Analysis

max time kernel: 37s
max time network: 19s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 23-08-2024 11:40

Static task: static1

Behavioral task: behavioral1
Sample: 5e895b8923d29c16029b9a0e9c975550N.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 5e895b8923d29c16029b9a0e9c975550N.exe
Resource: win10v2004-20240802-en

General

Target: 5e895b8923d29c16029b9a0e9c975550N.exe
Size: 96KB
MD5: 5e895b8923d29c16029b9a0e9c975550
SHA1: 7c79cbfe534a3d6eafccf8e7704cda9c4eb3bb02
SHA256: 6fae007587e87ef32606a12be0c385bdb82631d99a80f32a2b7587b1231abf0e
SHA512: 1e888b5a3d38ac49dfe2a3efd3b208d543cb7e6f2cc4ef71696e7704949219e94b5ac4b5f2caee9e126fb7c531a2bb2c2d76db39328727e900646f2b446d9eb9
SSDEEP: 1536:tOb3VUseXyHY3JQLBH/JiLSGcXcEW8H85zWpzBke9MbinV39+ChnSdFFn7Elz45Q:Ugy43mLBBieD3W8H85ajkAMbqV39ThSy
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qilgneen.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Didbifoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epimjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fppcjcfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hqdeciho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jikjcikm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aiaqie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gafelnkb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iglmjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfhnmiii.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfocmhcq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpkfng32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifhdlo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Albijp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkjfpe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjcllq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjcimhab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bflghh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gcceqa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnclbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bopbeopi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecppoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ioibde32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Damjhhne.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejleamon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gndpcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gogipbln.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Coghfn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glimdgmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdikch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhkhoedh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghmach32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hnapln32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnlafm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhkhoedh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abieajgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejleamon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iiimnjmp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bngllkbn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebjfko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fblcaohd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aajhhgpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aaaohfjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cqkace32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmfkcf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fknnfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbcnloam.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmfkcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpblof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhbnpdnq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gemham32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgjdecca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qechbf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbjjll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efqian32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qilgneen.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dknejb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejjhlmqa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hqplhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahkgeq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cflcglho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgggpded.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alpmep32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fliaecjo.exe
Executes dropped EXE (64 IoCs)

pid | Process
1688 | Pjemgibi.exe
1760 | Pmcjceam.exe
2004 | Pdmbpo32.exe
1348 | Pjgjmipf.exe
2612 | Plhfda32.exe
2768 | Qbboakna.exe
2996 | Qilgneen.exe
2544 | Qlkcjadb.exe
2564 | Qbelfk32.exe
1460 | Qechbf32.exe
2468 | Qpilpo32.exe
2148 | Aajhhgpg.exe
2856 | Aiaqie32.exe
2588 | Alpmep32.exe
2972 | Abieajgi.exe
1236 | Adkaib32.exe
2284 | Albijp32.exe
3020 | Akdjfmed.exe
2340 | Aejncedk.exe
2272 | Ahijpa32.exe
928 | Agkjknji.exe
1436 | Aaaohfjo.exe
2308 | Ahkgeq32.exe
1580 | Ajlcmigj.exe
832 | Aacknfhl.exe
1336 | Apflic32.exe
2212 | Agpdfmfc.exe
1976 | Bjopbh32.exe
