Analysis
-
max time kernel
57s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
01-09-2024 03:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
81a9986ef164e39f82da2e718a0eb740N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
81a9986ef164e39f82da2e718a0eb740N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
81a9986ef164e39f82da2e718a0eb740N.exe
-
Size
96KB
-
MD5
81a9986ef164e39f82da2e718a0eb740
-
SHA1
b4084f7002aeeeddad81e3ba4d4c310e8df5c515
-
SHA256
163800235c4caef23edbc1ed2ca598fd6f47f2ac3a4042701843d7511778cefb
-
SHA512
b4d3c8edba7911ba8bb01d8b75c4835e12834d3239e5ea394a141346277936a567650be3662a2ef09c6a41555e570aa00bef8e3105d2f42c0f9932e198de9fb5
-
SSDEEP
1536:a5DfhTGQRYizg9Qdfhhv9N7HOgq/BOmECMy0QiLiizHNQNdq:6D5rNc9sP9RTq5OmECMyELiAHONdq
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbdadl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfemdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcgmgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdefgimi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhofj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlpmndba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ginefe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgqpjch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjoaofc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahgejhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbagdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdqlkhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnlqemal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckamihfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abbknb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngoinfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blpibghg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhfihd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjcajn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incgfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdoec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbkaoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icmlnmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbagdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibebeqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbfcoedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlhbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkjbpkag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onfadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfigdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhopcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiekadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkiiom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhile32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iclfccmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfhcknpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqgngk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdqfnhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emqaaabg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geplpfnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 81a9986ef164e39f82da2e718a0eb740N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkakbpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdehgnqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agakog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmbiap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbknb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmllgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihgadhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdadl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amfcfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnenfjdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekoljgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcohh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkjahg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jekoljgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhmhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klapha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcfle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdehgnqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkdik32.exe -
Executes dropped EXE 64 IoCs
