Analysis
-
max time kernel: 118s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 01/09/2024, 20:58
Static task: static1
Behavioral task: behavioral1
Sample: 6f5ecbb4679b74af1d61591af75869f0N.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 6f5ecbb4679b74af1d61591af75869f0N.exe
Resource: win10v2004-20240802-en
General
-
Target: 6f5ecbb4679b74af1d61591af75869f0N.exe
Size: 72KB
MD5: 6f5ecbb4679b74af1d61591af75869f0
SHA1: b3c30e8537d11b1c7f2cdf51063b108560d911b5
SHA256: 054d51a64374139fc972d966e54a484759263843dc618ba4aac6dd07f008a210
SHA512: 4e4638b313d9979ac30ffc66411d5d43388322345d1a35832fd8f5080e32eb6449c9714a48f38bcb2f27ebcee183c780d3cddd169a2fb4ee483f2af704155ddc
SSDEEP: 768:5uHQA7ft4A4K8oPTZY5CI1O2Ew8Qow/5lVn5mhf9/LQYVogvd/Wu/hzhcujpVsMK:XA7ft4AHNY531MJAlV5mD/LagleEz9w
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process (64 rows, grouped by operation; the ioc is identical within each group)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 31 processes: Egpfheoa.exe, Fkibbh32.exe, Fqkdenfj.exe, Ndadld32.exe, Ppogahko.exe, Epmdljal.exe, Hjjknfin.exe, Megmpi32.exe, Bcfbbe32.exe, Fcnmne32.exe, Mghjcq32.exe, Anepooja.exe, Fklohgie.exe, Fgbpmh32.exe, Hjlhcegl.exe, Pmlajm32.exe, Faegda32.exe, Lbghpjih.exe, Opaggdfa.exe, Pofqhdnd.exe, Emjoep32.exe, Hbjmodph.exe, Pncgjl32.exe, Elolfl32.exe, Pkdknq32.exe, Cpdeghgk.exe, Mcokhaho.exe, Pgionbbl.exe, Omnapi32.exe, Miqmkh32.exe, Dophid32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 33 processes: Ajnnipnc.exe, Cjbccb32.exe, Hcpbalaa.exe, Cgfdmf32.exe, Ilpaqmkg.exe, Icgibkki.exe, Ckkjmf32.exe, Cefkkk32.exe, Egpfheoa.exe, Nejjfh32.exe, Pmlajm32.exe, Dehdpnok.exe, Gnldhf32.exe, Megmpi32.exe, Fnjkdcii.exe, Lhodgebh.exe, Bfeonq32.exe, Hcbogk32.exe, Bbnlia32.exe, Cbpendha.exe, Nacgpi32.exe, Ajidnp32.exe, Cnifia32.exe, Emmljodk.exe, Ibglhhdf.exe, Oabdol32.exe, Penlon32.exe, Belhem32.exe, Mphhbblp.exe, Epmdljal.exe, Hnanceem.exe, Opmnle32.exe, Oficoo32.exe
-
Executes dropped EXE 64 IoCs
pid | Process
2256 | Lhlgaedj.exe
2112 | Lkkcmqcn.exe
2324 | Lnipilbb.exe
2784 | Lhodgebh.exe
1768 | Lkmpcpak.exe
2584 | Lbghpjih.exe
2596 | Lhaqld32.exe
1976 | Ljbmdmfc.exe
2936 | Lbieejff.exe
2388 | Lgfmmaem.exe
1772 | Ljdjildq.exe
932 | Lqnbffkn.exe
1820 | Mghjcq32.exe
2488 | Mqqolfik.exe
584 | Mcokhaho.exe
2192 | Milcphgf.exe
2352 | Mmgoqg32.exe
1404 | Mfpdim32.exe
1176 | Mjkpjkni.exe
2316 | Mmjlfgml.exe
288 | Mphhbblp.exe
904 | Mfbqol32.exe
1536 | Miqmkh32.exe
1452 | Mnnecoah.exe
1924 | Mbiadm32.exe
2160 | Megmpi32.exe
1648 | Npmana32.exe
1068 | Nannejni.exe
2464 | Nejjfh32.exe
2572 | Naqkki32.exe
2836 | Nelgkhdp.exe
3056 | Nacgpi32.exe
2004 | Ndadld32.exe
2940 | Nhmpmcaq.exe
3044 | Njklioqd.exe
