Analysis
-
max time kernel
40s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
17-08-2024 15:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
81578f355851d1745c0cec51f64ccbf0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
81578f355851d1745c0cec51f64ccbf0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
81578f355851d1745c0cec51f64ccbf0N.exe
-
Size
320KB
-
MD5
81578f355851d1745c0cec51f64ccbf0
-
SHA1
2a23c2b19582a4f67effe60420ca38c45e395468
-
SHA256
0ef89659687efec2cc4775295eb163f06ede8d5d23271efa8a8bb632e53e419d
-
SHA512
a5835b501b0c770bbd12864539024b131e35ec6b608d8348bbe1af9d0761b98fc9463987f2118d7d43c624ac58a003e8f00e362cb4aec499b0b6f1de238b6cb9
-
SSDEEP
6144:697g8q/QZxCoB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5RV:6dqoN6t3XGCByvNv54B9f01ZmHByvNvJ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpifln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acncngpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chigmlml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfmlif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enpoje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhkdgbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbbodk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljljenoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhikcpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdphbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Folknlae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlibhhme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldobjec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jphcgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpjlldmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aqpgblqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfkidh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbakfcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmkipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieepad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goohckob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkhfnea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcfjik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbcaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbbnkfjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpecad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgfannba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phibbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcgmnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ediggoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihclmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoqjhiie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekacnjfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbajjiml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcfjik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjbljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fchgnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpodbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpcnmnnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idabbpgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qnkdeagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afjbecqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qjaejbmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpjpmqjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnkfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdlefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhbpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bggohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gepjgaid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khlkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdpcgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beibln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eikmkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggjmhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poqniegj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poegde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amidmldj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bamfloef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfmfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dadikaaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjpbeecn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdbfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnojpdfb.exe -
Executes dropped EXE 64 IoCs