1704 | Bphhobmd.exe
2808 | Bjamhh32.exe
2644 | Bjamhh32.exe
2652 | Bloidc32.exe
2788 | Bonepo32.exe
2616 | Bfhnmiii.exe
2512 | Bjcimhab.exe
2572 | Bopbeopi.exe
1744 | Bclnfm32.exe
2540 | Bfjjbi32.exe
2868 | Boboknnf.exe
2600 | Bflghh32.exe
2132 | Bkiopock.exe
1816 | Bngllkbn.exe
2264 | Cfocmhcq.exe
584 | Chmpicbd.exe
2168 | Coghfn32.exe
2412 | Cddqod32.exe
2400 | Cgbmkp32.exe
856 | Cjqigkfp.exe
2244 | Cbhahigb.exe
2296 | Cqkace32.exe
1312 | Ccinpa32.exe
2228 | Cjcflkdm.exe
1692 | Cqmnie32.exe
2324 | Cggffocg.exe
2720 | Cfjfal32.exe
2664 | Cmdonf32.exe
2676 | Cqokoeig.exe
1340 | Cgicko32.exe
868 | Cflcglho.exe
2824 | Cikocggb.exe
2896 | Dmfkcf32.exe
2376 | Dcpcppfh.exe
988 | Dfoplkel.exe
2352 | Dmhhie32.exe
Loads dropped DLL (64 IoCs)

pid | Process
1908 | 5e895b8923d29c16029b9a0e9c975550N.exe
1908 | 5e895b8923d29c16029b9a0e9c975550N.exe
1688 | Pjemgibi.exe
1688 | Pjemgibi.exe
1760 | Pmcjceam.exe
1760 | Pmcjceam.exe
2004 | Pdmbpo32.exe
2004 | Pdmbpo32.exe
1348 | Pjgjmipf.exe
1348 | Pjgjmipf.exe
2612 | Plhfda32.exe
2612 | Plhfda32.exe
2768 | Qbboakna.exe
2768 | Qbboakna.exe
2996 | Qilgneen.exe
2996 | Qilgneen.exe
2544 | Qlkcjadb.exe
2544 | Qlkcjadb.exe
2564 | Qbelfk32.exe
2564 | Qbelfk32.exe
1460 | Qechbf32.exe
1460 | Qechbf32.exe
2468 | Qpilpo32.exe
2468 | Qpilpo32.exe
2148 | Aajhhgpg.exe
2148 | Aajhhgpg.exe
2856 | Aiaqie32.exe
2856 | Aiaqie32.exe
2588 | Alpmep32.exe
2588 | Alpmep32.exe
2972 | Abieajgi.exe
2972 | Abieajgi.exe
1236 | Adkaib32.exe
1236 | Adkaib32.exe
2284 | Albijp32.exe
2284 | Albijp32.exe
3020 | Akdjfmed.exe
3020 | Akdjfmed.exe
2340 | Aejncedk.exe
2340 | Aejncedk.exe
2272 | Ahijpa32.exe
2272 | Ahijpa32.exe
928 | Agkjknji.exe
928 | Agkjknji.exe
1436 | Aaaohfjo.exe
1436 | Aaaohfjo.exe
2308 | Ahkgeq32.exe
2308 | Ahkgeq32.exe
1580 | Ajlcmigj.exe
1580 | Ajlcmigj.exe
832 | Aacknfhl.exe
832 | Aacknfhl.exe
1336 | Apflic32.exe
1336 | Apflic32.exe
2212 | Agpdfmfc.exe
2212 | Agpdfmfc.exe
1976 | Bjopbh32.exe
1976 | Bjopbh32.exe
1704 | Bphhobmd.exe
1704 | Bphhobmd.exe
2808 | Bjamhh32.exe
2808 | Bjamhh32.exe
2644 | Bjamhh32.exe
2644 | Bjamhh32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Agnmaafg.dll | Ghpnihbo.exe
File opened for modification | C:\Windows\SysWOW64\Cikocggb.exe | Cflcglho.exe
File opened for modification | C:\Windows\SysWOW64\Epkjoc32.exe | Efcefndb.exe
File created | C:\Windows\SysWOW64\Mhpnpeei.dll | Fejomjgg.exe
File opened for modification | C:\Windows\SysWOW64\Gkqjlpmd.exe | Fhbnpdnq.exe
File created | C:\Windows\SysWOW64\Mkopop32.dll | Glddig32.exe
File created | C:\Windows\SysWOW64\Hhjhpbic.dll | Gcnleahm.exe
File created | C:\Windows\SysWOW64\Ojhjnlna.dll | Gcceqa32.exe
File opened for modification | C:\Windows\SysWOW64\Hcpejd32.exe | Hqbini32.exe
File created | C:\Windows\SysWOW64\Bnhbkl32.dll | Pmcjceam.exe
File created | C:\Windows\SysWOW64\Qilgneen.exe | Qbboakna.exe
File created | C:\Windows\SysWOW64\Bjamhh32.exe | Bjamhh32.exe
File created | C:\Windows\SysWOW64\Dnqkammo.exe | Didbifoh.exe
File created | C:\Windows\SysWOW64\Jdojjh32.dll | Jikjcikm.exe
File opened for modification | C:\Windows\SysWOW64\Eafmng32.exe | Eioemj32.exe
File created | C:\Windows\SysWOW64\Geoegm32.exe | Goemjbna.exe
File created | C:\Windows\SysWOW64\Qcinmkpj.dll | Ifjqbnnl.exe
File opened for modification | C:\Windows\SysWOW64\Dbjjll32.exe | Dnnnlmob.exe
File created | C:\Windows\SysWOW64\Epkjoc32.exe | Efcefndb.exe
File created | C:\Windows\SysWOW64\Fdbidfjm.exe | Feoihi32.exe
File created | C:\Windows\SysWOW64\Albijp32.exe | Adkaib32.exe
File created | C:\Windows\SysWOW64\Flapqp32.dll | Agkjknji.exe
File created | C:\Windows\SysWOW64\Dmhhie32.exe | Dfoplkel.exe
File created | C:\Windows\SysWOW64\Abamkn32.dll | Dnlafm32.exe
File opened for modification | C:\Windows\SysWOW64\Fpngec32.exe | Elbkddpg.exe
File created | C:\Windows\SysWOW64\Cbmehn32.dll | Fliaecjo.exe
File created | C:\Windows\SysWOW64\Jpnhoh32.exe | Jakhckdb.exe
File created | C:\Windows\SysWOW64\Dannhd32.dll | Ahkgeq32.exe
File opened for modification | C:\Windows\SysWOW64\Bopbeopi.exe | Bjcimhab.exe
File opened for modification | C:\Windows\SysWOW64\Jgccjenb.exe | Jedgnjon.exe
File created | C:\Windows\SysWOW64\Lqgcofdl.dll | Cfocmhcq.exe
File created | C:\Windows\SysWOW64\Aogjlf32.dll | Emfhbi32.exe
File opened for modification | C:\Windows\SysWOW64\Gcceqa32.exe | Gogipbln.exe
File created | C:\Windows\SysWOW64\Ifhdlo32.exe | Icjhpc32.exe
File opened for modification | C:\Windows\SysWOW64\Plhfda32.exe | Pjgjmipf.exe
File created | C:\Windows\SysWOW64\Nmohbdgo.dll | Aajhhgpg.exe
File created | C:\Windows\SysWOW64\Nbipmk32.dll | Bfjjbi32.exe
File opened for modification | C:\Windows\SysWOW64\Ejgkfn32.exe | Ehiojb32.exe
File created | C:\Windows\SysWOW64\Knfail32.dll | Eempcfbi.exe
File created | C:\Windows\SysWOW64\Inhfmmfi.exe | Hfanlpff.exe
File opened for modification | C:\Windows\SysWOW64\Ioibde32.exe | Imkfhj32.exe
File opened for modification | C:\Windows\SysWOW64\Jgqfefpe.exe | Jcekdg32.exe
File opened for modification | C:\Windows\SysWOW64\Jaiknk32.exe | Jnjoap32.exe
File created | C:\Windows\SysWOW64\Pjgjmipf.exe | Pdmbpo32.exe
File created | C:\Windows\SysWOW64\Jaiknk32.exe | Jnjoap32.exe
File created | C:\Windows\SysWOW64\Blmdnmbn.dll | Jedgnjon.exe
File created | C:\Windows\SysWOW64\Ifcdnajj.dll | Aaaohfjo.exe