1704 | Nfbmnpfh.exe
1524 | Niqijkel.exe
2612 | Nagakhfn.exe
2884 | Nbincq32.exe
272 | Omnapi32.exe
2524 | Opmnle32.exe
1256 | Oiebej32.exe
2356 | Opokbdhc.exe
2880 | Oobkna32.exe
1008 | Oficoo32.exe
2272 | Opaggdfa.exe
1844 | Obpccped.exe
2300 | Oabdol32.exe
1812 | Oijlpjma.exe
2452 | Ohmllf32.exe
2156 | Okkhhb32.exe
2240 | Oogdiqki.exe
2700 | Oaeqeljm.exe
2916 | Odcmagip.exe
2544 | Olkebejb.exe
2752 | Okmena32.exe
560 | Pmlajm32.exe
1784 | Pagmjlhj.exe
948 | Pdfifg32.exe
2644 | Pgdfbb32.exe
1288 | Pokndp32.exe
2196 | Pajjpk32.exe
2888 | Pdhflg32.exe
1696 | Phcbmend.exe
-
Loads dropped DLL 64 IoCs
pid | Process (each pid/Process pair below is listed twice in the original table, 64 rows in total)
2416 | 6f5ecbb4679b74af1d61591af75869f0N.exe
2256 | Lhlgaedj.exe
2112 | Lkkcmqcn.exe
2324 | Lnipilbb.exe
2784 | Lhodgebh.exe
1768 | Lkmpcpak.exe
2584 | Lbghpjih.exe
2596 | Lhaqld32.exe
1976 | Ljbmdmfc.exe
2936 | Lbieejff.exe
2388 | Lgfmmaem.exe
1772 | Ljdjildq.exe
932 | Lqnbffkn.exe
1820 | Mghjcq32.exe
2488 | Mqqolfik.exe
584 | Mcokhaho.exe
2192 | Milcphgf.exe
2352 | Mmgoqg32.exe
1404 | Mfpdim32.exe
1176 | Mjkpjkni.exe
2316 | Mmjlfgml.exe
288 | Mphhbblp.exe
904 | Mfbqol32.exe
1536 | Miqmkh32.exe
1452 | Mnnecoah.exe
1924 | Mbiadm32.exe
2160 | Megmpi32.exe
1648 | Npmana32.exe
1068 | Nannejni.exe
2464 | Nejjfh32.exe
2572 | Naqkki32.exe
2836 | Nelgkhdp.exe
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Phcbmend.exe | Pdhflg32.exe
File created | C:\Windows\SysWOW64\Fdfpfm32.exe | Fqkdenfj.exe
File created | C:\Windows\SysWOW64\Nacgpi32.exe | Nelgkhdp.exe
File created | C:\Windows\SysWOW64\Odcmagip.exe | Oaeqeljm.exe
File opened for modification | C:\Windows\SysWOW64\Bmcpfj32.exe | Belhem32.exe
File created | C:\Windows\SysWOW64\Cflanc32.exe | Cbpendha.exe
File created | C:\Windows\SysWOW64\Cignli32.dll | Epmdljal.exe
File created | C:\Windows\SysWOW64\Pmqkellk.exe | Pkboiamh.exe
File opened for modification | C:\Windows\SysWOW64\Bijakkmc.exe | Bfldopno.exe
File created | C:\Windows\SysWOW64\Emjoep32.exe | Egpfheoa.exe
File opened for modification | C:\Windows\SysWOW64\Gnldhf32.exe | Gknhlj32.exe
File created | C:\Windows\SysWOW64\Ccolcf32.dll | Ahcoli32.exe
File created | C:\Windows\SysWOW64\Eopehg32.exe | Epmdljal.exe
File created | C:\Windows\SysWOW64\Gjeedcjh.exe | Gggihhkd.exe
File created | C:\Windows\SysWOW64\Gldgomqc.dll | Hnegod32.exe
File opened for modification | C:\Windows\SysWOW64\Iifnpagn.exe | Ifhacfhj.exe
File created | C:\Windows\SysWOW64\Ihmbpdjj.dll | Milcphgf.exe
File created | C:\Windows\SysWOW64\Plhdkhoq.exe | Pijhompm.exe
File created | C:\Windows\SysWOW64\Egaepoqh.dll | Pijhompm.exe
File created | C:\Windows\SysWOW64\Kapemg32.dll | Bbnlia32.exe
