Analysis
max time kernel: 35s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22-08-2024 18:32
Static task: static1

Behavioral task: behavioral1
Sample: ee3be3cd22a046a8e1d0ee03e7fd8810N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: ee3be3cd22a046a8e1d0ee03e7fd8810N.exe
Resource: win10v2004-20240802-en
General
Target: ee3be3cd22a046a8e1d0ee03e7fd8810N.exe
Size: 512KB
MD5: ee3be3cd22a046a8e1d0ee03e7fd8810
SHA1: 647908ddb55db682a3422366d1ca9a6071a7b7c3
SHA256: 32b9c6ec6bbd8e5f445d3eb558453737f585cb4826bcdc243de2616f9f814d45
SHA512: 512a4f4befa66338fc6a4e957bc664aeac39086d8feb96a154661b02ff77eedd6b6dad7ff4ca11b29ccfe89ebca102f989bd9d1f4c803ddd5e96dc49a9279b11
SSDEEP: 6144:/V7cc4/YMrdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01PB93G4:Nnr/Ng1/Nblt01PBExK
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee3be3cd22a046a8e1d0ee03e7fd8810N.exe"C:\Users\Admin\AppData\Local\Temp\ee3be3cd22a046a8e1d0ee03e7fd8810N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Necandjo.exeC:\Windows\system32\Necandjo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Opoocb32.exeC:\Windows\system32\Opoocb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Ojhdmgkl.exeC:\Windows\system32\Ojhdmgkl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Ogldfl32.exeC:\Windows\system32\Ogldfl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Ognakk32.exeC:\Windows\system32\Ognakk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Ogpnakfp.exeC:\Windows\system32\Ogpnakfp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Pkbcjn32.exeC:\Windows\system32\Pkbcjn32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Qahnid32.exeC:\Windows\system32\Qahnid32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Amalcd32.exeC:\Windows\system32\Amalcd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Aihmhe32.exeC:\Windows\system32\Aihmhe32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Abcngkmp.exeC:\Windows\system32\Abcngkmp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Bfjmkn32.exeC:\Windows\system32\Bfjmkn32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Bkheal32.exeC:\Windows\system32\Bkheal32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Bpgjob32.exeC:\Windows\system32\Bpgjob32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Cbhcankf.exeC:\Windows\system32\Cbhcankf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404 -
C:\Windows\SysWOW64\Condfo32.exeC:\Windows\system32\Condfo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1120 -
C:\Windows\SysWOW64\Cemfnh32.exeC:\Windows\system32\Cemfnh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:692 -
C:\Windows\SysWOW64\Dhnoocab.exeC:\Windows\system32\Dhnoocab.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Dpicceon.exeC:\Windows\system32\Dpicceon.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Dhiacg32.exeC:\Windows\system32\Dhiacg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Dbaflm32.exeC:\Windows\system32\Dbaflm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Ekjjebed.exeC:\Windows\system32\Ekjjebed.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Edbonh32.exeC:\Windows\system32\Edbonh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Ehbdif32.exeC:\Windows\system32\Ehbdif32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Enomam32.exeC:\Windows\system32\Enomam32.exe27⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Ekcmkamj.exeC:\Windows\system32\Ekcmkamj.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Fpjlpclc.exeC:\Windows\system32\Fpjlpclc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Fhgnie32.exeC:\Windows\system32\Fhgnie32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Gboolneo.exeC:\Windows\system32\Gboolneo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Gjjcqpbj.exeC:\Windows\system32\Gjjcqpbj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Gfadeaho.exeC:\Windows\system32\Gfadeaho.