dropped EXE 64 IoCs
pid Process 2148 Aaogbh32.exe 2760 Anfggicl.exe 2724 Aqgqid32.exe 2812 Aqimoc32.exe 2840 Ampncd32.exe 2672 Bqngjcje.exe 2364 Bkghjq32.exe 1876 Boeppomj.exe 1836 Bnkmakbb.exe 1556 Bjanfl32.exe 1988 Ckajqo32.exe 660 Cmdcngbd.exe 2996 Cikdbhhi.exe 2404 Ccceeqfl.exe 1408 Domffn32.exe 1008 Dlqgob32.exe 1668 Doapanne.exe 2960 Ddnhidmm.exe 1356 Ddqeodjj.exe 1100 Dgoakpjn.exe 2520 Dmiihjak.exe 972 Emkfmioh.exe 560 Eibgbj32.exe 2556 Eidchjbi.exe 864 Ehjqif32.exe 2320 Ehlmnfeo.exe 2184 Fadagl32.exe 2824 Fagnmkjm.exe 2396 Faikbkhj.exe 2876 Fakhhk32.exe 2676 Fdlqjf32.exe 2692 Gfpjgn32.exe 108 Gfbfln32.exe 2572 Gbigao32.exe 924 Gmnlog32.exe 2484 Goodpb32.exe 2104 Hgjieedg.exe 1132 Hgmfjdbe.exe 1764 Haggijgb.exe 2532 Hfflfp32.exe 2196 Ipoqofjh.exe 1820 Ibpjaagi.exe 2224 Iilocklc.exe 2380 Iagchmjn.exe 2356 Ijphqbpo.exe 1512 Jhchjgoh.exe 1040 Jmpqbnmp.exe 944 Jhfepfme.exe 800 Jigagocd.exe 2100 Jpajdi32.exe 2872 Jiinmnaa.exe 1584 Jpcfih32.exe 1576 Jilkbn32.exe 2860 Jpfcohfk.exe 3060 Kokppd32.exe 2316 Kegebn32.exe 1380 Kkdnke32.exe 2528 Kanfgofa.exe 2512 Kdooij32.exe 1796 Kkigfdjo.exe 2392 Kdakoj32.exe 2504 Lkkckdhm.exe 876 Lcfhpf32.exe 2596 Loofjg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2948 ed5bbd0fa522f9783b14292c377cd310N.exe 2948 ed5bbd0fa522f9783b14292c377cd310N.exe 2148 Aaogbh32.exe 2148 Aaogbh32.exe 2760 Anfggicl.exe 2760 Anfggicl.exe 2724 Aqgqid32.exe 2724 Aqgqid32.exe 2812 Aqimoc32.exe 2812 Aqimoc32.exe 2840 Ampncd32.exe 2840 Ampncd32.exe 2672 Bqngjcje.exe 2672 Bqngjcje.exe 2364 Bkghjq32.exe 2364 Bkghjq32.exe 1876 Boeppomj.exe 1876 Boeppomj.exe 1836 Bnkmakbb.exe 1836 Bnkmakbb.exe 1556 Bjanfl32.exe 1556 Bjanfl32.exe 1988 Ckajqo32.exe 1988 Ckajqo32.exe 660 Cmdcngbd.exe 660 Cmdcngbd.exe 2996 Cikdbhhi.exe 2996 Cikdbhhi.exe 2404 Ccceeqfl.exe 2404 Ccceeqfl.exe 1408 Domffn32.exe 1408 Domffn32.exe 1008 Dlqgob32.exe 1008 Dlqgob32.exe 1668 Doapanne.exe 1668 Doapanne.exe 2960 Ddnhidmm.exe 2960 Ddnhidmm.exe 1356 Ddqeodjj.exe 1356 Ddqeodjj.exe 1100 Dgoakpjn.exe 1100 Dgoakpjn.exe 2520 Dmiihjak.exe 2520 Dmiihjak.exe 972 Emkfmioh.exe 972 Emkfmioh.exe 560 Eibgbj32.exe 560 Eibgbj32.exe 2556 Eidchjbi.exe 2556 Eidchjbi.exe 864 Ehjqif32.exe 864 Ehjqif32.exe 2320 Ehlmnfeo.exe 2320 Ehlmnfeo.exe 2184 Fadagl32.exe 2184 Fadagl32.exe 2824 Fagnmkjm.exe 2824 Fagnmkjm.exe 2396 Faikbkhj.exe 2396 Faikbkhj.exe 2876 Fakhhk32.exe 2876 Fakhhk32.exe 2676 Fdlqjf32.exe 2676 Fdlqjf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jhchjgoh.exe Ijphqbpo.exe File created C:\Windows\SysWOW64\Jpfcohfk.exe Jilkbn32.exe File opened for modification C:\Windows\SysWOW64\Ahdkhp32.exe Anngkg32.exe File created C:\Windows\SysWOW64\Jjjlglao.dll Nfqbol32.exe File created C:\Windows\SysWOW64\Gheola32.exe Gomjckqc.exe File created C:\Windows\SysWOW64\Eekpknlf.exe Eckcak32.exe File created C:\Windows\SysWOW64\Ndkoemji.exe Mggoli32.exe File created C:\Windows\SysWOW64\Fjchig32.dll Bbhgbj32.exe File created C:\Windows\SysWOW64\Fhofjehd.dll Ngiiip32.exe File opened for modification C:\Windows\SysWOW64\Kldofi32.exe Kbljmd32.exe File opened for modification C:\Windows\SysWOW64\Llpajmkq.exe Lcdmekne.exe File created C:\Windows\SysWOW64\Jlckoh32.exe Jbmgapgc.exe File created C:\Windows\SysWOW64\Ejqmahdn.exe Elmmhc32.exe File opened for modification C:\Windows\SysWOW64\Bmdehgcf.exe Bhglpqeo.exe File created C:\Windows\SysWOW64\Cpbiolnl.exe Cncmei32.exe File opened for modification C:\Windows\SysWOW64\Oikeal32.exe Olgehh32.exe File created C:\Windows\SysWOW64\Cjcfdm32.dll Dbmnjenb.exe File opened for modification C:\Windows\SysWOW64\Kkglim32.exe Khfcgbge.exe File created C:\Windows\SysWOW64\Kkadkelj.dll Lhqpqp32.exe File created C:\Windows\SysWOW64\Dkihaqji.dll Ipkhpk32.exe File opened for modification C:\Windows\SysWOW64\Idcdjmao.exe Injlmcib.exe File created C:\Windows\SysWOW64\Okmkebdg.dll Ehopnk32.exe File created C:\Windows\SysWOW64\Anilobcj.dll Clpeajjb.exe File opened for modification C:\Windows\SysWOW64\Llagegfb.exe Lalchnfl.exe File