Analysis
-
max time kernel
88s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
19/08/2024, 09:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5b23af8ecfdce56e32de88f2e78d4b40N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
5b23af8ecfdce56e32de88f2e78d4b40N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
5b23af8ecfdce56e32de88f2e78d4b40N.exe
-
Size
1.5MB
-
MD5
5b23af8ecfdce56e32de88f2e78d4b40
-
SHA1
9800ce93e0475cf7ea29a59a81a749550b7f8fca
-
SHA256
ada2637947102facc1a045048ebc35b9695bd39f410249d279757608a55a560a
-
SHA512
b7e1bf89ffac3dc0cfe72c3d4a645cbfbfaeed3c6c71b8a660a936bbdbc937a73e07cac5101afa83b97e8dbde0caec5ffe62eb16cabc0712afd0cc254a3eb412
-
SSDEEP
24576:H8fyvzecvHPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oWAU:H8fyvKcvXbazR0vKLXZ6U
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkeecogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqkpmaif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpeljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfokinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gamnhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onoqfehp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmlddeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keqkofno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coladm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehfkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbnhmjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpicle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Occjjnap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkglnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkipao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adipfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hofqpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbegbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hajfgnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmcgmkil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfjbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjklenpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andjgidl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngekdnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhlbbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okkddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aakjdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnnlocgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efljhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imggplgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iejkhlip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecnpdnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfliim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obhdcanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cblfdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggagmjbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okhgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apclnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojecajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eannmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onoqfehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmpeljkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdepmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feggob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhcfjnhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqennbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehlmljkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fchkbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phledp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agkako32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Panaeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gibbgmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihgmdih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caokmd32.exe -
Executes dropped EXE 64 IoCs
pid Process 2412 Hpjeialg.exe 2352 Hbiaemkk.exe 2752 Ifampo32.exe 2840 Jodhdp32.exe 2780 Jlhhndno.exe 2620 Kcmcoblm.exe 2488 Kbigpn32.exe 2964 Lcaiiejc.exe 2900 Lqejbiim.exe 324 Necogkbo.exe 312 Ndmecgba.exe 2064 Ohcdhi32.exe 2124 Pdakniag.exe 2108 Panaeb32.exe 448 Qdojgmfe.exe 1596 Bbbgod32.exe 640 Bbjmpcab.exe 2988 Cjgoje32.exe 920 Cpdgbm32.exe 2516 Ccbphk32.exe 2520 Clmdmm32.exe 3036 Cehfkb32.exe 1032 Clbnhmjo.exe 2008 Cblfdg32.exe 1588 Difnaqih.exe 2336 Dhpemm32.exe 2764 Dmmmfc32.exe 2984 Eiekpd32.exe 2632 Eoepnk32.exe 2640 Ecploipa.exe 2684 Elipgofb.exe 672 Fnofjfhk.exe 108 Fhdjgoha.exe 2304 Fkbgckgd.exe 2092 Fgldnkkf.exe 548 Gfcnegnk.exe 1160 Ghajacmo.exe 2312 Gkpfmnlb.exe 2400 Gnaooi32.exe 2320 Gkglnm32.exe 1036 Gneijien.exe 292 Hmkeke32.exe 1524 Hcdnhoac.exe 1336 Hcgjmo32.exe 1300 Hakkgc32.exe 1708 Hfjpdjjo.exe 1392 Hmdhad32.exe 884 Inhanl32.exe 2260 Iafnjg32.exe 1740 Iedfqeka.exe 2812 Ihdpbq32.exe 2884 Ijclol32.exe 2616 Jmdepg32.exe 2728 Jdnmma32.exe 1444 Jfliim32.exe 2672 Jojkco32.exe 264 Jgabdlfb.exe 1828 Jefpeh32.exe 2120 Jondnnbk.exe 848 Kkeecogo.exe 2112 Kncaojfb.exe 708 Kdpfadlm.exe 1292 Kjmnjkjd.exe 1504 Kpicle32.exe -
Loads dropped DLL 64 IoCs