File created | C:\Windows\SysWOW64\Iqcfeo32.dll | Eidohiac.exe
File opened for modification | C:\Windows\SysWOW64\Jppedg32.exe | Jandikbp.exe
File created | C:\Windows\SysWOW64\Cgicko32.exe | Cqokoeig.exe
File opened for modification | C:\Windows\SysWOW64\Dmkeoekf.exe | Dfambk32.exe
File created | C:\Windows\SysWOW64\Ebnfdkdf.dll | Fknnfp32.exe
File created | C:\Windows\SysWOW64\Jeahpajf.dll | Icjhpc32.exe
File opened for modification | C:\Windows\SysWOW64\Jikjcikm.exe | Jepnck32.exe
File created | C:\Windows\SysWOW64\Bqcpdfhi.dll | Daognhlc.exe
File created | C:\Windows\SysWOW64\Ioibde32.exe | Imkfhj32.exe
File created | C:\Windows\SysWOW64\Ljnhbijg.dll | Bjamhh32.exe
File opened for modification | C:\Windows\SysWOW64\Cmdonf32.exe | Cfjfal32.exe
File opened for modification | C:\Windows\SysWOW64\Hgggpded.exe | Hdikch32.exe
File created | C:\Windows\SysWOW64\Ikfngd32.dll | 5e895b8923d29c16029b9a0e9c975550N.exe
File opened for modification | C:\Windows\SysWOW64\Cqmnie32.exe | Cjcflkdm.exe
File created | C:\Windows\SysWOW64\Eempcfbi.exe | Emfhbi32.exe
File created | C:\Windows\SysWOW64\Hnbigjmn.dll | Foccfp32.exe
File created | C:\Windows\SysWOW64\Fhkhoedh.exe | Femlbjee.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
3312 | 3276 | WerFault.exe | 236
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfambk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbohblcg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gojfeb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghpnihbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fliaecjo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epimjd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Albijp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dlpbpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hqbini32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnfigmhk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjgjmipf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gickgl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmhhie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjcllq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbhahigb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daognhlc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbjjll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cikocggb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Femlbjee.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fafimjhf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahijpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgicko32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijofbnlm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cggffocg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eafmng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fddeifgj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbcnloam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apflic32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bngllkbn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cqkace32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcekdg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdmbpo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajlcmigj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgggpded.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnapln32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iglmjf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikgijelc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmcjceam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epkjoc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gogipbln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gcceqa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adkaib32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ioqhed32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jepnck32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjcflkdm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibjkfpih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgcbeagn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Boboknnf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfjjbi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfjfal32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iolojejd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agpdfmfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efqian32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bopbeopi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnclbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbqllnco.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inciaamj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnjoap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jakhckdb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecppoc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qbelfk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfcigk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glimdgmj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plhfda32.