opened for modification C:\Windows\SysWOW64\Okmceiii.exe Oofbph32.exe File opened for modification C:\Windows\SysWOW64\Llfcik32.exe Lbpolb32.exe File opened for modification C:\Windows\SysWOW64\Gomjckqc.exe Gphmbolk.exe File opened for modification C:\Windows\SysWOW64\Gphokhco.exe Goicaell.exe File created C:\Windows\SysWOW64\Lageje32.dll Gnoaliln.exe File created C:\Windows\SysWOW64\Hglahnha.dll Oikeal32.exe File created C:\Windows\SysWOW64\Epopff32.exe Ejbhno32.exe File created C:\Windows\SysWOW64\Bpekbbmb.dll Gphmbolk.exe File created C:\Windows\SysWOW64\Kgkokjjd.exe Kldofi32.exe File created C:\Windows\SysWOW64\Nelkme32.exe Ndkoemji.exe File created C:\Windows\SysWOW64\Cikdbhhi.exe Cmdcngbd.exe File created C:\Windows\SysWOW64\Bebkdqbc.dll Ibjikk32.exe File created C:\Windows\SysWOW64\Lnobfn32.exe Lhpmhgbf.exe File opened for modification C:\Windows\SysWOW64\Ijphqbpo.exe Iagchmjn.exe File created C:\Windows\SysWOW64\Kcahjqfa.exe Kemgqm32.exe File created C:\Windows\SysWOW64\Mggoli32.exe Mmlmmdga.exe File created C:\Windows\SysWOW64\Jpajdi32.exe Jigagocd.exe File created C:\Windows\SysWOW64\Aagfffbo.exe Ahmehqna.exe File created C:\Windows\SysWOW64\Ajmkkbbd.dll Ficilgai.exe File created C:\Windows\SysWOW64\Jcodcp32.exe Jmelfeqn.exe File opened for modification C:\Windows\SysWOW64\Fimgmj32.exe Fpecddpi.exe File opened for modification C:\Windows\SysWOW64\Kiihcmoi.exe Kmbgnl32.exe File opened for modification C:\Windows\SysWOW64\Bjanfl32.exe Bnkmakbb.exe File created C:\Windows\SysWOW64\Ebpgoh32.exe Eoanij32.exe File opened for modification C:\Windows\SysWOW64\Hqjfgb32.exe Hgbanlfc.exe File created C:\Windows\SysWOW64\Dnbfkh32.exe Dlajdpoc.exe File created C:\Windows\SysWOW64\Ancacpck.dll Dedkbb32.exe File opened for modification C:\Windows\SysWOW64\Dieiap32.exe Dpmeij32.exe File created C:\Windows\SysWOW64\Agnopk32.dll Efakhk32.exe File opened for modification C:\Windows\SysWOW64\Hhqmogam.exe Hepdml32.exe File created C:\Windows\SysWOW64\Ofmknifp.exe Ojgkih32.exe File opened for modification C:\Windows\SysWOW64\Aacjba32.exe Agkfil32.exe File created C:\Windows\SysWOW64\Poeepl32.dll Bkghjq32.exe File created C:\Windows\SysWOW64\Pddlggin.exe Pngcnpkg.exe File opened for modification C:\Windows\SysWOW64\Jkeialfp.exe Jfhqiegh.exe File opened for modification C:\Windows\SysWOW64\Anigaeoh.exe Aaegha32.exe File created C:\Windows\SysWOW64\Dndoof32.exe Dbmnjenb.exe File opened for modification C:\Windows\SysWOW64\Aoilcc32.exe Aeahjn32.exe File created C:\Windows\SysWOW64\Nhpbobba.dll Akpfmnmh.exe File opened for modification C:\Windows\SysWOW64\Cgnkkjgd.exe Cgkoejig.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3288 368 WerFault.exe 751 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmfjdbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifloeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnjpdphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlndj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpajmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojlmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhfepfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlfjjpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phknlfem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qifnjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhbfcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkcoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llagegfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbgon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqpgll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enijcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbohmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpemkkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhmhpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkffohon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggphji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpnmhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhpjfoji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamncagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlmnfeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebpgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlmacfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aihjpman.