pid Process 1304 5b23af8ecfdce56e32de88f2e78d4b40N.exe 1304 5b23af8ecfdce56e32de88f2e78d4b40N.exe 2412 Hpjeialg.exe 2412 Hpjeialg.exe 2352 Hbiaemkk.exe 2352 Hbiaemkk.exe 2752 Ifampo32.exe 2752 Ifampo32.exe 2840 Jodhdp32.exe 2840 Jodhdp32.exe 2780 Jlhhndno.exe 2780 Jlhhndno.exe 2620 Kcmcoblm.exe 2620 Kcmcoblm.exe 2488 Kbigpn32.exe 2488 Kbigpn32.exe 2964 Lcaiiejc.exe 2964 Lcaiiejc.exe 2900 Lqejbiim.exe 2900 Lqejbiim.exe 324 Necogkbo.exe 324 Necogkbo.exe 312 Ndmecgba.exe 312 Ndmecgba.exe 2064 Ohcdhi32.exe 2064 Ohcdhi32.exe 2124 Pdakniag.exe 2124 Pdakniag.exe 2108 Panaeb32.exe 2108 Panaeb32.exe 448 Qdojgmfe.exe 448 Qdojgmfe.exe 1596 Bbbgod32.exe 1596 Bbbgod32.exe 640 Bbjmpcab.exe 640 Bbjmpcab.exe 2988 Cjgoje32.exe 2988 Cjgoje32.exe 920 Cpdgbm32.exe 920 Cpdgbm32.exe 2516 Ccbphk32.exe 2516 Ccbphk32.exe 2520 Clmdmm32.exe 2520 Clmdmm32.exe 3036 Cehfkb32.exe 3036 Cehfkb32.exe 1032 Clbnhmjo.exe 1032 Clbnhmjo.exe 2008 Cblfdg32.exe 2008 Cblfdg32.exe 1588 Difnaqih.exe 1588 Difnaqih.exe 2336 Dhpemm32.exe 2336 Dhpemm32.exe 2764 Dmmmfc32.exe 2764 Dmmmfc32.exe 2984 Eiekpd32.exe 2984 Eiekpd32.exe 2632 Eoepnk32.exe 2632 Eoepnk32.exe 2640 Ecploipa.exe 2640 Ecploipa.exe 2684 Elipgofb.exe 2684 Elipgofb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kcjjof32.dll Eiekpd32.exe File created C:\Windows\SysWOW64\Bchfhfeh.exe Bnknoogp.exe File created C:\Windows\SysWOW64\Khjgel32.exe Klcgpkhh.exe File created C:\Windows\SysWOW64\Nghpjn32.exe Nomkfk32.exe File opened for modification C:\Windows\SysWOW64\Jondnnbk.exe Jefpeh32.exe File opened for modification C:\Windows\SysWOW64\Bkjdndjo.exe Bqeqqk32.exe File created C:\Windows\SysWOW64\Khadpa32.exe Keqkofno.exe File opened for modification C:\Windows\SysWOW64\Ieofkp32.exe Hbnmienj.exe File created C:\Windows\SysWOW64\Bqhmfl32.dll Ejklan32.exe File created C:\Windows\SysWOW64\Nanhfpff.dll Klmbjh32.exe File opened for modification C:\Windows\SysWOW64\Cdmepgce.exe Cgidfcdk.exe File created C:\Windows\SysWOW64\Hfebhmbm.exe Hajfgnjc.exe File opened for modification C:\Windows\SysWOW64\Hplphd32.exe Hipkfkgh.exe File created C:\Windows\SysWOW64\Opialpld.exe Oimmjffj.exe File opened for modification C:\Windows\SysWOW64\Peeabm32.exe Pkjqcg32.exe File created C:\Windows\SysWOW64\Iilaldhd.dll Dfkjgm32.exe File created C:\Windows\SysWOW64\Ngpcohbm.exe Npfjbn32.exe File opened for modification C:\Windows\SysWOW64\Ccbphk32.exe Cpdgbm32.exe File created C:\Windows\SysWOW64\Ncnngfna.exe Nbjeinje.exe File created C:\Windows\SysWOW64\Kaggbihl.exe Kjkbpp32.exe File opened for modification C:\Windows\SysWOW64\Bnknoogp.exe Bkjdndjo.exe File opened for modification C:\Windows\SysWOW64\Khadpa32.exe Keqkofno.exe File opened for modification C:\Windows\SysWOW64\Pnhjgj32.exe Pljnkodm.exe File opened for modification C:\Windows\SysWOW64\Aegkfpah.exe Aeenapck.exe File created C:\Windows\SysWOW64\Elnpioai.dll Djiqdb32.exe File created C:\Windows\SysWOW64\Aeganjdl.dll Ohmoco32.exe File created C:\Windows\SysWOW64\Alonfb32.dll Mdldeo32.exe File opened for modification C:\Windows\SysWOW64\Iejkhlip.exe Imogcj32.exe File created C:\Windows\SysWOW64\Kngekdnf.exe Kpbhjh32.exe File opened for modification C:\Windows\SysWOW64\Coladm32.exe Cnhhge32.exe File created C:\Windows\SysWOW64\Ficfbkij.dll Enpban32.exe File created C:\Windows\SysWOW64\Pobiicng.dll Gaplfinb.exe File opened for modification C:\Windows\SysWOW64\Dmgmpnhl.exe Djiqdb32.exe File opened for modification C:\Windows\SysWOW64\Hbdjcffd.exe Gqaafn32.exe File opened for modification C:\Windows\SysWOW64\Aacmij32.exe Qoeamo32.exe File created C:\Windows\SysWOW64\Inepgn32.exe Hhfkihon.exe File created C:\Windows\SysWOW64\Dcming32.dll Pkjqcg32.exe File opened for modification C:\Windows\SysWOW64\Obmpgjbb.exe Offpbi32.exe File opened for modification C:\Windows\SysWOW64\Eheglk32.exe Dbfbnddq.exe File created C:\Windows\SysWOW64\Dahkok32.exe Deakjjbk.exe File created C:\Windows\SysWOW64\Bccjfi32.dll Kkojbf32.exe File created C:\Windows\SysWOW64\Eebibf32.exe Ecnpdnho.exe File opened for modification C:\Windows\SysWOW64\Gmkjgfmf.exe Gimaah32.exe File created C:\Windows\SysWOW64\Aiaoclgl.exe Ahpbkd32.exe File created C:\Windows\SysWOW64\Pfgqnf32.dll Hdbbnd32.exe File created C:\Windows\SysWOW64\Okhdnm32.dll Obhdcanc.exe File created C:\Windows\SysWOW64\Eneegl32.dll Ppddpd32.exe File opened for modification C:\Windows\SysWOW64\Jlhhndno.exe Jodhdp32.exe File created C:\Windows\SysWOW64\Gjkaenpg.dll Bkkgfm32.exe File opened for modification C:\Windows\SysWOW64\Nflfad32.exe Nopaoj32.exe File created C:\Windows\SysWOW64\Gogckopd.dll Mokkegmm.exe File opened for modification C:\Windows\SysWOW64\Coindgbi.exe Cdcjgnbc.exe File opened for modification C:\Windows\SysWOW64\Hghillnd.exe Hfepod32.exe File created C:\Windows\SysWOW64\Fijbco32.exe Fihfnp32.exe File created C:\Windows\SysWOW64\Godgdfic.dll Pimkbbpi.exe File created C:\Windows\SysWOW64\Ciffggmh.dll Mdiefffn.exe File created C:\Windows\SysWOW64\Hnhgha32.exe Gglbfg32.exe File created C:\Windows\SysWOW64\Gfbejp32.dll Aegkfpah.exe File opened for modification C:\Windows\SysWOW64\Ngpcohbm.exe Npfjbn32.exe File created C:\Windows\SysWOW64\Djoeki32.exe Dgqion32.exe File created C:\Windows\SysWOW64\Dclcqbcj.dll Odnobj32.exe File created C:\Windows\SysWOW64\Omqjgl32.exe Onkmfofg.exe