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Gjomlp32.exeC:\Windows\system32\Gjomlp32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Gdgadeee.exeC:\Windows\system32\Gdgadeee.exe35⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Hpnbjfjj.exeC:\Windows\system32\Hpnbjfjj.exe36⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Hiffbl32.exeC:\Windows\system32\Hiffbl32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Hfjglppd.exeC:\Windows\system32\Hfjglppd.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Hoflpbmo.exeC:\Windows\system32\Hoflpbmo.exe39⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Hhnpih32.exeC:\Windows\system32\Hhnpih32.exe40⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Hinlck32.exeC:\Windows\system32\Hinlck32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Hbfalpab.exeC:\Windows\system32\Hbfalpab.exe42⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Ihcidgpj.exeC:\Windows\system32\Ihcidgpj.exe43⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Iaknmm32.exeC:\Windows\system32\Iaknmm32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Inbobn32.exeC:\Windows\system32\Inbobn32.exe45⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Igjckcbo.exeC:\Windows\system32\Igjckcbo.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Ipbgci32.exeC:\Windows\system32\Ipbgci32.exe47⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Infhmmhi.exeC:\Windows\system32\Infhmmhi.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:368 -
C:\Windows\SysWOW64\Iccqedfa.exeC:\Windows\system32\Iccqedfa.exe49⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Iniebmfg.exeC:\Windows\system32\Iniebmfg.exe50⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Jgaikb32.exeC:\Windows\system32\Jgaikb32.exe51⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Jomnpdjb.exeC:\Windows\system32\Jomnpdjb.exe52⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Jjbbmmih.exeC:\Windows\system32\Jjbbmmih.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Jficbn32.exeC:\Windows\system32\Jficbn32.exe54⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Jkfkjemd.exeC:\Windows\system32\Jkfkjemd.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Jfkphnmj.exeC:\Windows\system32\Jfkphnmj.exe56⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Jnfdlpje.exeC:\Windows\system32\Jnfdlpje.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Kjmeaa32.exeC:\Windows\system32\Kjmeaa32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Kdcinjpo.exeC:\Windows\system32\Kdcinjpo.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Kjpafanf.exeC:\Windows\system32\Kjpafanf.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Kdefdjnl.exeC:\Windows\system32\Kdefdjnl.exe61⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Koogdg32.exeC:\Windows\system32\Koogdg32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Kigkmmql.exeC:\Windows\system32\Kigkmmql.exe63⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Kbppfb32.exeC:\Windows\system32\Kbppfb32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Kiihcmoi.exeC:\Windows\system32\Kiihcmoi.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Lfmhla32.exeC:\Windows\system32\Lfmhla32.exe66⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Lkjadh32.exeC:\Windows\system32\Lkjadh32.exe67⤵PID:1260
-
C:\Windows\SysWOW64\Lgaaiian.exeC:\Windows\system32\Lgaaiian.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Laifbnho.exeC:\Windows\system32\Laifbnho.exe69⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Llojpghe.exeC:\Windows\system32\Llojpghe.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Lcjodiep.exeC:\Windows\system32\Lcjodiep.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Mnbpgb32.exeC:\Windows\system32\Mnbpgb32.exe72⤵
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\Mfmekd32.exeC:\Windows\system32\Mfmekd32.exe73⤵
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Mpeidjfo.exeC:\Windows\system32\Mpeidjfo.exe74⤵PID:1696
-
C:\Windows\SysWOW64\Mjknab32.exeC:\Windows\system32\Mjknab32.exe75⤵PID:572
-
C:\Windows\SysWOW64\Mphfji32.exeC:\Windows\system32\Mphfji32.exe76⤵PID:976
-
C:\Windows\SysWOW64\Mmlfcn32.exeC:\Windows\system32\Mmlfcn32.exe77⤵
