Analysis
max time kernel: 39s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 25/08/2024, 09:16
Static task: static1
Behavioral task: behavioral1
Sample: 9afcecc81543afa85e0ed9d7550e8c30N.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 9afcecc81543afa85e0ed9d7550e8c30N.exe
Resource: win10v2004-20240802-en
General
Target: 9afcecc81543afa85e0ed9d7550e8c30N.exe
Size: 80KB
MD5: 9afcecc81543afa85e0ed9d7550e8c30
SHA1: cac6eda657dbf61b9dad241a06422c937bd0e1b8
SHA256: e360f0c587926682627788e9c069d89d8c4595c8a46a3dbc10791787f820e078
SHA512: d9f594abf2ca27a02251a16d0e760988e51dbe1ca9f9dc33c93809478a12b55d026e49213bbb33da6077370af7f77a91b5d54661c5a507bb86dd2cf6671052c1
SSDEEP: 1536:4mJWez5/fnzGA2l6oMPcxLSZ2LfWS5DUHRbPa9b6i+sIk:VBLGJYoJWSeS5DSCopsIk
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 4132, pid_target 4108, Process WerFault.exe, procid_target 327
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2260 wrote to memory of 3040 2260 9afcecc81543afa85e0ed9d7550e8c30N.exe 29 PID 2260 wrote to memory of 3040 2260 9afcecc81543afa85e0ed9d7550e8c30N.exe 29 PID 2260 wrote to memory of 3040 2260 9afcecc81543afa85e0ed9d7550e8c30N.exe 29 PID 2260 wrote to memory of 3040 2260 9afcecc81543afa85e0ed9d7550e8c30N.exe 29 PID 3040 wrote to memory of 1696 3040 Nkqlodpk.exe 30 PID 3040 wrote to memory of 1696 3040 Nkqlodpk.exe 30 PID 3040 wrote to memory of 1696 3040 Nkqlodpk.exe 30 PID 3040 wrote to memory of 1696 3040 Nkqlodpk.exe 30 PID 1696 wrote to memory of 2716 1696 Obhdpaqm.exe 31 PID 1696 wrote to memory of 2716 1696 Obhdpaqm.exe 31 PID 1696 wrote to memory of 2716 1696 Obhdpaqm.exe 31 PID 1696 wrote to memory of 2716 1696 Obhdpaqm.exe 31 PID 2716 wrote to memory of 2692 2716 Oakdkn32.exe 32 PID 2716 wrote to memory of 2692 2716 Oakdkn32.exe 32 PID 2716 wrote to memory of 2692 2716 Oakdkn32.exe 32 PID 2716 wrote to memory of 2692 2716 Oakdkn32.exe 32 PID 2692 wrote to memory of 2656 2692 Odiagj32.exe 33 PID 2692 wrote to memory of 2656 2692 Odiagj32.exe 33 PID 2692 wrote to memory of 2656 2692 Odiagj32.exe 33 PID 2692 wrote to memory of 2656 2692 Odiagj32.exe 33 PID 2656 wrote to memory of 2764 2656 Ohdmhhod.exe 34 PID 2656 wrote to memory of 2764 2656 Ohdmhhod.exe 34 PID 2656 wrote to memory of 2764 2656 Ohdmhhod.exe 34 PID 2656 wrote to memory of 2764 2656 Ohdmhhod.exe 34 PID 2764 wrote to memory of 2632 2764 Omaepoml.exe 35 PID 2764 wrote to memory of 2632 2764 Omaepoml.exe 35 PID 2764 wrote to memory of 2632 2764 Omaepoml.exe 35 PID 2764 wrote to memory of 2632 2764 Omaepoml.exe 35 PID 2632 wrote to memory of 1660 2632 Odknmi32.exe 36 PID 2632 wrote to memory of 1660 2632 Odknmi32.exe 36 PID 2632 wrote to memory of 1660 2632 Odknmi32.exe 36 PID 2632 wrote to memory of 1660 2632 Odknmi32.exe 36 PID 1660 wrote to memory of 2176 1660 Ooabjbdn.exe 37 PID 1660 wrote to memory of 2176 1660 Ooabjbdn.exe 37 PID 1660 wrote to memory of 2176 1660 Ooabjbdn.exe 37 PID 1660 wrote to memory of 2176 1660 Ooabjbdn.exe 37 PID 2176 wrote to memory of 2908 2176 Oaonfncb.exe 38 PID 2176 wrote to memory of 2908 2176 Oaonfncb.exe 38 PID 2176 wrote to memory of 2908 2176 Oaonfncb.exe 38 PID 2176 wrote to memory of 2908 2176 Oaonfncb.exe 38 PID 2908 wrote to memory of 1036 2908 Odnjbibf.exe 39 PID 2908 wrote to memory of 1036 2908 Odnjbibf.exe 39 PID 2908 wrote to memory of 1036 2908 Odnjbibf.exe 39 PID 2908 wrote to memory of 1036 2908 Odnjbibf.exe 39 PID 1036 wrote to memory of 2876 1036 Oijbkpqm.exe 40 PID 1036 wrote to memory of 2876 1036 Oijbkpqm.exe 40 PID 1036 wrote to memory of 2876 1036 Oijbkpqm.exe 40 PID 1036 wrote to memory of 2876 1036 Oijbkpqm.exe 40 PID 2876 wrote to memory of 3000 2876 Oaaklmao.exe 41 PID 2876 wrote to memory of 3000 2876 Oaaklmao.exe 41 PID 2876 wrote to memory of 3000 2876 Oaaklmao.exe 41 PID 2876 wrote to memory of 3000 2876 Oaaklmao.exe 41 PID 3000 wrote to memory of 1732 3000 Odpghiqc.exe 42 PID 3000 wrote to memory of 1732 3000 Odpghiqc.exe 42 PID 3000 wrote to memory of 1732 3000 Odpghiqc.exe 42 