File opened for modification C:\Windows\SysWOW64\Olbfagca.exe Oidiekdn.exe File created C:\Windows\SysWOW64\Laleof32.exe Kkpqlm32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjpdjjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpicle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fepjea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmcebkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpemhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcaiiejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iejiodbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klfjpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbogqoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkmjlca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bolcma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbegbacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmefaan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonlkcho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkciic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biccfalm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkglnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofqpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaggbihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbojjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panaeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojecajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agihgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doabjbci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfahaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnngfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpcehcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkmie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkcekfad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbmll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkbpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdgipkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcnoejch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpban32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbnlaqhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfmjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpmog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghillnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqennbbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebialmjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfnkqgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjaeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmnlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohccp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbabho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efljhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhninb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miclhpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnhngjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldmleam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmpnhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anogijnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbobaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Facdgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplphd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aacmij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjbmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilfgq32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hghillnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcijlpq.dll" Hcgmfgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippdloip.dll" Dgqion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaokbi32.dll" Glnkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbfook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjejkao.dll" Laleof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fodgkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddppmclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpajjg32.dll" Aiaqle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnokgjk.dll" Ehlmljkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kofcbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiknnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jacibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebpcpj.dll" Pmmneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miglefjd.dll" Bkknac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Almihjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfleblle.dll" Lhfpdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qklhgdgp.dll" Ppkmjlca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgpacpe.dll" Fnadkjlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqaafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhjppcf.dll" Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplkbo32.dll" Oekehomj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqennbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhdjgoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjkdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkkmgncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbmmbaal.dll" Pildgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcfemmna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chgnneiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbobaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fchkbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdbepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Occjjnap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onoqfehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieofkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfggkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lilfgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfkmcdp.dll" Ddppmclb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnadkjlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgcbhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njldhk32.dll" Mhninb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqkpmaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhadf32.dll" Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liipnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbelhkp.dll" Ngpcohbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ephdjeol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfnnlboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmbnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnpepil.dll" Ngeljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhbpkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhhhbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbclaqa.dll" Hmjoqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbndmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfeeehni.dll" Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnknoogp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1304 wrote to memory of 2412 1304 5b23af8ecfdce56e32de88f2e78d4b40N.exe 30 PID 1304 wrote to memory of 2412 1304 5b23af8ecfdce56e32de88f2e78d4b40N.exe 30 PID 1304 wrote to memory of 2412 1304 5b23af8ecfdce56e32de88f2e78d4b40N.exe 30 PID 1304 wrote to memory of 2412 1304 5b23af8ecfdce56e32de88f2e78d4b40N.exe 30 PID 2412 wrote to memory of 2352 2412 Hpjeialg.exe 31 PID 2412 wrote to memory of 2352 2412 Hpjeialg.exe 31 PID 2412 wrote to memory of 2352 2412 Hpjeialg.exe 31 PID 2412 wrote to memory of 2352 2412 Hpjeialg.exe 31 PID 2352 wrote to memory of 2752 2352 Hbiaemkk.exe 32 PID 2352 wrote to memory of 2752 2352 Hbiaemkk.exe 32 PID 2352 wrote to memory of 2752 2352 Hbiaemkk.exe 32 PID 2352 wrote to memory of 2752 2352 Hbiaemkk.exe 32 PID 2752 wrote to memory of 2840 2752 Ifampo32.exe 33 PID 2752 wrote to memory of 2840 2752 Ifampo32.exe 33 PID 2752 wrote to memory of 2840 2752 Ifampo32.exe 33 PID 2752 wrote to memory of 2840 2752 Ifampo32.exe 33 PID 2840 wrote to memory of 2780 2840 Jodhdp32.exe 34 PID 2840 wrote to memory of 2780 2840 Jodhdp32.exe 34 PID 2840 wrote to memory of 2780 2840 Jodhdp32.exe 34 PID 2840 wrote to memory of 2780 2840 Jodhdp32.exe 34 PID 2780 wrote to memory of 2620 2780 Jlhhndno.exe 35 PID 2780 wrote to memory of 2620 2780 Jlhhndno.exe 35 PID 2780 wrote to memory of 2620 2780 Jlhhndno.exe 35 PID 2780 wrote to memory of 2620 2780 Jlhhndno.exe 35 PID 2620 wrote to memory of 2488 2620 Kcmcoblm.exe 36 PID 2620 wrote to memory of 2488 2620 Kcmcoblm.exe 36 PID 2620 wrote to memory of 2488 2620 Kcmcoblm.exe 36 PID 2620 wrote to memory of 2488 2620 Kcmcoblm.exe 36 PID 2488 wrote to memory of 2964 2488 Kbigpn32.exe 37 PID 2488 wrote to memory of 2964 2488 Kbigpn32.exe 37 PID 2488 wrote to memory of 2964 2488 Kbigpn32.exe 37 PID 2488 wrote to memory of 2964 2488 Kbigpn32.exe 37 PID 2964 wrote to memory of 2900 2964 Lcaiiejc.exe 38 PID 2964 wrote to memory of 2900 2964 Lcaiiejc.exe 38 PID 2964 wrote to memory of 2900 2964 Lcaiiejc.exe 38 PID 2964 wrote to memory of 2900 2964 Lcaiiejc.exe 38 PID 2900 wrote to memory of 324 2900 Lqejbiim.exe 39 PID 2900 wrote to memory of 324 2900 Lqejbiim.exe 39 PID 2900 wrote to memory of 324 2900 Lqejbiim.exe 39 PID 2900 wrote to memory of 324 2900 Lqejbiim.exe 39 PID 324 wrote to memory of 312 324 Necogkbo.exe 40 PID 324 wrote to memory of 312 324 Necogkbo.exe 40 PID 324 wrote to memory of 312 324 Necogkbo.exe 40 PID 324 wrote to memory of 312 324 Necogkbo.exe 40 PID 312 wrote to memory of 2064 312 Ndmecgba.exe 41 PID 312 wrote to memory of 2064 312 Ndmecgba.exe 41 PID 312 wrote to memory of 2064 312 Ndmecgba.exe 41 PID 312 wrote to memory of 2064 312 Ndmecgba.exe 41 PID 2064 wrote to memory of 2124 2064 Ohcdhi32.exe 42 PID 2064 wrote to memory of 2124 2064 Ohcdhi32.exe 42 PID 2064 wrote to memory of 2124 2064 Ohcdhi32.exe 42 PID 2064 wrote to memory of 2124 2064 Ohcdhi32.exe 42 PID 2124 wrote to memory of 2108 2124 Pdakniag.exe 43 PID 2124 wrote to memory of 2108 2124 Pdakniag.exe 43 PID 2124 wrote to memory of 2108 2124 Pdakniag.exe 43 PID 2124 wrote to memory of 2108 2124 Pdakniag.exe 43 PID 2108 wrote to memory of 448 2108 Panaeb32.exe 44 PID 2108 wrote to memory of 448 2108 Panaeb32.exe 44 PID 2108 wrote to memory of 448 2108 Panaeb32.exe 44 PID 2108 wrote to memory of 448 2108 Panaeb32.exe 44 PID 448 wrote to memory of 1596 448 Qdojgmfe.exe 45 PID 448 wrote to memory of 1596 448 Qdojgmfe.exe 45 PID 448 wrote to memory of 1596 448 Qdojgmfe.exe 45 PID 448 wrote to memory of 1596 448 Qdojgmfe.