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbokkagk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgakd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmekd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgikklb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgoakpjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbehgabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbdadl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhqpqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgaikb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqngjcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbejj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Annpaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iilalc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpjpnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knldaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbncbgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkglenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doapanne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omonmpcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomjckqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baakem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaffja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghjjoeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfifqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fobodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibpjaagi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfqejoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbedmedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olhmnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkbjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedokpcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfagd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebpchmb.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmhlnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pficnc32.dll" Ekblplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emlhfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapmlp32.dll" Ghpngkhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcfpmlll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahmehqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgmhbloc.dll" Cafbmdbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaodci32.dll" Bigpdjpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igmppcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midfibhi.dll" Jpajdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdakoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgodjico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekpna32.dll" Mheekb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofmknifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooiepnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anngkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcodcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnnogfm.dll" Mpmdff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gepeep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hepdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lngpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odfjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqamaeii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaffja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgfjjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqgkjc32.dll" Ahancp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpajqqn.dll" Eamdlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqkqbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbmnjenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhmibjdp.dll" Pmjohoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndbfldme.dll" Ajghgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olgehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnikgnhe.dll" Ckeekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofnnj32.dll" Ekndpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paldmbmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbmcjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcaebh32.dll" Opicgenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komhohde.dll" Hnjonpgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npjonlee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aghidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhfepfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgdkbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbchijge.dll" Pngcnpkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfflfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejpkho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpnekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkkmoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjanfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiicgkof.dll" Mnakjaoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chmlfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejpkho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apeakonl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lngpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggmldj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iflhjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckldighd.dll" Oiqaed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkjadh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfbild.dll" Annpaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbpmba32.dll" Jfhqiegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgbeio32.dll" Coknmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feeldk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfkhed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogloedpl.dll" Bjnhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfnebhe.dll" Hpckee32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2948 wrote to memory of 2148 2948 ed5bbd0fa522f9783b14292c377cd310N.exe 29 PID 2948 wrote to memory of 2148 2948 ed5bbd0fa522f9783b14292c377cd310N.exe 29 PID 2948 wrote to memory of 2148 2948 ed5bbd0fa522f9783b14292c377cd310N.exe 29 PID 2948 wrote to memory of 2148 2948 ed5bbd0fa522f9783b14292c377cd310N.exe 29 PID 2148 wrote to memory of 2760 2148 Aaogbh32.exe 30 PID 2148 wrote to memory of 2760 2148 Aaogbh32.exe 30 PID 2148 wrote to memory of 2760 2148 Aaogbh32.exe 30 PID 2148 wrote to memory of 2760 2148 Aaogbh32.exe 30 PID 2760 wrote to memory of 2724 2760 Anfggicl.exe 31 PID 2760 wrote to memory of 2724 2760 Anfggicl.exe 31 PID 2760 wrote to memory of 2724 2760 Anfggicl.exe 31 PID 2760 wrote to memory of 2724 2760 Anfggicl.exe 31 PID 2724 wrote to memory of 2812 2724 Aqgqid32.exe 32 PID 2724 wrote to memory of 2812 2724 Aqgqid32.exe 32 PID 2724 wrote to memory of 2812 2724 Aqgqid32.exe 32 PID 2724 wrote to memory of 2812 2724 Aqgqid32.exe 32 PID 2812 wrote to memory of 2840 2812 Aqimoc32.exe 33 PID 2812 wrote to memory of 2840 2812 Aqimoc32.exe 33 PID 2812 wrote to memory of 2840 2812 Aqimoc32.exe 33 PID 2812 wrote to memory of 2840 2812 Aqimoc32.exe 33 PID 2840 wrote to memory of 2672 2840 Ampncd32.exe 34 PID 2840 wrote to memory of 2672 2840 Ampncd32.exe 34 PID 2840 wrote to memory of 2672 2840 Ampncd32.exe 34 PID 2840 wrote to memory of 2672 2840 Ampncd32.exe 34 PID 2672 wrote to memory of 2364 2672 Bqngjcje.exe 35 PID 2672 wrote to memory of 2364 2672 Bqngjcje.exe 35 PID 2672 wrote to memory of 2364 2672 Bqngjcje.exe 35 PID 2672 wrote to memory of 2364 2672 Bqngjcje.exe 