pid Process 2412 Mhopcl32.exe 2832 Mqjehngm.exe 2852 Mgfjjh32.exe 3004 Mflgkd32.exe 2608 Nbddfe32.exe 2924 Nhdjdk32.exe 2480 Nbljfdoh.exe 2988 Onbkle32.exe 2984 Omjeba32.exe 2996 Ofbikf32.exe 3048 Phhonn32.exe 2252 Pihlhagn.exe 2200 Pdffcn32.exe 1728 Qiekadkl.exe 524 Alfdcp32.exe 1040 Afqeaemk.exe 1532 Boncej32.exe 1796 Bkddjkej.exe 800 Bkgqpjch.exe 2080 Bmjjmbgc.exe 3032 Bmmgbbeq.exe 676 Bcgoolln.exe 1692 Cmapna32.exe 2824 Cgkanomj.exe 2812 Ckijdm32.exe 2620 Dahobdpe.exe 2952 Damhmc32.exe 2112 Dbcnpk32.exe 2248 Ebekej32.exe 1616 Eajhgg32.exe 1240 Emailhfb.exe 616 Emceag32.exe 2900 Ekgfkl32.exe 884 Fdpjcaij.exe 3044 Fkjbpkag.exe 3052 Fdbgia32.exe 2036 Fpihnbmk.exe 2148 Fefpfi32.exe 2400 Fpkdca32.exe 996 Fhfihd32.exe 592 Fhifmcfa.exe 484 Gnenfjdh.exe 2364 Gdpfbd32.exe 1688 Gacgli32.exe 992 Ggppdpif.exe 1512 Gnmdfi32.exe 1540 Gjcekj32.exe 1732 Hggeeo32.exe 2756 Hobjia32.exe 2820 Hjhofj32.exe 2744 Hmighemp.exe 2876 Hnjdpm32.exe 2724 Hnlqemal.exe 1292 Hibebeqb.exe 2888 Hjcajn32.exe 3008 Iclfccmq.exe 2956 Iekbmfdc.exe 2872 Incgfl32.exe 2708 Icponb32.exe 1072 Imidgh32.exe 2440 Icbldbgi.exe 2156 Iiodliep.exe 732 Iefeaj32.exe 1032 Jlpmndba.exe -
Loads dropped DLL 64 IoCs
pid Process 3012 81a9986ef164e39f82da2e718a0eb740N.exe 3012 81a9986ef164e39f82da2e718a0eb740N.exe 2412 Mhopcl32.exe 2412 Mhopcl32.exe 2832 Mqjehngm.exe 2832 Mqjehngm.exe 2852 Mgfjjh32.exe 2852 Mgfjjh32.exe 3004 Mflgkd32.exe 3004 Mflgkd32.exe 2608 Nbddfe32.exe 2608 Nbddfe32.exe 2924 Nhdjdk32.exe 2924 Nhdjdk32.exe 2480 Nbljfdoh.exe 2480 Nbljfdoh.exe 2988 Onbkle32.exe 2988 Onbkle32.exe 2984 Omjeba32.exe 2984 Omjeba32.exe 2996 Ofbikf32.exe 2996 Ofbikf32.exe 3048 Phhonn32.exe 3048 Phhonn32.exe 2252 Pihlhagn.exe 2252 Pihlhagn.exe 2200 Pdffcn32.exe 2200 Pdffcn32.exe 1728 Qiekadkl.exe 1728 Qiekadkl.exe 524 Alfdcp32.exe 524 Alfdcp32.exe 1040 Afqeaemk.exe 1040 Afqeaemk.exe 1532 Boncej32.exe 1532 Boncej32.exe 1796 Bkddjkej.exe 1796 Bkddjkej.exe 800 Bkgqpjch.exe 800 Bkgqpjch.exe 2080 Bmjjmbgc.exe 2080 Bmjjmbgc.exe 3032 Bmmgbbeq.exe 3032 Bmmgbbeq.exe 676 Bcgoolln.exe 676 Bcgoolln.exe 1692 Cmapna32.exe 1692 Cmapna32.exe 2824 Cgkanomj.exe 2824 Cgkanomj.exe 2812 Ckijdm32.exe 2812 Ckijdm32.exe 2620 Dahobdpe.exe 2620 Dahobdpe.exe 2952 Damhmc32.exe 2952 Damhmc32.exe 2112 Dbcnpk32.exe 2112 Dbcnpk32.exe 2248 Ebekej32.exe 2248 Ebekej32.exe 1616 Eajhgg32.exe 1616 Eajhgg32.exe 1240 Emailhfb.exe 1240 Emailhfb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ebekej32.exe Dbcnpk32.exe File created C:\Windows\SysWOW64\Iekbmfdc.exe Iclfccmq.exe File created C:\Windows\SysWOW64\Gdfpegkn.dll Nndhpqma.exe File created C:\Windows\SysWOW64\Hghkmd32.dll Jfkdik32.exe File created C:\Windows\SysWOW64\Dfnalqca.dll Jaahgd32.exe File created C:\Windows\SysWOW64\Eciqkkpj.dll Blpibghg.exe File created C:\Windows\SysWOW64\Hokold32.dll Bglghdbc.exe File opened for modification C:\Windows\SysWOW64\Faopib32.exe Fpncbjqj.exe File created C:\Windows\SysWOW64\Efllcf32.exe Emdgjpkd.exe File created C:\Windows\SysWOW64\Ioochn32.exe Ifgooikk.exe File opened for modification C:\Windows\SysWOW64\Ngoinfao.exe Nndhpqma.exe File created C:\Windows\SysWOW64\Lgfjoqnd.dll Appfggjm.exe File created C:\Windows\SysWOW64\Qiekadkl.exe Pdffcn32.exe File created C:\Windows\SysWOW64\Joamihjm.dll Pdffcn32.exe File opened for modification C:\Windows\SysWOW64\Fefpfi32.exe Fpihnbmk.exe File opened for modification C:\Windows\SysWOW64\Fpkdca32.exe Fefpfi32.exe File created C:\Windows\SysWOW64\Lindbn32.dll Elleai32.exe File opened for modification C:\Windows\SysWOW64\Dahobdpe.exe Ckijdm32.exe File created C:\Windows\SysWOW64\Incgfl32.exe Iekbmfdc.exe File created C:\Windows\SysWOW64\Bkhjcing.exe Bfkakbpp.exe File opened for modification C:\Windows\SysWOW64\Eelfedpa.exe Emqaaabg.exe File created C:\Windows\SysWOW64\Ifndph32.exe Ikhqbo32.exe File created C:\Windows\SysWOW64\Ejkdfong.dll Kikpgk32.exe File created C:\Windows\SysWOW64\Pffjpg32.dll Anfjpa32.exe File created C:\Windows\SysWOW64\Qjikefbe.dll Epinhg32.exe File created C:\Windows\SysWOW64\Fdpjcaij.exe Ekgfkl32.exe File created C:\Windows\SysWOW64\Ldhpen32.dll Ejmljg32.exe File opened for modification C:\Windows\SysWOW64\Obniel32.exe Ogiegc32.exe File created C:\Windows\SysWOW64\Mqlenpag.dll Lkccob32.exe File created C:\Windows\SysWOW64\Fkficd32.dll Hgbanlfc.exe File created C:\Windows\SysWOW64\Pbjkiamp.dll Hnlqemal.exe File created C:\Windows\SysWOW64\Ngoinfao.exe Nndhpqma.exe File opened for modification C:\Windows\SysWOW64\Ohcohh32.exe Ollncgjq.exe File created C:\Windows\SysWOW64\Nbgcdmjb.exe Nfqbol32.exe File opened for modification C:\Windows\SysWOW64\Pfjbdn32.exe Obniel32.exe File created C:\Windows\SysWOW64\Iiodliep.exe Icbldbgi.exe File opened for modification C:\Windows\SysWOW64\Qoopie32.exe Phckglbq.exe File created C:\Windows\SysWOW64\Pjligacm.dll Hfiofefm.exe File created C:\Windows\SysWOW64\Kjenbk32.dll Hmighemp.exe File created C:\Windows\SysWOW64\Ckamihfm.exe Cjbpoeoj.exe File opened for modification C:\Windows\SysWOW64\Nfqbol32.exe Nlhnfg32.exe File created