PID 3000 wrote to memory of 1732 3000 Odpghiqc.exe 42 PID 1732 wrote to memory of 2760 1732 Okjoec32.exe 43 PID 1732 wrote to memory of 2760 1732 Okjoec32.exe 43 PID 1732 wrote to memory of 2760 1732 Okjoec32.exe 43 PID 1732 wrote to memory of 2760 1732 Okjoec32.exe 43 PID 2760 wrote to memory of 2536 2760 Onhkan32.exe 44 PID 2760 wrote to memory of 2536 2760 Onhkan32.exe 44 PID 2760 wrote to memory of 2536 2760 Onhkan32.exe 44 PID 2760 wrote to memory of 2536 2760 Onhkan32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\9afcecc81543afa85e0ed9d7550e8c30N.exe"C:\Users\Admin\AppData\Local\Temp\9afcecc81543afa85e0ed9d7550e8c30N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Nkqlodpk.exeC:\Windows\system32\Nkqlodpk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Obhdpaqm.exeC:\Windows\system32\Obhdpaqm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Oakdkn32.exeC:\Windows\system32\Oakdkn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Odiagj32.exeC:\Windows\system32\Odiagj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ohdmhhod.exeC:\Windows\system32\Ohdmhhod.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Omaepoml.exeC:\Windows\system32\Omaepoml.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Odknmi32.exeC:\Windows\system32\Odknmi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Ooabjbdn.exeC:\Windows\system32\Ooabjbdn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Oaonfncb.exeC:\Windows\system32\Oaonfncb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Odnjbibf.exeC:\Windows\system32\Odnjbibf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Oijbkpqm.exeC:\Windows\system32\Oijbkpqm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Oaaklmao.exeC:\Windows\system32\Oaaklmao.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Odpghiqc.exeC:\Windows\system32\Odpghiqc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Okjoec32.exeC:\Windows\system32\Okjoec32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Onhkan32.exeC:\Windows\system32\Onhkan32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Olklmk32.exeC:\Windows\system32\Olklmk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Ocedieek.exeC:\Windows\system32\Ocedieek.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Ogqpjd32.exeC:\Windows\system32\Ogqpjd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Oiolfo32.exeC:\Windows\system32\Oiolfo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Plnhbk32.exeC:\Windows\system32\Plnhbk32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Pgcmoc32.exeC:\Windows\system32\Pgcmoc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Piaiko32.exeC:\Windows\system32\Piaiko32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Plpehj32.exeC:\Windows\system32\Plpehj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Ponadfim.exeC:\Windows\system32\Ponadfim.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Pjdeaohb.exeC:\Windows\system32\Pjdeaohb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Poqniegj.exeC:\Windows\system32\Poqniegj.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Pekffp32.exeC:\Windows\system32\Pekffp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Pldobjec.exeC:\Windows\system32\Pldobjec.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Paagkq32.exeC:\Windows\system32\Paagkq32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Pgnpcg32.exeC:\Windows\system32\Pgnpcg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Pkjkdfjk.exeC:\Windows\system32\Pkjkdfjk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Padcqp32.exeC:\Windows\system32\Padcqp32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Pqfdlmic.exeC:\Windows\system32\Pqfdlmic.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Qgqlig32.exeC:\Windows\system32\Qgqlig32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Qnkdeagl.exeC:\Windows\system32\Qnkdeagl.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Qddmbkoi.exeC:\Windows\system32\Qddmbkoi.