35 PID 2364 wrote to memory of 1876 2364 Bkghjq32.exe 36 PID 2364 wrote to memory of 1876 2364 Bkghjq32.exe 36 PID 2364 wrote to memory of 1876 2364 Bkghjq32.exe 36 PID 2364 wrote to memory of 1876 2364 Bkghjq32.exe 36 PID 1876 wrote to memory of 1836 1876 Boeppomj.exe 37 PID 1876 wrote to memory of 1836 1876 Boeppomj.exe 37 PID 1876 wrote to memory of 1836 1876 Boeppomj.exe 37 PID 1876 wrote to memory of 1836 1876 Boeppomj.exe 37 PID 1836 wrote to memory of 1556 1836 Bnkmakbb.exe 38 PID 1836 wrote to memory of 1556 1836 Bnkmakbb.exe 38 PID 1836 wrote to memory of 1556 1836 Bnkmakbb.exe 38 PID 1836 wrote to memory of 1556 1836 Bnkmakbb.exe 38 PID 1556 wrote to memory of 1988 1556 Bjanfl32.exe 39 PID 1556 wrote to memory of 1988 1556 Bjanfl32.exe 39 PID 1556 wrote to memory of 1988 1556 Bjanfl32.exe 39 PID 1556 wrote to memory of 1988 1556 Bjanfl32.exe 39 PID 1988 wrote to memory of 660 1988 Ckajqo32.exe 40 PID 1988 wrote to memory of 660 1988 Ckajqo32.exe 40 PID 1988 wrote to memory of 660 1988 Ckajqo32.exe 40 PID 1988 wrote to memory of 660 1988 Ckajqo32.exe 40 PID 660 wrote to memory of 2996 660 Cmdcngbd.exe 41 PID 660 wrote to memory of 2996 660 Cmdcngbd.exe 41 PID 660 wrote to memory of 2996 660 Cmdcngbd.exe 41 PID 660 wrote to memory of 2996 660 Cmdcngbd.exe 41 PID 2996 wrote to memory of 2404 2996 Cikdbhhi.exe 42 PID 2996 wrote to memory of 2404 2996 Cikdbhhi.exe 42 PID 2996 wrote to memory of 2404 2996 Cikdbhhi.exe 42 PID 2996 wrote to memory of 2404 2996 Cikdbhhi.exe 42 PID 2404 wrote to memory of 1408 2404 Ccceeqfl.exe 43 PID 2404 wrote to memory of 1408 2404 Ccceeqfl.exe 43 PID 2404 wrote to memory of 1408 2404 Ccceeqfl.exe 43 PID 2404 wrote to memory of 1408 2404 Ccceeqfl.exe 43 PID 1408 wrote to memory of 1008 1408 Domffn32.exe 44 PID 1408 wrote to memory of 1008 1408 Domffn32.exe 44 PID 1408 wrote to memory of 1008 1408 Domffn32.exe 44 PID 1408 wrote to memory of 1008 1408 Domffn32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed5bbd0fa522f9783b14292c377cd310N.exe"C:\Users\Admin\AppData\Local\Temp\ed5bbd0fa522f9783b14292c377cd310N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Aqimoc32.exeC:\Windows\system32\Aqimoc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Ampncd32.exeC:\Windows\system32\Ampncd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Boeppomj.exeC:\Windows\system32\Boeppomj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Bnkmakbb.exeC:\Windows\system32\Bnkmakbb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Bjanfl32.exeC:\Windows\system32\Bjanfl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Ckajqo32.exeC:\Windows\system32\Ckajqo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Cmdcngbd.exeC:\Windows\system32\Cmdcngbd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Cikdbhhi.exeC:\Windows\system32\Cikdbhhi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Ccceeqfl.exeC:\Windows\system32\Ccceeqfl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Domffn32.exeC:\Windows\system32\Domffn32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Dlqgob32.exeC:\Windows\system32\Dlqgob32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Doapanne.exeC:\Windows\system32\Doapanne.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Ddnhidmm.exeC:\Windows\system32\Ddnhidmm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Ddqeodjj.exeC:\Windows\system32\Ddqeodjj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Dgoakpjn.exeC:\Windows\system32\Dgoakpjn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Dmiihjak.exeC:\Windows\system32\Dmiihjak.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Emkfmioh.exeC:\Windows\system32\Emkfmioh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Eibgbj32.exeC:\Windows\system32\Eibgbj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Windows\SysWOW64\Eidchjbi.exeC:\Windows\system32\Eidchjbi.