pid Process 1988 Kdmehh32.exe 2664 Lkgmdbja.exe 2776 Ljljenoi.exe 2884 Liaggk32.exe 2832 Lokpcekn.exe 2628 Lkbphfab.exe 1656 Lfhdeoqh.exe 1788 Mncijanc.exe 2024 Memagk32.exe 2972 Mbabpodi.exe 2984 Mikjmi32.exe 2912 Mllcodig.exe 3068 Mahlgkgo.exe 1888 Mnllppfh.exe 796 Mpnhhh32.exe 2408 Mdidhfdp.exe 2372 Njcmeqkl.exe 1936 Nmdfglhm.exe 2012 Nbqnobge.exe 1436 Nlibhhme.exe 676 Nogodcli.exe 2220 Neagan32.exe 1216 Npgknf32.exe 1620 Nbehjb32.exe 532 Nhbpbi32.exe 1508 Oefqlmpq.exe 2856 Ohdmhhod.exe 3012 Oooeeb32.exe 2888 Odknmi32.exe 1156 Okefjcle.exe 2644 Omdbfo32.exe 564 Oijbkpqm.exe 2204 Omfoko32.exe 600 Occgce32.exe 2820 Oimpppoj.exe 2660 Opghmjfg.exe 2908 Oiolfo32.exe 2672 Pnkhfnea.exe 1288 Pcgqoech.exe 2556 Pefmkpbl.exe 1980 Ponadfim.exe 3040 Pehiqp32.exe 1940 Phgfmk32.exe 2152 Poqniegj.exe 752 Pekffp32.exe 2548 Phibbk32.exe 524 Pldobjec.exe 2284 Pockoeeg.exe 1600 Paagkq32.exe 2016 Pdpcgl32.exe 2768 Pkjkdfjk.exe 2756 Poegde32.exe 2892 Pqfdlmic.exe 2056 Qdbpml32.exe 2240 Qklhifhi.exe 2964 Qnkdeagl.exe 2836 Qqiqam32.exe 1916 Qcgmnh32.exe 2096 Qjaejbmq.exe 3032 Qnmaka32.exe 1500 Adgihkmf.exe 2388 Ageedflj.exe 1512 Ajcbpbkn.exe 628 Ambnlmja.exe -
Loads dropped DLL 64 IoCs
pid Process 1712 81578f355851d1745c0cec51f64ccbf0N.exe 1712 81578f355851d1745c0cec51f64ccbf0N.exe 1988 Kdmehh32.exe 1988 Kdmehh32.exe 2664 Lkgmdbja.exe 2664 Lkgmdbja.exe 2776 Ljljenoi.exe 2776 Ljljenoi.exe 2884 Liaggk32.exe 2884 Liaggk32.exe 2832 Lokpcekn.exe 2832 Lokpcekn.exe 2628 Lkbphfab.exe 2628 Lkbphfab.exe 1656 Lfhdeoqh.exe 1656 Lfhdeoqh.exe 1788 Mncijanc.exe 1788 Mncijanc.exe 2024 Memagk32.exe 2024 Memagk32.exe 2972 Mbabpodi.exe 2972 Mbabpodi.exe 2984 Mikjmi32.exe 2984 Mikjmi32.exe 2912 Mllcodig.exe 2912 Mllcodig.exe 3068 Mahlgkgo.exe 3068 Mahlgkgo.exe 1888 Mnllppfh.exe 1888 Mnllppfh.exe 796 Mpnhhh32.exe 796 Mpnhhh32.exe 2408 Mdidhfdp.exe 2408 Mdidhfdp.exe 2372 Njcmeqkl.exe 2372 Njcmeqkl.exe 1936 Nmdfglhm.exe 1936 Nmdfglhm.exe 2012 Nbqnobge.exe 2012 Nbqnobge.exe 1436 Nlibhhme.exe 1436 Nlibhhme.exe 676 Nogodcli.exe 676 Nogodcli.exe 2220 Neagan32.exe 2220 Neagan32.exe 1216 Npgknf32.exe 1216 Npgknf32.exe 1620 Nbehjb32.exe 1620 Nbehjb32.exe 532 Nhbpbi32.exe 532 Nhbpbi32.exe 1508 Oefqlmpq.exe 1508 Oefqlmpq.exe 2856 Ohdmhhod.exe 2856 Ohdmhhod.exe 3012 Oooeeb32.exe 3012 Oooeeb32.exe 2888 Odknmi32.exe 2888 Odknmi32.exe 1156 Okefjcle.exe 1156 Okefjcle.exe 2644 Omdbfo32.exe 2644 Omdbfo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Impdeg32.exe Ijahik32.exe File opened for modification C:\Windows\SysWOW64\Jokccnci.exe Jphcgq32.exe File created C:\Windows\SysWOW64\Cibnfpjg.exe Cbhejf32.exe File created C:\Windows\SysWOW64\Mfodloop.dll Ckjqog32.exe File opened for modification C:\Windows\SysWOW64\Fdnabo32.exe Flgiaa32.exe File opened for modification C:\Windows\SysWOW64\Giiibqdp.exe Gqbaqccn.exe File created C:\Windows\SysWOW64\Bknani32.exe Bgbemjqh.exe File created C:\Windows\SysWOW64\Cokaco32.dll Cmnjgo32.exe File created C:\Windows\SysWOW64\Cekkaanh.exe Clcghk32.exe File created C:\Windows\SysWOW64\Llefld32.exe Kbpbokop.exe File opened for modification C:\Windows\SysWOW64\Oimpppoj.exe Occgce32.exe File created C:\Windows\SysWOW64\Bahkggfo.dll Bamfloef.exe File opened for modification C:\Windows\SysWOW64\Elgmbnfn.exe Eiipfbgj.exe File created C:\Windows\SysWOW64\Ohkmdami.dll Jinkkgeb.exe File created C:\Windows\SysWOW64\Gongob32.dll Khlkba32.exe File created C:\Windows\SysWOW64\Pidjce32.dll 81578f355851d1745c0cec51f64ccbf0N.exe File opened for modification C:\Windows\SysWOW64\Pnkhfnea.exe Oiolfo32.exe File created C:\Windows\SysWOW64\Gknlbd32.dll Eemded32.exe File created C:\Windows\SysWOW64\Idofmp32.exe Imenpfap.exe File created C:\Windows\SysWOW64\Dhgehheg.dll Giiibqdp.exe File created C:\Windows\SysWOW64\Hhaogp32.exe Haggkf32.exe File created C:\Windows\SysWOW64\Mncijanc.exe Lfhdeoqh.exe File opened for modification C:\Windows\SysWOW64\Pkjkdfjk.exe Pdpcgl32.exe File created C:\Windows\SysWOW64\Dpnogmbl.exe Dmpckbci.exe File opened for modification C:\Windows\SysWOW64\Epnkfq32.exe Enpoje32.exe File created C:\Windows\SysWOW64\Fmjopiol.dll Fkflii32.exe File created C:\Windows\SysWOW64\Jcaqggik.dll Gglimm32.exe File opened for modification C:\Windows\SysWOW64\Jhedachg.exe Jegheghc.exe File created C:\Windows\SysWOW64\Knnnnpad.dll Mncijanc.exe File opened for modification C:\Windows\SysWOW64\Pqfdlmic.exe Poegde32.exe File created C:\Windows\SysWOW64\Hppekf32.dll Cffnpdip.exe File created C:\Windows\SysWOW64\Mdhdigjp.dll Eafapd32.exe File created C:\Windows\SysWOW64\Phgfmk32.exe Pehiqp32.exe File opened for modification C:\Windows\SysWOW64\Qklhifhi.exe Qdbpml32.exe File opened for modification C:\Windows\SysWOW64\Bgebcj32.exe Bbhikcpn.exe File created C:\Windows\SysWOW64\Bfmlif32.exe Bgjknijp.exe File created C:\Windows\SysWOW64\Bmepiqlp.dll Dpifln32.exe File created C:\Windows\SysWOW64\Dplbbndo.exe Daibfa32.exe File created C:\Windows\SysWOW64\Kgfannba.exe Kooimpao.exe File opened for modification C:\Windows\SysWOW64\Pefmkpbl.exe Pcgqoech.exe File created C:\Windows\SysWOW64\Ainhln32.exe Aebllocg.exe File created C:\Windows\SysWOW64\Ggjmhn32.exe Gfippego.exe File created C:\Windows\SysWOW64\Bndckc32.exe