C:\Windows\SysWOW64\Nndhpqma.exe Mfhcknpf.exe File opened for modification C:\Windows\SysWOW64\Fpihnbmk.exe Fdbgia32.exe File created C:\Windows\SysWOW64\Ginefe32.exe Geplpfnh.exe File created C:\Windows\SysWOW64\Kdmdlc32.exe Klapha32.exe File created C:\Windows\SysWOW64\Lophcpam.exe Ldfgbb32.exe File created C:\Windows\SysWOW64\Jljkakol.dll Jlpmndba.exe File created C:\Windows\SysWOW64\Ppbfmdfo.exe Pfjbdn32.exe File created C:\Windows\SysWOW64\Plkchdiq.exe Peakkj32.exe File opened for modification C:\Windows\SysWOW64\Pbfcoedi.exe Pinnfonh.exe File created C:\Windows\SysWOW64\Moncom32.dll Apglgfde.exe File created C:\Windows\SysWOW64\Coaipi32.dll Edhmhl32.exe File created C:\Windows\SysWOW64\Fefpfi32.exe Fpihnbmk.exe File created C:\Windows\SysWOW64\Oleiokho.dll Fpihnbmk.exe File created C:\Windows\SysWOW64\Pajbdm32.dll Dbcnpk32.exe File opened for modification C:\Windows\SysWOW64\Mjeholco.exe Majdkifd.exe File created C:\Windows\SysWOW64\Dhpnlnon.dll Fefboabg.exe File created C:\Windows\SysWOW64\Qpaknfnf.dll Gkjahg32.exe File opened for modification C:\Windows\SysWOW64\Bdbkaoce.exe Bbdoec32.exe File created C:\Windows\SysWOW64\Edbminqj.dll Cmjoaofc.exe File created C:\Windows\SysWOW64\Hpnikb32.dll Behnkm32.exe File created C:\Windows\SysWOW64\Qcmkoiee.dll Djfooa32.exe File created C:\Windows\SysWOW64\Dfomdk32.dll Ldfgbb32.exe File created C:\Windows\SysWOW64\Pfjbdn32.exe Obniel32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3888 3848 WerFault.exe 289 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjeid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boncej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbdbbop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blmikkle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faopib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjdpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcojbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelfedpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmdfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpalmaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaamobdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjcmoqlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almmlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefboabg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alfdcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaahgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihgadhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbdadl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbljfdoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhcknpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhjcing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Happkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpodmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpmonea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpncbjqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofbikf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbgia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinnfonh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icmlnmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgeel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onbkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgdqef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glongpao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcgmgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppqqbjkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajbdpblo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phmkaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcbib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckijdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdnihiad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmdlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efllcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkanomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmjfae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfcfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjeholco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddbfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfkdik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkiiom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkchdiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elleai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmbclj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbkaoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjjmbgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdkdffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hopgikop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqemlbqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alfflhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behnkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahobdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebekej32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llgllj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqgngk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioochn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjeholco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moncom32.dll" Apglgfde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Damhmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdbgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkohm32.dll" Mdcfle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjeholco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfjbdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekgfkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmgokcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edhmhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glhhgahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omjeba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdffcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbacpl32.dll" Cbdkdffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncpjnahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmbclj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohcohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdehgnqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjlqpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkhjcing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmapna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeofa32.dll" Qoopie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmjoaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjcmoqlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfjoqnd.dll" Appfggjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fefpfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgknok32.dll" Gjcekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjenbk32.dll" Hmighemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpnifnh.dll" Dmgokcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjjeid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdgane32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lophcpam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjaimek.dll" Obniel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmmdj32.dll" Bkddjkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghbode32.dll" Aniffaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjoflc32.dll" Ppbfmdfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phmkaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnfhfmhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apglgfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnenfjdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkfkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldangbhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apglgfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmeqilpj.dll" Kaaeegkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blmikkle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qiekadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinbpend.dll" Afqeaemk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjlbh32.dll" Fpncbjqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmllgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gngcgmgi.dll" Eagdgaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqjfgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamihjm.dll" Pdffcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkddjkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckifmh32.dll" Icponb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdqfnhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmmbajg.dll" Pbfcoedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggppdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnifhcei.dll" Dcgmgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phhonn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpdqlkhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebekej32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3012 wrote to memory of 2412 3012 81a9986ef164e39f82da2e718a0eb740N.exe 29 PID 3012 wrote to memory of 2412 3012 81a9986ef164e39f82da2e718a0eb740N.exe 29 PID 3012 wrote to memory of 2412 3012 81a9986ef164e39f82da2e718a0eb740N.exe 29 PID 3012 wrote