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Mlacdj32.exeC:\Windows\system32\Mlacdj32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1436 -
C:\Windows\SysWOW64\Mbkladpj.exeC:\Windows\system32\Mbkladpj.exe79⤵
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Nlcpjj32.exeC:\Windows\system32\Nlcpjj32.exe80⤵
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Nbmhfdnh.exeC:\Windows\system32\Nbmhfdnh.exe81⤵PID:884
-
C:\Windows\SysWOW64\Nhjaok32.exeC:\Windows\system32\Nhjaok32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344 -
C:\Windows\SysWOW64\Nmgiga32.exeC:\Windows\system32\Nmgiga32.exe83⤵PID:2736
-
C:\Windows\SysWOW64\Ngonpgqg.exeC:\Windows\system32\Ngonpgqg.exe84⤵PID:396
-
C:\Windows\SysWOW64\Naebmppm.exeC:\Windows\system32\Naebmppm.exe85⤵PID:2908
-
C:\Windows\SysWOW64\Ngajeg32.exeC:\Windows\system32\Ngajeg32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Nkpckeek.exeC:\Windows\system32\Nkpckeek.exe87⤵PID:1728
-
C:\Windows\SysWOW64\Olclimif.exeC:\Windows\system32\Olclimif.exe88⤵PID:1732
-
C:\Windows\SysWOW64\Pcmadj32.exeC:\Windows\system32\Pcmadj32.exe89⤵PID:2412
-
C:\Windows\SysWOW64\Pcajpjoi.exeC:\Windows\system32\Pcajpjoi.exe90⤵PID:236
-
C:\Windows\SysWOW64\Pjlbld32.exeC:\Windows\system32\Pjlbld32.exe91⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Qohkdkdn.exeC:\Windows\system32\Qohkdkdn.exe92⤵PID:588
-
C:\Windows\SysWOW64\Qmlknocg.exeC:\Windows\system32\Qmlknocg.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Qbidffao.exeC:\Windows\system32\Qbidffao.exe94⤵PID:2888
-
C:\Windows\SysWOW64\Qiclcp32.exeC:\Windows\system32\Qiclcp32.exe95⤵PID:2772
-
C:\Windows\SysWOW64\Abkqle32.exeC:\Windows\system32\Abkqle32.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Aghidl32.exeC:\Windows\system32\Aghidl32.exe97⤵PID:2536
-
C:\Windows\SysWOW64\Aaqnmbdd.exeC:\Windows\system32\Aaqnmbdd.exe98⤵PID:1444
-
C:\Windows\SysWOW64\Akfbjkdj.exeC:\Windows\system32\Akfbjkdj.exe99⤵PID:808
-
C:\Windows\SysWOW64\Aeofcpjj.exeC:\Windows\system32\Aeofcpjj.exe100⤵
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\SysWOW64\Ajkokgia.exeC:\Windows\system32\Ajkokgia.exe101⤵
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Aaegha32.exeC:\Windows\system32\Aaegha32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Ajnlqgfo.exeC:\Windows\system32\Ajnlqgfo.exe103⤵
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\SysWOW64\Aahdmanl.exeC:\Windows\system32\Aahdmanl.exe104⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Bjphff32.exeC:\Windows\system32\Bjphff32.exe105⤵
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Bajqcqli.exeC:\Windows\system32\Bajqcqli.exe106⤵PID:2320
-
C:\Windows\SysWOW64\Bfgikgjq.exeC:\Windows\system32\Bfgikgjq.exe107⤵PID:2624
-
C:\Windows\SysWOW64\Bmaaha32.exeC:\Windows\system32\Bmaaha32.exe108⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Bbnjphpe.exeC:\Windows\system32\Bbnjphpe.exe109⤵PID:1916
-
C:\Windows\SysWOW64\Bpajjmon.exeC:\Windows\system32\Bpajjmon.exe110⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Bijobb32.exeC:\Windows\system32\Bijobb32.exe111⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Beqogc32.exeC:\Windows\system32\Beqogc32.exe112⤵
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Coidpiac.exeC:\Windows\system32\Coidpiac.exe113⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Chahin32.exeC:\Windows\system32\Chahin32.exe114⤵PID:2844
-
C:\Windows\SysWOW64\Cmnqae32.exeC:\Windows\system32\Cmnqae32.exe115⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Chdeonfa.exeC:\Windows\system32\Chdeonfa.exe116⤵PID:1996
-
C:\Windows\SysWOW64\Caligc32.exeC:\Windows\system32\Caligc32.exe117⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Chfadndo.exeC:\Windows\system32\Chfadndo.exe118⤵PID:2632
-
C:\Windows\SysWOW64\Caofmc32.exeC:\Windows\system32\Caofmc32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:924 -
C:\Windows\SysWOW64\Ckgkfi32.exeC:\Windows\system32\Ckgkfi32.exe120⤵PID:2136
-
C:\Windows\SysWOW64\Ccbojk32.exeC:\Windows\system32\Ccbojk32.exe121⤵PID:3000
-
C:\Windows\SysWOW64\Dmhcgd32.exeC:\Windows\system32\Dmhcgd32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1772