Bfmlif32.exe File opened for modification C:\Windows\SysWOW64\Dmbpaa32.exe Dekgpdqc.exe File created C:\Windows\SysWOW64\Pekffp32.exe Poqniegj.exe File created C:\Windows\SysWOW64\Qdbpml32.exe Pqfdlmic.exe File opened for modification C:\Windows\SysWOW64\Qjaejbmq.exe Qcgmnh32.exe File created C:\Windows\SysWOW64\Bapcaocc.exe Bnagecdp.exe File opened for modification C:\Windows\SysWOW64\Nmdfglhm.exe Njcmeqkl.exe File created C:\Windows\SysWOW64\Dgephkni.dll Abfmecba.exe File opened for modification C:\Windows\SysWOW64\Nhbpbi32.exe Nbehjb32.exe File created C:\Windows\SysWOW64\Iikneggd.exe Ibafhmph.exe File created C:\Windows\SysWOW64\Kjngjj32.exe Kgoknohj.exe File created C:\Windows\SysWOW64\Npgknf32.exe Neagan32.exe File created C:\Windows\SysWOW64\Occgce32.exe Omfoko32.exe File created C:\Windows\SysWOW64\Jlcmhann.exe Jdlefd32.exe File opened for modification C:\Windows\SysWOW64\Kdckgc32.exe Kaeokg32.exe File created C:\Windows\SysWOW64\Qdmcqp32.dll Gkehhlef.exe File opened for modification C:\Windows\SysWOW64\Jphcgq32.exe Jmigke32.exe File created C:\Windows\SysWOW64\Ggqmnecg.dll Jkhjin32.exe File created C:\Windows\SysWOW64\Pldobjec.exe Phibbk32.exe File created C:\Windows\SysWOW64\Cmnjgo32.exe Cibnfpjg.exe File opened for modification C:\Windows\SysWOW64\Amgggm32.exe Aikkgnnc.exe File created C:\Windows\SysWOW64\Fjmfpe32.exe Fgojdj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3996 3976 WerFault.exe 311 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aediaoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coofoghn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjbecqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepjgaid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhamp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idofmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odknmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgqoech.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcnmnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eedjfchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flgiaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcaankpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidledja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopqoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amgggm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebllocg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jphcgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgahcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgddin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liaggk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjdpdga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cekkaanh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpifln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgfkoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jegheghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njcmeqkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neagan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageedflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amidmldj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfdcdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbajjiml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgmdbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chigmlml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmmdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqeagpop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfkidh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lodbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenhfqle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchcmnlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbomdjoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlcmhann.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oijbkpqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doclijgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikneggd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpliac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mncijanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paagkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbpaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjbljh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pockoeeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbegmqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnkkeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdidhfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjkhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phgfmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggohi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eepakc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfippego.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gccjbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbakfcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffomjgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpbokop.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgbemjqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgfannba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjdmjiae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcejjpfg.dll" Ohdmhhod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paagkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdnabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jlcmhann.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Neagan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omdbfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbhejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpligk32.dll" Hpcnmnnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbpbokop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okefjcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlnmgmec.dll" Bgjknijp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgaphb32.dll" Hnhjok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbmdpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfippego.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gaigab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgddin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Poqniegj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjdhcie.dll" Qklhifhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bggohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bapcaocc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aifqec32.dll" Ekacnjfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqpffok.dll" Goohckob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidjce32.dll" 81578f355851d1745c0cec51f64ccbf0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfhdeoqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oefqlmpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdcmn32.dll" Poqniegj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eiipfbgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aebllocg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmlblq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hllkhoaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibdcnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcoalho.dll" Pehiqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idabbpgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhbpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnlkl32.dll" Jpjpmqjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakhhhfi.dll" Jndjoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffomjgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jphcgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgpfkgh.dll" Npgknf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcbcdfpo.dll" Ifhinl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ponadfim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Poegde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Digipn32.dll" Enmbeehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkflii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpecad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdjec32.dll" Nbqnobge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlibhhme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpcnmnnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jmigke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bknani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiclffeg.dll" Hfkidh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iaicpepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cibnfpjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epoemc32.dll" Ehbgbngm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdndmmmb.dll" Gbbnkfjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjpkgoq.dll" Gninpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jokccnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lokpcekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmpckbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mboacdjn.dll" Kdckgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lodbhp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1712 wrote to memory of 1988 1712 81578f355851d1745c0cec51f64ccbf0N.exe 29 PID 1712 wrote to memory of 1988 1712 81578f355851d1745c0cec51f64ccbf0N.exe 29 PID 1712 wrote to memory of 1988 1712 81578f355851d1745c0cec51f64ccbf0N.exe 29 PID 1712 wrote to memory of 1988 1712 81578f355851d1745c0cec51f64ccbf0N.exe 29 PID 1988 wrote to memory of 2664 1988 Kdmehh32.exe 30 PID 1988 wrote to memory of 2664 1988 Kdmehh32.exe 30 PID 1988 wrote to