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Ehlmnfeo.exeC:\Windows\system32\Ehlmnfeo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Fadagl32.exeC:\Windows\system32\Fadagl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Fagnmkjm.exeC:\Windows\system32\Fagnmkjm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Faikbkhj.exeC:\Windows\system32\Faikbkhj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Fdlqjf32.exeC:\Windows\system32\Fdlqjf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Gfpjgn32.exeC:\Windows\system32\Gfpjgn32.exe33⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Gfbfln32.exeC:\Windows\system32\Gfbfln32.exe34⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Gbigao32.exeC:\Windows\system32\Gbigao32.exe35⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Gmnlog32.exeC:\Windows\system32\Gmnlog32.exe36⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Goodpb32.exeC:\Windows\system32\Goodpb32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Hgjieedg.exeC:\Windows\system32\Hgjieedg.exe38⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Hgmfjdbe.exeC:\Windows\system32\Hgmfjdbe.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1132 -
C:\Windows\SysWOW64\Haggijgb.exeC:\Windows\system32\Haggijgb.exe40⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Hfflfp32.exeC:\Windows\system32\Hfflfp32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Ipoqofjh.exeC:\Windows\system32\Ipoqofjh.exe42⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Ibpjaagi.exeC:\Windows\system32\Ibpjaagi.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\Iilocklc.exeC:\Windows\system32\Iilocklc.exe44⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Iagchmjn.exeC:\Windows\system32\Iagchmjn.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Ijphqbpo.exeC:\Windows\system32\Ijphqbpo.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Jhchjgoh.exeC:\Windows\system32\Jhchjgoh.exe47⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Jmpqbnmp.exeC:\Windows\system32\Jmpqbnmp.exe48⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Jhfepfme.exeC:\Windows\system32\Jhfepfme.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Jigagocd.exeC:\Windows\system32\Jigagocd.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Jpajdi32.exeC:\Windows\system32\Jpajdi32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Jbpfpd32.exeC:\Windows\system32\Jbpfpd32.exe52⤵PID:2416
-
C:\Windows\SysWOW64\Jiinmnaa.exeC:\Windows\system32\Jiinmnaa.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Jpcfih32.exeC:\Windows\system32\Jpcfih32.exe54⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Jilkbn32.exeC:\Windows\system32\Jilkbn32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Jpfcohfk.exeC:\Windows\system32\Jpfcohfk.exe56⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Kokppd32.exeC:\Windows\system32\Kokppd32.exe57⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Kegebn32.exeC:\Windows\system32\Kegebn32.exe58⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kkdnke32.exeC:\Windows\system32\Kkdnke32.exe59⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Kanfgofa.exeC:\Windows\system32\Kanfgofa.exe60⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe61⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Kkigfdjo.exeC:\Windows\system32\Kkigfdjo.exe62⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Kdakoj32.exeC:\Windows\system32\Kdakoj32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Lkkckdhm.exeC:\Windows\system32\Lkkckdhm.exe64⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Lcfhpf32.exeC:\Windows\system32\Lcfhpf32.exe65⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Loofjg32.exeC:\Windows\system32\Loofjg32.exe66⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Lkffohon.exeC:\Windows\system32\Lkffohon.exe67⤵
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe69⤵PID:2084
-
C:\Windows\SysWOW64\Lngpac32.exeC:\Windows\system32\Lngpac32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Mgodjico.exeC:\Windows\system32\Mgodjico.exe71⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe72⤵