to memory of 2412 3012 81a9986ef164e39f82da2e718a0eb740N.exe 29 PID 2412 wrote to memory of 2832 2412 Mhopcl32.exe 30 PID 2412 wrote to memory of 2832 2412 Mhopcl32.exe 30 PID 2412 wrote to memory of 2832 2412 Mhopcl32.exe 30 PID 2412 wrote to memory of 2832 2412 Mhopcl32.exe 30 PID 2832 wrote to memory of 2852 2832 Mqjehngm.exe 31 PID 2832 wrote to memory of 2852 2832 Mqjehngm.exe 31 PID 2832 wrote to memory of 2852 2832 Mqjehngm.exe 31 PID 2832 wrote to memory of 2852 2832 Mqjehngm.exe 31 PID 2852 wrote to memory of 3004 2852 Mgfjjh32.exe 32 PID 2852 wrote to memory of 3004 2852 Mgfjjh32.exe 32 PID 2852 wrote to memory of 3004 2852 Mgfjjh32.exe 32 PID 2852 wrote to memory of 3004 2852 Mgfjjh32.exe 32 PID 3004 wrote to memory of 2608 3004 Mflgkd32.exe 33 PID 3004 wrote to memory of 2608 3004 Mflgkd32.exe 33 PID 3004 wrote to memory of 2608 3004 Mflgkd32.exe 33 PID 3004 wrote to memory of 2608 3004 Mflgkd32.exe 33 PID 2608 wrote to memory of 2924 2608 Nbddfe32.exe 34 PID 2608 wrote to memory of 2924 2608 Nbddfe32.exe 34 PID 2608 wrote to memory of 2924 2608 Nbddfe32.exe 34 PID 2608 wrote to memory of 2924 2608 Nbddfe32.exe 34 PID 2924 wrote to memory of 2480 2924 Nhdjdk32.exe 35 PID 2924 wrote to memory of 2480 2924 Nhdjdk32.exe 35 PID 2924 wrote to memory of 2480 2924 Nhdjdk32.exe 35 PID 2924 wrote to memory of 2480 2924 Nhdjdk32.exe 35 PID 2480 wrote to memory of 2988 2480 Nbljfdoh.exe 36 PID 2480 wrote to memory of 2988 2480 Nbljfdoh.exe 36 PID 2480 wrote to memory of 2988 2480 Nbljfdoh.exe 36 PID 2480 wrote to memory of 2988 2480 Nbljfdoh.exe 36 PID 2988 wrote to memory of 2984 2988 Onbkle32.exe 37 PID 2988 wrote to memory of 2984 2988 Onbkle32.exe 37 PID 2988 wrote to memory of 2984 2988 Onbkle32.exe 37 PID 2988 wrote to memory of 2984 2988 Onbkle32.exe 37 PID 2984 wrote to memory of 2996 2984 Omjeba32.exe 38 PID 2984 wrote to memory of 2996 2984 Omjeba32.exe 38 PID 2984 wrote to memory of 2996 2984 Omjeba32.exe 38 PID 2984 wrote to memory of 2996 2984 Omjeba32.exe 38 PID 2996 wrote to memory of 3048 2996 Ofbikf32.exe 39 PID 2996 wrote to memory of 3048 2996 Ofbikf32.exe 39 PID 2996 wrote to memory of 3048 2996 Ofbikf32.exe 39 PID 2996 wrote to memory of 3048 2996 Ofbikf32.exe 39 PID 3048 wrote to memory of 2252 3048 Phhonn32.exe 40 PID 3048 wrote to memory of 2252 3048 Phhonn32.exe 40 PID 3048 wrote to memory of 2252 3048 Phhonn32.exe 40 PID 3048 wrote to memory of 2252 3048 Phhonn32.exe 40 PID 2252 wrote to memory of 2200 2252 Pihlhagn.exe 41 PID 2252 wrote to memory of 2200 2252 Pihlhagn.exe 41 PID 2252 wrote to memory of 2200 2252 Pihlhagn.exe 41 PID 2252 wrote to memory of 2200 2252 Pihlhagn.exe 41 PID 2200 wrote to memory of 1728 2200 Pdffcn32.exe 42 PID 2200 wrote to memory of 1728 2200 Pdffcn32.exe 42 PID 2200 wrote to memory of 1728 2200 Pdffcn32.exe 42 PID 2200 wrote to memory of 1728 2200 Pdffcn32.exe 42 PID 1728 wrote to memory of 524 1728 Qiekadkl.exe 43 PID 1728 wrote to memory of 524 1728 Qiekadkl.exe 43 PID 1728 wrote to memory of 524 1728 Qiekadkl.exe 43 PID 1728 wrote to memory of 524 1728 Qiekadkl.exe 43 PID 524 wrote to memory of 1040 524 Alfdcp32.exe 44 PID 524 wrote to memory of 1040 524 Alfdcp32.exe 44 PID 524 wrote to memory of 1040 524 Alfdcp32.exe 44 PID 524 wrote to memory of 1040 524 Alfdcp32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\81a9986ef164e39f82da2e718a0eb740N.exe"C:\Users\Admin\AppData\Local\Temp\81a9986ef164e39f82da2e718a0eb740N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Mhopcl32.exeC:\Windows\system32\Mhopcl32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Mqjehngm.exeC:\Windows\system32\Mqjehngm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Mgfjjh32.exeC:\Windows\system32\Mgfjjh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Mflgkd32.exeC:\Windows\system32\Mflgkd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Nbddfe32.exeC:\Windows\system32\Nbddfe32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Nhdjdk32.exeC:\Windows\system32\Nhdjdk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Onbkle32.exeC:\Windows\system32\Onbkle32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Omjeba32.exeC:\Windows\system32\Omjeba32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Phhonn32.exeC:\Windows\system32\Phhonn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Pdffcn32.exeC:\Windows\system32\Pdffcn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Qiekadkl.exeC:\Windows\system32\Qiekadkl.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Alfdcp32.exeC:\Windows\system32\Alfdcp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Bkddjkej.exeC:\Windows\system32\Bkddjkej.