memory of 2664 1988 Kdmehh32.exe 30 PID 1988 wrote to memory of 2664 1988 Kdmehh32.exe 30 PID 2664 wrote to memory of 2776 2664 Lkgmdbja.exe 31 PID 2664 wrote to memory of 2776 2664 Lkgmdbja.exe 31 PID 2664 wrote to memory of 2776 2664 Lkgmdbja.exe 31 PID 2664 wrote to memory of 2776 2664 Lkgmdbja.exe 31 PID 2776 wrote to memory of 2884 2776 Ljljenoi.exe 32 PID 2776 wrote to memory of 2884 2776 Ljljenoi.exe 32 PID 2776 wrote to memory of 2884 2776 Ljljenoi.exe 32 PID 2776 wrote to memory of 2884 2776 Ljljenoi.exe 32 PID 2884 wrote to memory of 2832 2884 Liaggk32.exe 33 PID 2884 wrote to memory of 2832 2884 Liaggk32.exe 33 PID 2884 wrote to memory of 2832 2884 Liaggk32.exe 33 PID 2884 wrote to memory of 2832 2884 Liaggk32.exe 33 PID 2832 wrote to memory of 2628 2832 Lokpcekn.exe 34 PID 2832 wrote to memory of 2628 2832 Lokpcekn.exe 34 PID 2832 wrote to memory of 2628 2832 Lokpcekn.exe 34 PID 2832 wrote to memory of 2628 2832 Lokpcekn.exe 34 PID 2628 wrote to memory of 1656 2628 Lkbphfab.exe 35 PID 2628 wrote to memory of 1656 2628 Lkbphfab.exe 35 PID 2628 wrote to memory of 1656 2628 Lkbphfab.exe 35 PID 2628 wrote to memory of 1656 2628 Lkbphfab.exe 35 PID 1656 wrote to memory of 1788 1656 Lfhdeoqh.exe 36 PID 1656 wrote to memory of 1788 1656 Lfhdeoqh.exe 36 PID 1656 wrote to memory of 1788 1656 Lfhdeoqh.exe 36 PID 1656 wrote to memory of 1788 1656 Lfhdeoqh.exe 36 PID 1788 wrote to memory of 2024 1788 Mncijanc.exe 37 PID 1788 wrote to memory of 2024 1788 Mncijanc.exe 37 PID 1788 wrote to memory of 2024 1788 Mncijanc.exe 37 PID 1788 wrote to memory of 2024 1788 Mncijanc.exe 37 PID 2024 wrote to memory of 2972 2024 Memagk32.exe 38 PID 2024 wrote to memory of 2972 2024 Memagk32.exe 38 PID 2024 wrote to memory of 2972 2024 Memagk32.exe 38 PID 2024 wrote to memory of 2972 2024 Memagk32.exe 38 PID 2972 wrote to memory of 2984 2972 Mbabpodi.exe 39 PID 2972 wrote to memory of 2984 2972 Mbabpodi.exe 39 PID 2972 wrote to memory of 2984 2972 Mbabpodi.exe 39 PID 2972 wrote to memory of 2984 2972 Mbabpodi.exe 39 PID 2984 wrote to memory of 2912 2984 Mikjmi32.exe 40 PID 2984 wrote to memory of 2912 2984 Mikjmi32.exe 40 PID 2984 wrote to memory of 2912 2984 Mikjmi32.exe 40 PID 2984 wrote to memory of 2912 2984 Mikjmi32.exe 40 PID 2912 wrote to memory of 3068 2912 Mllcodig.exe 41 PID 2912 wrote to memory of 3068 2912 Mllcodig.exe 41 PID 2912 wrote to memory of 3068 2912 Mllcodig.exe 41 PID 2912 wrote to memory of 3068 2912 Mllcodig.exe 41 PID 3068 wrote to memory of 1888 3068 Mahlgkgo.exe 42 PID 3068 wrote to memory of 1888 3068 Mahlgkgo.exe 42 PID 3068 wrote to memory of 1888 3068 Mahlgkgo.exe 42 PID 3068 wrote to memory of 1888 3068 Mahlgkgo.exe 42 PID 1888 wrote to memory of 796 1888 Mnllppfh.exe 43 PID 1888 wrote to memory of 796 1888 Mnllppfh.exe 43 PID 1888 wrote to memory of 796 1888 Mnllppfh.exe 43 PID 1888 wrote to memory of 796 1888 Mnllppfh.exe 43 PID 796 wrote to memory of 2408 796 Mpnhhh32.exe 44 PID 796 wrote to memory of 2408 796 Mpnhhh32.exe 44 PID 796 wrote to memory of 2408 796 Mpnhhh32.exe 44 PID 796 wrote to memory of 2408 796 Mpnhhh32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\81578f355851d1745c0cec51f64ccbf0N.exe"C:\Users\Admin\AppData\Local\Temp\81578f355851d1745c0cec51f64ccbf0N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Kdmehh32.exeC:\Windows\system32\Kdmehh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Lkgmdbja.exeC:\Windows\system32\Lkgmdbja.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ljljenoi.exeC:\Windows\system32\Ljljenoi.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Liaggk32.exeC:\Windows\system32\Liaggk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Lokpcekn.exeC:\Windows\system32\Lokpcekn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Lkbphfab.exeC:\Windows\system32\Lkbphfab.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Lfhdeoqh.exeC:\Windows\system32\Lfhdeoqh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Mncijanc.exeC:\Windows\system32\Mncijanc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Memagk32.exeC:\Windows\system32\Memagk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Mbabpodi.exeC:\Windows\system32\Mbabpodi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Mikjmi32.exeC:\Windows\system32\Mikjmi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Mllcodig.exeC:\Windows\system32\Mllcodig.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Mahlgkgo.exeC:\Windows\system32\Mahlgkgo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Mnllppfh.exeC:\Windows\system32\Mnllppfh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Mpnhhh32.exeC:\Windows\system32\Mpnhhh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Mdidhfdp.exeC:\Windows\system32\Mdidhfdp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Njcmeqkl.exeC:\Windows\system32\Njcmeqkl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Nmdfglhm.exeC:\Windows\system32\Nmdfglhm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Nbqnobge.exeC:\Windows\system32\Nbqnobge.