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b23af8ecfdce56e32de88f2e78d4b40N.exe"C:\Users\Admin\AppData\Local\Temp\5b23af8ecfdce56e32de88f2e78d4b40N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:640 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe33⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe35⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe36⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe37⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe38⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe39⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe40⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe42⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe43⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe44⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe46⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe48⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe50⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe51⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe52⤵PID:2256
-
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe53⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe54⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe55⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe56⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe59⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe61⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe63⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe64⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe65⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe67⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe68⤵PID:2056
-
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe69⤵PID:1720
-
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe70⤵
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe71⤵PID:2036
-
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe72⤵PID:2892
-
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe73⤵
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe74⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe75⤵PID:2648
-
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe76⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe77⤵PID:3052
-
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe78⤵PID:1492
-
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe79⤵PID:1280
-
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1244 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe81⤵PID:2560
-
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe82⤵PID:2992
-
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe83⤵PID:1652
-
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe84⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe85⤵
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe86⤵PID:844
-
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe87⤵PID:1792
-
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe89⤵PID:2756
-
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe90⤵
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe91⤵PID:2980
-
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe92⤵PID:2344
-
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe94⤵PID:780
-
C:\Windows\SysWOW64\Pkmlmbcd.exeC:\Windows\system32\Pkmlmbcd.exe95⤵PID:2204
-
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe97⤵PID:3000
-
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe98⤵PID:1356
-
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe99⤵PID:1340
-
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe100⤵PID:2436
-
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe102⤵
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe103⤵PID:1692
-
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe104⤵PID:2760
-
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2776 -
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe106⤵PID:1156
-
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe107⤵PID:2952
-
C:\Windows\SysWOW64\Bqeqqk32.exeC:\Windows\system32\Bqeqqk32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe109⤵
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Bnknoogp.exeC:\Windows\system32\Bnknoogp.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe111⤵PID:1632
-
C:\Windows\SysWOW64\Bgcbhd32.exeC:\Windows\system32\Bgcbhd32.exe112⤵
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe113⤵PID:1812
-
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe114⤵PID:2888
-
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe115⤵PID:2448
-
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe116⤵PID:1920
-
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe117⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Ceebklai.exeC:\Windows\system32\Ceebklai.exe118⤵PID:2720
-
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe119⤵PID:1512
-
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe120⤵PID:892
-
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe121⤵
- Modifies registry class
PID:1704
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-