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cikocggb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejgkfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eioemj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efcefndb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnnbmk32.dll" | Gdiode32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjhpbic.dll" | Gcnleahm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qechbf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aejncedk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aejncedk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hngajf32.dll" | Goemjbna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hnclbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cgbmkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aidhfo32.dll" | Dfambk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fahfcjfd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aaaohfjo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dpgdealm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiaiih32.dll" | Gpblof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Infefqkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jjlfkaqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpnp32.dll" | Jpnhoh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qpilpo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aacknfhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Agpdfmfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qolenepf.dll" | Bclnfm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeahpajf.dll" | Icjhpc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ifhdlo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibaago32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 5e895b8923d29c16029b9a0e9c975550N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ahkgeq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mplcca32.dll" | Gogipbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmcjceam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodpgnop.dll" | Aacknfhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eafmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jjapfamf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jnmlgpeo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qlkcjadb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfoplkel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dmhhie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedibbah.dll" | Ebjfko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fpngec32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hdpadg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Akdjfmed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajlcmigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejjhlmqa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmaadgcp.dll" | Gafelnkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpomgn32.dll" | Hnclbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbangqng.dll" | Iolojejd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgbofine.dll" | Alpmep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpchl32.dll" | Bngllkbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dmfkcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqcpdfhi.dll" | Daognhlc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jikjcikm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Albijp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opkkah32.dll" | Apflic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjcflkdm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dnqkammo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogjlf32.dll" | Emfhbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacjmhkh.dll" | Fpngec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ikbpof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhobdf32.dll" | Jaiknk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bloidc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnadjb32.dll" | Coghfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agaigjmi.dll" | Ecncjckf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppqkecbl.dll" | Fogmaoib.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e895b8923d29c16029b9a0e9c975550N.exe"C:\Users\Admin\AppData\Local\Temp\5e895b8923d29c16029b9a0e9c975550N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Pjemgibi.exeC:\Windows\system32\Pjemgibi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Pmcjceam.exeC:\Windows\system32\Pmcjceam.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Pdmbpo32.exeC:\Windows\system32\Pdmbpo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Pjgjmipf.exeC:\Windows\system32\Pjgjmipf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Plhfda32.exeC:\Windows\system32\Plhfda32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Qbboakna.exeC:\Windows\system32\Qbboakna.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Qilgneen.exeC:\Windows\system32\Qilgneen.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Qlkcjadb.exeC:\Windows\system32\Qlkcjadb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Qbelfk32.exeC:\Windows\system32\Qbelfk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Qechbf32.exeC:\Windows\system32\Qechbf32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Qpilpo32.exeC:\Windows\system32\Qpilpo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Aajhhgpg.exeC:\Windows\system32\Aajhhgpg.