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Bkgqpjch.exeC:\Windows\system32\Bkgqpjch.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Windows\SysWOW64\Bmjjmbgc.exeC:\Windows\system32\Bmjjmbgc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Bcgoolln.exeC:\Windows\system32\Bcgoolln.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Cmapna32.exeC:\Windows\system32\Cmapna32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Cgkanomj.exeC:\Windows\system32\Cgkanomj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Ckijdm32.exeC:\Windows\system32\Ckijdm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Dahobdpe.exeC:\Windows\system32\Dahobdpe.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Damhmc32.exeC:\Windows\system32\Damhmc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Dbcnpk32.exeC:\Windows\system32\Dbcnpk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Ebekej32.exeC:\Windows\system32\Ebekej32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Eajhgg32.exeC:\Windows\system32\Eajhgg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Emailhfb.exeC:\Windows\system32\Emailhfb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Emceag32.exeC:\Windows\system32\Emceag32.exe33⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Ekgfkl32.exeC:\Windows\system32\Ekgfkl32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Fdpjcaij.exeC:\Windows\system32\Fdpjcaij.exe35⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Fkjbpkag.exeC:\Windows\system32\Fkjbpkag.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Fdbgia32.exeC:\Windows\system32\Fdbgia32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Fpihnbmk.exeC:\Windows\system32\Fpihnbmk.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Fefpfi32.exeC:\Windows\system32\Fefpfi32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Fpkdca32.exeC:\Windows\system32\Fpkdca32.exe40⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Fhfihd32.exeC:\Windows\system32\Fhfihd32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Fhifmcfa.exeC:\Windows\system32\Fhifmcfa.exe42⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Gnenfjdh.exeC:\Windows\system32\Gnenfjdh.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Gdpfbd32.exeC:\Windows\system32\Gdpfbd32.exe44⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Gacgli32.exeC:\Windows\system32\Gacgli32.exe45⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ggppdpif.exeC:\Windows\system32\Ggppdpif.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Gnmdfi32.exeC:\Windows\system32\Gnmdfi32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Gjcekj32.exeC:\Windows\system32\Gjcekj32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Hggeeo32.exeC:\Windows\system32\Hggeeo32.exe49⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Hobjia32.exeC:\Windows\system32\Hobjia32.exe50⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Hjhofj32.exeC:\Windows\system32\Hjhofj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Hmighemp.exeC:\Windows\system32\Hmighemp.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Hnjdpm32.exeC:\Windows\system32\Hnjdpm32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Hnlqemal.exeC:\Windows\system32\Hnlqemal.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Hibebeqb.exeC:\Windows\system32\Hibebeqb.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Hjcajn32.exeC:\Windows\system32\Hjcajn32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Iclfccmq.exeC:\Windows\system32\Iclfccmq.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Iekbmfdc.exeC:\Windows\system32\Iekbmfdc.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Incgfl32.exeC:\Windows\system32\Incgfl32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Icponb32.exeC:\Windows\system32\Icponb32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Imidgh32.exeC:\Windows\system32\Imidgh32.exe61⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Icbldbgi.exeC:\Windows\system32\Icbldbgi.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Iiodliep.exeC:\Windows\system32\Iiodliep.exe63⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Iefeaj32.exeC:\Windows\system32\Iefeaj32.exe64⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Jlpmndba.exeC:\Windows\system32\Jlpmndba.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Jhgnbehe.exeC:\Windows\system32\Jhgnbehe.exe66⤵PID:1140
-
C:\Windows\SysWOW64\Jekoljgo.exeC:\Windows\system32\Jekoljgo.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Jjhgdqef.exeC:\Windows\system32\Jjhgdqef.exe68⤵
- System Location Discovery: System Language Discovery
PID:924 -
C:\Windows\SysWOW64\Jdplmflg.exeC:\Windows\system32\Jdplmflg.exe69⤵PID:1256
-