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Qgcingnm.exeC:\Windows\system32\Qgcingnm.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Qnmaka32.exeC:\Windows\system32\Qnmaka32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Aqkmgl32.exeC:\Windows\system32\Aqkmgl32.exe40⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Ageedflj.exeC:\Windows\system32\Ageedflj.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Afhfpc32.exeC:\Windows\system32\Afhfpc32.exe42⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Aclfigao.exeC:\Windows\system32\Aclfigao.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Amdkam32.exeC:\Windows\system32\Amdkam32.exe44⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Acncngpl.exeC:\Windows\system32\Acncngpl.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Abacjd32.exeC:\Windows\system32\Abacjd32.exe46⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Ajhkka32.exeC:\Windows\system32\Ajhkka32.exe47⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Ajhkka32.exeC:\Windows\system32\Ajhkka32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Amgggm32.exeC:\Windows\system32\Amgggm32.exe49⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Akjhcimg.exeC:\Windows\system32\Akjhcimg.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Acqpdgni.exeC:\Windows\system32\Acqpdgni.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Ainhln32.exeC:\Windows\system32\Ainhln32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Akldhi32.exeC:\Windows\system32\Akldhi32.exe53⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Aogqihcm.exeC:\Windows\system32\Aogqihcm.exe54⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Abfmecba.exeC:\Windows\system32\Abfmecba.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\Afaieb32.exeC:\Windows\system32\Afaieb32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Aipebm32.exeC:\Windows\system32\Aipebm32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Bgbemjqh.exeC:\Windows\system32\Bgbemjqh.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Bojmogak.exeC:\Windows\system32\Bojmogak.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Bnmmjd32.exeC:\Windows\system32\Bnmmjd32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Bakjfp32.exeC:\Windows\system32\Bakjfp32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Bkqnchgo.exeC:\Windows\system32\Bkqnchgo.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Bnojpdfb.exeC:\Windows\system32\Bnojpdfb.exe63⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Bbkfpb32.exeC:\Windows\system32\Bbkfpb32.exe64⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Beibln32.exeC:\Windows\system32\Beibln32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Bggohi32.exeC:\Windows\system32\Bggohi32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:672 -
C:\Windows\SysWOW64\Bkckihel.exeC:\Windows\system32\Bkckihel.exe67⤵PID:2336
-
C:\Windows\SysWOW64\Bnagecdp.exeC:\Windows\system32\Bnagecdp.exe68⤵
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Bapcaocc.exeC:\Windows\system32\Bapcaocc.exe69⤵PID:2720
-
C:\Windows\SysWOW64\Bekobn32.exeC:\Windows\system32\Bekobn32.exe70⤵PID:2032
-
C:\Windows\SysWOW64\Bcnomjbg.exeC:\Windows\system32\Bcnomjbg.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Bfmlif32.exeC:\Windows\system32\Bfmlif32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Bjhgjdjd.exeC:\Windows\system32\Bjhgjdjd.exe73⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Babpgo32.exeC:\Windows\system32\Babpgo32.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Bglhcihn.exeC:\Windows\system32\Bglhcihn.exe75⤵PID:2844
-
C:\Windows\SysWOW64\Bfohoe32.exeC:\Windows\system32\Bfohoe32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Bimdka32.exeC:\Windows\system32\Bimdka32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Bpgmhkfi.exeC:\Windows\system32\Bpgmhkfi.exe78⤵
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\Cbfidfem.exeC:\Windows\system32\Cbfidfem.exe79⤵PID:2120
-