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Aiaqie32.exeC:\Windows\system32\Aiaqie32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Alpmep32.exeC:\Windows\system32\Alpmep32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Abieajgi.exeC:\Windows\system32\Abieajgi.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Adkaib32.exeC:\Windows\system32\Adkaib32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\Albijp32.exeC:\Windows\system32\Albijp32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Akdjfmed.exeC:\Windows\system32\Akdjfmed.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Aejncedk.exeC:\Windows\system32\Aejncedk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Ahijpa32.exeC:\Windows\system32\Ahijpa32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\Agkjknji.exeC:\Windows\system32\Agkjknji.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Aaaohfjo.exeC:\Windows\system32\Aaaohfjo.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Ahkgeq32.exeC:\Windows\system32\Ahkgeq32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Ajlcmigj.exeC:\Windows\system32\Ajlcmigj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Aacknfhl.exeC:\Windows\system32\Aacknfhl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Apflic32.exeC:\Windows\system32\Apflic32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Agpdfmfc.exeC:\Windows\system32\Agpdfmfc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Bjopbh32.exeC:\Windows\system32\Bjopbh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Bphhobmd.exeC:\Windows\system32\Bphhobmd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Bjamhh32.exeC:\Windows\system32\Bjamhh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Bjamhh32.exeC:\Windows\system32\Bjamhh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Bloidc32.exeC:\Windows\system32\Bloidc32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Bonepo32.exeC:\Windows\system32\Bonepo32.exe34⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Bfhnmiii.exeC:\Windows\system32\Bfhnmiii.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Bjcimhab.exeC:\Windows\system32\Bjcimhab.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Bopbeopi.exeC:\Windows\system32\Bopbeopi.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Bclnfm32.exeC:\Windows\system32\Bclnfm32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Bfjjbi32.exeC:\Windows\system32\Bfjjbi32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Boboknnf.exeC:\Windows\system32\Boboknnf.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Bflghh32.exeC:\Windows\system32\Bflghh32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Bkiopock.exeC:\Windows\system32\Bkiopock.exe42⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Bngllkbn.exeC:\Windows\system32\Bngllkbn.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Cfocmhcq.exeC:\Windows\system32\Cfocmhcq.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Chmpicbd.exeC:\Windows\system32\Chmpicbd.exe45⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Coghfn32.exeC:\Windows\system32\Coghfn32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Cddqod32.exeC:\Windows\system32\Cddqod32.exe47⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Cgbmkp32.exeC:\Windows\system32\Cgbmkp32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Cjqigkfp.exeC:\Windows\system32\Cjqigkfp.exe49⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Cbhahigb.exeC:\Windows\system32\Cbhahigb.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Cqkace32.exeC:\Windows\system32\Cqkace32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Ccinpa32.exeC:\Windows\system32\Ccinpa32.exe52⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Cjcflkdm.exeC:\Windows\system32\Cjcflkdm.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Cqmnie32.exeC:\Windows\system32\Cqmnie32.exe54⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Cggffocg.exeC:\Windows\system32\Cggffocg.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Cfjfal32.exeC:\Windows\system32\Cfjfal32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Cmdonf32.exeC:\Windows\system32\Cmdonf32.exe57⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Cqokoeig.exeC:\Windows\system32\Cqokoeig.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Cgicko32.exeC:\Windows\system32\Cgicko32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Windows\SysWOW64\Cflcglho.exeC:\Windows\system32\Cflcglho.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Cikocggb.exeC:\Windows\system32\Cikocggb.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Dmfkcf32.exeC:\Windows\system32\Dmfkcf32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Dcpcppfh.exeC:\Windows\system32\Dcpcppfh.exe63⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Dfoplkel.exeC:\Windows\system32\Dfoplkel.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Dmhhie32.exeC:\Windows\system32\Dmhhie32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Dpgdealm.exeC:\Windows\system32\Dpgdealm.exe66⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Dcbpfp32.exeC:\Windows\system32\Dcbpfp32.exe67⤵PID:1448
-