C:\Windows\SysWOW64\Jmhpfl32.exeC:\Windows\system32\Jmhpfl32.exe70⤵PID:2372
-
C:\Windows\SysWOW64\Jjlqpp32.exeC:\Windows\system32\Jjlqpp32.exe71⤵
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Kkomepon.exeC:\Windows\system32\Kkomepon.exe72⤵PID:2720
-
C:\Windows\SysWOW64\Kdgane32.exeC:\Windows\system32\Kdgane32.exe73⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Klbfbg32.exeC:\Windows\system32\Klbfbg32.exe74⤵PID:2848
-
C:\Windows\SysWOW64\Kmbclj32.exeC:\Windows\system32\Kmbclj32.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Kbokda32.exeC:\Windows\system32\Kbokda32.exe76⤵PID:2656
-
C:\Windows\SysWOW64\Klgpmgod.exeC:\Windows\system32\Klgpmgod.exe77⤵PID:2324
-
C:\Windows\SysWOW64\Kikpgk32.exeC:\Windows\system32\Kikpgk32.exe78⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Lafekm32.exeC:\Windows\system32\Lafekm32.exe79⤵PID:2928
-
C:\Windows\SysWOW64\Lednal32.exeC:\Windows\system32\Lednal32.exe80⤵PID:2228
-
C:\Windows\SysWOW64\Lnobfn32.exeC:\Windows\system32\Lnobfn32.exe81⤵PID:1668
-
C:\Windows\SysWOW64\Lkccob32.exeC:\Windows\system32\Lkccob32.exe82⤵
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Lppkgi32.exeC:\Windows\system32\Lppkgi32.exe83⤵PID:2180
-
C:\Windows\SysWOW64\Llgllj32.exeC:\Windows\system32\Llgllj32.exe84⤵
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Mnfhfmhc.exeC:\Windows\system32\Mnfhfmhc.exe85⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Mfhcknpf.exeC:\Windows\system32\Mfhcknpf.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Nndhpqma.exeC:\Windows\system32\Nndhpqma.exe87⤵
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Ngoinfao.exeC:\Windows\system32\Ngoinfao.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1252 -
C:\Windows\SysWOW64\Nqgngk32.exeC:\Windows\system32\Nqgngk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Nmnoll32.exeC:\Windows\system32\Nmnoll32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1880 -
C:\Windows\SysWOW64\Nidoamch.exeC:\Windows\system32\Nidoamch.exe91⤵PID:652
-
C:\Windows\SysWOW64\Ncjcnfcn.exeC:\Windows\system32\Ncjcnfcn.exe92⤵PID:2072
-
C:\Windows\SysWOW64\Oiglfm32.exeC:\Windows\system32\Oiglfm32.exe93⤵PID:2660
-
C:\Windows\SysWOW64\Opqdcgib.exeC:\Windows\system32\Opqdcgib.exe94⤵PID:2676
-
C:\Windows\SysWOW64\Ofklpa32.exeC:\Windows\system32\Ofklpa32.exe95⤵PID:1628
-
C:\Windows\SysWOW64\Onfadc32.exeC:\Windows\system32\Onfadc32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Oafjfokk.exeC:\Windows\system32\Oafjfokk.exe97⤵PID:1976
-
C:\Windows\SysWOW64\Ollncgjq.exeC:\Windows\system32\Ollncgjq.exe98⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Ohcohh32.exeC:\Windows\system32\Ohcohh32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Pegpamoo.exeC:\Windows\system32\Pegpamoo.exe100⤵PID:2284
-
C:\Windows\SysWOW64\Ppqqbjkm.exeC:\Windows\system32\Ppqqbjkm.exe101⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Pdnihiad.exeC:\Windows\system32\Pdnihiad.exe102⤵
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Pjhaec32.exeC:\Windows\system32\Pjhaec32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Pdqfnhpa.exeC:\Windows\system32\Pdqfnhpa.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Pinnfonh.exeC:\Windows\system32\Pinnfonh.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Pbfcoedi.exeC:\Windows\system32\Pbfcoedi.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Phckglbq.exeC:\Windows\system32\Phckglbq.exe107⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Qoopie32.exeC:\Windows\system32\Qoopie32.exe108⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Alcqcjgd.exeC:\Windows\system32\Alcqcjgd.exe109⤵PID:2452
-
C:\Windows\SysWOW64\Ahjahk32.exeC:\Windows\system32\Ahjahk32.exe110⤵PID:1568
-
C:\Windows\SysWOW64\Anfjpa32.exeC:\Windows\system32\Anfjpa32.exe111⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Aniffaim.exeC:\Windows\system32\Aniffaim.exe112⤵
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Agakog32.exeC:\Windows\system32\Agakog32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Ankckagj.exeC:\Windows\system32\Ankckagj.exe114⤵PID:2496
-
C:\Windows\SysWOW64\Ajbdpblo.exeC:\Windows\system32\Ajbdpblo.exe115⤵
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Bfieec32.exeC:\Windows\system32\Bfieec32.exe116⤵PID:1368
-
C:\Windows\SysWOW64\Bfkakbpp.exeC:\Windows\system32\Bfkakbpp.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe118⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Bdpnlo32.exeC:\Windows\system32\Bdpnlo32.exe119⤵PID:1792
-
C:\Windows\SysWOW64\Bbdoec32.exeC:\Windows\system32\Bbdoec32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Bdbkaoce.exeC:\Windows\system32\Bdbkaoce.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-