C:\Windows\SysWOW64\Cjmaed32.exeC:\Windows\system32\Cjmaed32.exe80⤵PID:2084
-
C:\Windows\SysWOW64\Cmkmao32.exeC:\Windows\system32\Cmkmao32.exe81⤵
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Clnmmlkm.exeC:\Windows\system32\Clnmmlkm.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Cceenilo.exeC:\Windows\system32\Cceenilo.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1776 -
C:\Windows\SysWOW64\Cefbfa32.exeC:\Windows\system32\Cefbfa32.exe84⤵PID:2824
-
C:\Windows\SysWOW64\Cibnfpjg.exeC:\Windows\system32\Cibnfpjg.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Cmnjgo32.exeC:\Windows\system32\Cmnjgo32.exe86⤵PID:2980
-
C:\Windows\SysWOW64\Coofoghn.exeC:\Windows\system32\Coofoghn.exe87⤵PID:532
-
C:\Windows\SysWOW64\Cbjbof32.exeC:\Windows\system32\Cbjbof32.exe88⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Ceioka32.exeC:\Windows\system32\Ceioka32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Clcghk32.exeC:\Windows\system32\Clcghk32.exe90⤵PID:1288
-
C:\Windows\SysWOW64\Cpnchjpa.exeC:\Windows\system32\Cpnchjpa.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1184 -
C:\Windows\SysWOW64\Cbmoeeod.exeC:\Windows\system32\Cbmoeeod.exe92⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Cekkaanh.exeC:\Windows\system32\Cekkaanh.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Ciggap32.exeC:\Windows\system32\Ciggap32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812 -
C:\Windows\SysWOW64\Clecnk32.exeC:\Windows\system32\Clecnk32.exe95⤵PID:2528
-
C:\Windows\SysWOW64\Ckhdihlp.exeC:\Windows\system32\Ckhdihlp.exe96⤵
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Cablfb32.exeC:\Windows\system32\Cablfb32.exe97⤵PID:1248
-
C:\Windows\SysWOW64\Cdphbm32.exeC:\Windows\system32\Cdphbm32.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Clgpckcb.exeC:\Windows\system32\Clgpckcb.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Ckjqog32.exeC:\Windows\system32\Ckjqog32.exe100⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Doflofbf.exeC:\Windows\system32\Doflofbf.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Depelp32.exeC:\Windows\system32\Depelp32.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Ddbegmqm.exeC:\Windows\system32\Ddbegmqm.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Dfaachpa.exeC:\Windows\system32\Dfaachpa.exe104⤵PID:1324
-
C:\Windows\SysWOW64\Dkmmdg32.exeC:\Windows\system32\Dkmmdg32.exe105⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Dmkipb32.exeC:\Windows\system32\Dmkipb32.exe106⤵PID:2968
-
C:\Windows\SysWOW64\Dpifln32.exeC:\Windows\system32\Dpifln32.exe107⤵PID:1088
-
C:\Windows\SysWOW64\Dhqnnk32.exeC:\Windows\system32\Dhqnnk32.exe108⤵
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Dgcnihnn.exeC:\Windows\system32\Dgcnihnn.exe109⤵PID:2056
-
C:\Windows\SysWOW64\Dmmffbek.exeC:\Windows\system32\Dmmffbek.exe110⤵PID:2572
-
C:\Windows\SysWOW64\Dplbbndo.exeC:\Windows\system32\Dplbbndo.exe111⤵PID:2620
-
C:\Windows\SysWOW64\Dbjonicb.exeC:\Windows\system32\Dbjonicb.exe112⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Dkafofde.exeC:\Windows\system32\Dkafofde.exe113⤵
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Didgkc32.exeC:\Windows\system32\Didgkc32.exe114⤵
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\Dlbcgo32.exeC:\Windows\system32\Dlbcgo32.exe115⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Ddjkhl32.exeC:\Windows\system32\Ddjkhl32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Dcmkciap.exeC:\Windows\system32\Dcmkciap.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Dghgdg32.exeC:\Windows\system32\Dghgdg32.exe118⤵PID:2676
-
C:\Windows\SysWOW64\Dekgpdqc.exeC:\Windows\system32\Dekgpdqc.exe119⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Dpqlmm32.exeC:\Windows\system32\Dpqlmm32.exe120⤵PID:2148
-
C:\Windows\SysWOW64\Doclijgd.exeC:\Windows\system32\Doclijgd.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Dcohih32.exeC:\Windows\system32\Dcohih32.exe122⤵
- System Location Discovery: System Language Discovery
PID:2924