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Nlibhhme.exeC:\Windows\system32\Nlibhhme.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Nogodcli.exeC:\Windows\system32\Nogodcli.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Neagan32.exeC:\Windows\system32\Neagan32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Npgknf32.exeC:\Windows\system32\Npgknf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Nbehjb32.exeC:\Windows\system32\Nbehjb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Nhbpbi32.exeC:\Windows\system32\Nhbpbi32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Oefqlmpq.exeC:\Windows\system32\Oefqlmpq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Ohdmhhod.exeC:\Windows\system32\Ohdmhhod.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Oooeeb32.exeC:\Windows\system32\Oooeeb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Odknmi32.exeC:\Windows\system32\Odknmi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Okefjcle.exeC:\Windows\system32\Okefjcle.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Omdbfo32.exeC:\Windows\system32\Omdbfo32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Oijbkpqm.exeC:\Windows\system32\Oijbkpqm.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Omfoko32.exeC:\Windows\system32\Omfoko32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Occgce32.exeC:\Windows\system32\Occgce32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:600 -
C:\Windows\SysWOW64\Oimpppoj.exeC:\Windows\system32\Oimpppoj.exe36⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Opghmjfg.exeC:\Windows\system32\Opghmjfg.exe37⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Oiolfo32.exeC:\Windows\system32\Oiolfo32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Pnkhfnea.exeC:\Windows\system32\Pnkhfnea.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Pcgqoech.exeC:\Windows\system32\Pcgqoech.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Pefmkpbl.exeC:\Windows\system32\Pefmkpbl.exe41⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Ponadfim.exeC:\Windows\system32\Ponadfim.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Pehiqp32.exeC:\Windows\system32\Pehiqp32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Phgfmk32.exeC:\Windows\system32\Phgfmk32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\Poqniegj.exeC:\Windows\system32\Poqniegj.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Pekffp32.exeC:\Windows\system32\Pekffp32.exe46⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Phibbk32.exeC:\Windows\system32\Phibbk32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Pldobjec.exeC:\Windows\system32\Pldobjec.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Pockoeeg.exeC:\Windows\system32\Pockoeeg.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Paagkq32.exeC:\Windows\system32\Paagkq32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Pdpcgl32.exeC:\Windows\system32\Pdpcgl32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Pkjkdfjk.exeC:\Windows\system32\Pkjkdfjk.exe52⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Poegde32.exeC:\Windows\system32\Poegde32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Pqfdlmic.exeC:\Windows\system32\Pqfdlmic.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Qdbpml32.exeC:\Windows\system32\Qdbpml32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Qklhifhi.exeC:\Windows\system32\Qklhifhi.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Qnkdeagl.exeC:\Windows\system32\Qnkdeagl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Qqiqam32.exeC:\Windows\system32\Qqiqam32.exe58⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Qcgmnh32.exeC:\Windows\system32\Qcgmnh32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Qjaejbmq.exeC:\Windows\system32\Qjaejbmq.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Qnmaka32.exeC:\Windows\system32\Qnmaka32.exe61⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Adgihkmf.exeC:\Windows\system32\Adgihkmf.exe62⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Ageedflj.exeC:\Windows\system32\Ageedflj.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Ajcbpbkn.exeC:\Windows\system32\Ajcbpbkn.exe64⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Ambnlmja.exeC:\Windows\system32\Ambnlmja.exe65⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Aoqjhiie.exeC:\Windows\system32\Aoqjhiie.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Afjbecqb.exeC:\Windows\system32\Afjbecqb.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Aiioanpf.exeC:\Windows\system32\Aiioanpf.exe68⤵PID:2036
-