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe73⤵PID:1684
-
C:\Windows\SysWOW64\Mbgela32.exeC:\Windows\system32\Mbgela32.exe74⤵PID:2936
-
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe75⤵PID:2912
-
C:\Windows\SysWOW64\Mgfjjh32.exeC:\Windows\system32\Mgfjjh32.exe76⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Mmcbbo32.exeC:\Windows\system32\Mmcbbo32.exe77⤵PID:2328
-
C:\Windows\SysWOW64\Mgigpgkd.exeC:\Windows\system32\Mgigpgkd.exe78⤵PID:624
-
C:\Windows\SysWOW64\Nbbhpegc.exeC:\Windows\system32\Nbbhpegc.exe79⤵PID:2160
-
C:\Windows\SysWOW64\Nmhlnngi.exeC:\Windows\system32\Nmhlnngi.exe80⤵
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Nbddfe32.exeC:\Windows\system32\Nbddfe32.exe81⤵PID:1412
-
C:\Windows\SysWOW64\Niombolm.exeC:\Windows\system32\Niombolm.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1152 -
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Nloedjin.exeC:\Windows\system32\Nloedjin.exe84⤵PID:1612
-
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe85⤵PID:544
-
C:\Windows\SysWOW64\Nnpofe32.exeC:\Windows\system32\Nnpofe32.exe86⤵PID:2576
-
C:\Windows\SysWOW64\Odmgnl32.exeC:\Windows\system32\Odmgnl32.exe87⤵PID:556
-
C:\Windows\SysWOW64\Ojgokflc.exeC:\Windows\system32\Ojgokflc.exe88⤵PID:2440
-
C:\Windows\SysWOW64\Oelcho32.exeC:\Windows\system32\Oelcho32.exe89⤵PID:2744
-
C:\Windows\SysWOW64\Ofnppgbh.exeC:\Windows\system32\Ofnppgbh.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Ojlife32.exeC:\Windows\system32\Ojlife32.exe91⤵PID:2144
-
C:\Windows\SysWOW64\Omjeba32.exeC:\Windows\system32\Omjeba32.exe92⤵PID:1632
-
C:\Windows\SysWOW64\Oiqegb32.exeC:\Windows\system32\Oiqegb32.exe93⤵PID:1308
-
C:\Windows\SysWOW64\Odfjdk32.exeC:\Windows\system32\Odfjdk32.exe94⤵
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Omonmpcm.exeC:\Windows\system32\Omonmpcm.exe95⤵
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe96⤵PID:1600
-
C:\Windows\SysWOW64\Pieobaiq.exeC:\Windows\system32\Pieobaiq.exe97⤵PID:580
-
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe98⤵PID:1724
-
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe99⤵PID:1832
-
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe100⤵PID:2076
-
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe101⤵
- System Location Discovery: System Language Discovery
PID:584 -
C:\Windows\SysWOW64\Pahjgb32.exeC:\Windows\system32\Pahjgb32.exe102⤵PID:2312
-
C:\Windows\SysWOW64\Qkpnph32.exeC:\Windows\system32\Qkpnph32.exe103⤵PID:2968
-
C:\Windows\SysWOW64\Ajghgd32.exeC:\Windows\system32\Ajghgd32.exe104⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Apapcnaf.exeC:\Windows\system32\Apapcnaf.exe105⤵PID:2604
-
C:\Windows\SysWOW64\Ahmehqna.exeC:\Windows\system32\Ahmehqna.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Aagfffbo.exeC:\Windows\system32\Aagfffbo.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe108⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Anngkg32.exeC:\Windows\system32\Anngkg32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Ahdkhp32.exeC:\Windows\system32\Ahdkhp32.exe110⤵PID:1828
-
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe111⤵PID:3024
-
C:\Windows\SysWOW64\Bblpae32.exeC:\Windows\system32\Bblpae32.exe112⤵PID:1164
-
C:\Windows\SysWOW64\Bhfhnofg.exeC:\Windows\system32\Bhfhnofg.exe113⤵PID:2300
-
C:\Windows\SysWOW64\Bjgdfg32.exeC:\Windows\system32\Bjgdfg32.exe114⤵PID:2752
-
C:\Windows\SysWOW64\Bqambacb.exeC:\Windows\system32\Bqambacb.exe115⤵PID:2644
-
C:\Windows\SysWOW64\Bkgqpjch.exeC:\Windows\system32\Bkgqpjch.exe116⤵PID:552
-
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe117⤵PID:2072
-
C:\Windows\SysWOW64\Bnhjae32.exeC:\Windows\system32\Bnhjae32.exe118⤵PID:1732
-
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe119⤵PID:2260
-
C:\Windows\SysWOW64\Bokcom32.exeC:\Windows\system32\Bokcom32.exe120⤵PID:2304
-
C:\Windows\SysWOW64\Cfekkgla.exeC:\Windows\system32\Cfekkgla.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-