C:\Windows\SysWOW64\Dfambk32.exeC:\Windows\system32\Dfambk32.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Dmkeoekf.exeC:\Windows\system32\Dmkeoekf.exe69⤵PID:2108
-
C:\Windows\SysWOW64\Dknejb32.exeC:\Windows\system32\Dknejb32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1088 -
C:\Windows\SysWOW64\Dnlafm32.exeC:\Windows\system32\Dnlafm32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Dfcigk32.exeC:\Windows\system32\Dfcigk32.exe72⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Deficgha.exeC:\Windows\system32\Deficgha.exe73⤵PID:2736
-
C:\Windows\SysWOW64\Dlpbpa32.exeC:\Windows\system32\Dlpbpa32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Dnnnlmob.exeC:\Windows\system32\Dnnnlmob.exe75⤵
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Dbjjll32.exeC:\Windows\system32\Dbjjll32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Damjhhne.exeC:\Windows\system32\Damjhhne.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Didbifoh.exeC:\Windows\system32\Didbifoh.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Dnqkammo.exeC:\Windows\system32\Dnqkammo.exe79⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Daognhlc.exeC:\Windows\system32\Daognhlc.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Ecncjckf.exeC:\Windows\system32\Ecncjckf.exe81⤵
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Ehiojb32.exeC:\Windows\system32\Ehiojb32.exe82⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Ejgkfn32.exeC:\Windows\system32\Ejgkfn32.exe83⤵
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Emfhbi32.exeC:\Windows\system32\Emfhbi32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Eempcfbi.exeC:\Windows\system32\Eempcfbi.exe85⤵
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Ecppoc32.exeC:\Windows\system32\Ecppoc32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Ejjhlmqa.exeC:\Windows\system32\Ejjhlmqa.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Emhdhipd.exeC:\Windows\system32\Emhdhipd.exe88⤵PID:1752
-
C:\Windows\SysWOW64\Eadpig32.exeC:\Windows\system32\Eadpig32.exe89⤵PID:2660
-
C:\Windows\SysWOW64\Edbmec32.exeC:\Windows\system32\Edbmec32.exe90⤵PID:2728
-
C:\Windows\SysWOW64\Efqian32.exeC:\Windows\system32\Efqian32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Ejleamon.exeC:\Windows\system32\Ejleamon.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Eioemj32.exeC:\Windows\system32\Eioemj32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Eafmng32.exeC:\Windows\system32\Eafmng32.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Epimjd32.exeC:\Windows\system32\Epimjd32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Efcefndb.exeC:\Windows\system32\Efcefndb.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Epkjoc32.exeC:\Windows\system32\Epkjoc32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Windows\SysWOW64\Ebjfko32.exeC:\Windows\system32\Ebjfko32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Efeblnbp.exeC:\Windows\system32\Efeblnbp.exe99⤵PID:1620
-
C:\Windows\SysWOW64\Eidohiac.exeC:\Windows\system32\Eidohiac.exe100⤵
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Elbkddpg.exeC:\Windows\system32\Elbkddpg.exe101⤵
- Drops file in System32 directory
PID:476 -
C:\Windows\SysWOW64\Fpngec32.exeC:\Windows\system32\Fpngec32.exe102⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Fblcaohd.exeC:\Windows\system32\Fblcaohd.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Fejomjgg.exeC:\Windows\system32\Fejomjgg.exe104⤵
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Fhikiefk.exeC:\Windows\system32\Fhikiefk.exe105⤵PID:2904
-
C:\Windows\SysWOW64\Fppcjcfn.exeC:\Windows\system32\Fppcjcfn.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716 -
C:\Windows\SysWOW64\Foccfp32.exeC:\Windows\system32\Foccfp32.exe107⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Femlbjee.exeC:\Windows\system32\Femlbjee.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Fhkhoedh.exeC:\Windows\system32\Fhkhoedh.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Flgdod32.exeC:\Windows\system32\Flgdod32.exe110⤵PID:676
-
C:\Windows\SysWOW64\Fbqllnco.exeC:\Windows\system32\Fbqllnco.exe111⤵
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Feoihi32.exeC:\Windows\system32\Feoihi32.exe112⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Fdbidfjm.exeC:\Windows\system32\Fdbidfjm.exe113⤵PID:1680
-
C:\Windows\SysWOW64\Fliaecjo.exeC:\Windows\system32\Fliaecjo.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Fklaqp32.exeC:\Windows\system32\Fklaqp32.exe115⤵PID:2772
-
C:\Windows\SysWOW64\Fogmaoib.exeC:\Windows\system32\Fogmaoib.exe116⤵
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Fafimjhf.exeC:\Windows\system32\Fafimjhf.exe117⤵
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Fddeifgj.exeC:\Windows\system32\Fddeifgj.exe118⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Fgcbeagn.exeC:\Windows\system32\Fgcbeagn.exe119⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Fknnfp32.exeC:\Windows\system32\Fknnfp32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1196 -
C:\Windows\SysWOW64\Fahfcjfd.exeC:\Windows\system32\Fahfcjfd.exe121⤵
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Fpkfng32.exeC:\Windows\system32\Fpkfng32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:340