C:\Windows\SysWOW64\Aqpgblqh.exeC:\Windows\system32\Aqpgblqh.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Acncngpl.exeC:\Windows\system32\Acncngpl.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Afmokbop.exeC:\Windows\system32\Afmokbop.exe71⤵PID:2956
-
C:\Windows\SysWOW64\Aikkgnnc.exeC:\Windows\system32\Aikkgnnc.exe72⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Amgggm32.exeC:\Windows\system32\Amgggm32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Aoedch32.exeC:\Windows\system32\Aoedch32.exe74⤵PID:2404
-
C:\Windows\SysWOW64\Afolpb32.exeC:\Windows\system32\Afolpb32.exe75⤵PID:2436
-
C:\Windows\SysWOW64\Aebllocg.exeC:\Windows\system32\Aebllocg.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Ainhln32.exeC:\Windows\system32\Ainhln32.exe77⤵PID:2480
-
C:\Windows\SysWOW64\Amidmldj.exeC:\Windows\system32\Amidmldj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Anjqdd32.exeC:\Windows\system32\Anjqdd32.exe79⤵PID:932
-
C:\Windows\SysWOW64\Abfmecba.exeC:\Windows\system32\Abfmecba.exe80⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Aediaoae.exeC:\Windows\system32\Aediaoae.exe81⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Bgbemjqh.exeC:\Windows\system32\Bgbemjqh.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Bknani32.exeC:\Windows\system32\Bknani32.exe83⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Bnmmjd32.exeC:\Windows\system32\Bnmmjd32.exe84⤵PID:1848
-
C:\Windows\SysWOW64\Bbhikcpn.exeC:\Windows\system32\Bbhikcpn.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Bgebcj32.exeC:\Windows\system32\Bgebcj32.exe86⤵PID:2680
-
C:\Windows\SysWOW64\Bnojpdfb.exeC:\Windows\system32\Bnojpdfb.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Bamfloef.exeC:\Windows\system32\Bamfloef.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Beibln32.exeC:\Windows\system32\Beibln32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Bggohi32.exeC:\Windows\system32\Bggohi32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Bnagecdp.exeC:\Windows\system32\Bnagecdp.exe91⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Bapcaocc.exeC:\Windows\system32\Bapcaocc.exe92⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Bekobn32.exeC:\Windows\system32\Bekobn32.exe93⤵PID:3036
-
C:\Windows\SysWOW64\Bgjknijp.exeC:\Windows\system32\Bgjknijp.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Bfmlif32.exeC:\Windows\system32\Bfmlif32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Bndckc32.exeC:\Windows\system32\Bndckc32.exe96⤵PID:2260
-
C:\Windows\SysWOW64\Bmfdfpih.exeC:\Windows\system32\Bmfdfpih.exe97⤵PID:1884
-
C:\Windows\SysWOW64\Bcqlcj32.exeC:\Windows\system32\Bcqlcj32.exe98⤵PID:2304
-
C:\Windows\SysWOW64\Bjjdpdga.exeC:\Windows\system32\Bjjdpdga.exe99⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Badlln32.exeC:\Windows\system32\Badlln32.exe100⤵PID:2584
-
C:\Windows\SysWOW64\Bccihj32.exeC:\Windows\system32\Bccihj32.exe101⤵PID:2040
-
C:\Windows\SysWOW64\Cjmaed32.exeC:\Windows\system32\Cjmaed32.exe102⤵PID:2364
-
C:\Windows\SysWOW64\Clnmmlkm.exeC:\Windows\system32\Clnmmlkm.exe103⤵PID:1192
-
C:\Windows\SysWOW64\Cceenilo.exeC:\Windows\system32\Cceenilo.exe104⤵PID:2044
-
C:\Windows\SysWOW64\Cbhejf32.exeC:\Windows\system32\Cbhejf32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Cibnfpjg.exeC:\Windows\system32\Cibnfpjg.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Cmnjgo32.exeC:\Windows\system32\Cmnjgo32.exe107⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Coofoghn.exeC:\Windows\system32\Coofoghn.exe108⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Cffnpdip.exeC:\Windows\system32\Cffnpdip.exe109⤵
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Clcghk32.exeC:\Windows\system32\Clcghk32.exe110⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Cekkaanh.exeC:\Windows\system32\Cekkaanh.exe111⤵
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Chigmlml.exeC:\Windows\system32\Chigmlml.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Cboljemb.exeC:\Windows\system32\Cboljemb.exe113⤵PID:756
-
C:\Windows\SysWOW64\Cenhfqle.exeC:\Windows\system32\Cenhfqle.exe114⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Cdphbm32.exeC:\Windows\system32\Cdphbm32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Ckjqog32.exeC:\Windows\system32\Ckjqog32.exe116⤵
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Dadikaaj.exeC:\Windows\system32\Dadikaaj.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Ddbegmqm.exeC:\Windows\system32\Ddbegmqm.exe118⤵
- System Location Discovery: System Language Discovery
PID:1016 -
C:\Windows\SysWOW64\Dhnahl32.exeC:\Windows\system32\Dhnahl32.exe119⤵PID:584
-
C:\Windows\SysWOW64\Dkmmdg32.exeC:\Windows\system32\Dkmmdg32.exe120⤵
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Dmkipb32.exeC:\Windows\system32\Dmkipb32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2704
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-