File opened for modification | C:\Windows\SysWOW64\Hiahfo32.exe | Gdflepqo.exe
File created | C:\Windows\SysWOW64\Fjmnbnnd.dll | Pdmpgfae.exe
File created | C:\Windows\SysWOW64\Dephbjgj.dll | Qagiio32.exe
File created | C:\Windows\SysWOW64\Agmehd32.exe | Acbigfii.exe
File opened for modification | C:\Windows\SysWOW64\Hkbagjfi.exe | Hidekn32.exe
File opened for modification | C:\Windows\SysWOW64\Qpfmageg.exe | Qhoeqide.exe
File created | C:\Windows\SysWOW64\Qecejnco.exe | Qagiio32.exe
File created | C:\Windows\SysWOW64\Aopcnbfj.exe | Agikmeeg.exe
File opened for modification | C:\Windows\SysWOW64\Gnaadb32.exe | Gjeedcjh.exe
File created | C:\Windows\SysWOW64\Plfhfiqc.exe | Pncgjl32.exe
File created | C:\Windows\SysWOW64\Qpfmageg.exe | Qhoeqide.exe
File opened for modification | C:\Windows\SysWOW64\Ajnnipnc.exe | Acdemegf.exe
File opened for modification | C:\Windows\SysWOW64\Bcfbbe32.exe | Bqhffj32.exe
File opened for modification | C:\Windows\SysWOW64\Cjbccb32.exe | Cgdggg32.exe
File created | C:\Windows\SysWOW64\Fdlnmk32.dll | Okkhhb32.exe
File created | C:\Windows\SysWOW64\Nhdhboaf.dll | Hjjknfin.exe
File created | C:\Windows\SysWOW64\Enfehe32.dll | Hekfpo32.exe
File opened for modification | C:\Windows\SysWOW64\Nannejni.exe | Npmana32.exe
File created | C:\Windows\SysWOW64\Diofenki.exe | Dbenhc32.exe
File opened for modification | C:\Windows\SysWOW64\Mnnecoah.exe | Miqmkh32.exe
File created | C:\Windows\SysWOW64\Fgelbhmg.exe | Fdfpfm32.exe
File opened for modification | C:\Windows\SysWOW64\Mqqolfik.exe | Mghjcq32.exe
File created | C:\Windows\SysWOW64\Qokjcc32.exe | Qecejnco.exe
File created | C:\Windows\SysWOW64\Nbeeolfd.dll | Bbpioa32.exe
File created | C:\Windows\SysWOW64\Cpbiaiin.exe | Cmclem32.exe
File created | C:\Windows\SysWOW64\Jmigdjnd.dll | Dbbacdfo.exe
File opened for modification | C:\Windows\SysWOW64\Ggifmgia.exe | Gobnljhp.exe
File created | C:\Windows\SysWOW64\Fknlmggc.exe | Fgbpmh32.exe
File created | C:\Windows\SysWOW64\Dnfchj32.dll | Gdimlllq.exe
File opened for modification | C:\Windows\SysWOW64\Hjjknfin.exe | Hglobj32.exe
File created | C:\Windows\SysWOW64\Iiaddb32.exe | Ifchhf32.exe
File created | C:\Windows\SysWOW64\Hcjbee32.dll | Pdjcaf32.exe
File opened for modification | C:\Windows\SysWOW64\Pgionbbl.exe | Pdjcaf32.exe
File created | C:\Windows\SysWOW64\Nejjfh32.exe | Nannejni.exe
File created | C:\Windows\SysWOW64\Gjabnoie.dll | Ckmfbf32.exe
File created | C:\Windows\SysWOW64\Hcnech32.dll | Gobnljhp.exe
File opened for modification | C:\Windows\SysWOW64\Giolpo32.exe | Gddppp32.exe
File created | C:\Windows\SysWOW64\Oajhjeqh.dll | Ljdjildq.exe
File opened for modification | C:\Windows\SysWOW64\Omnapi32.exe | Nbincq32.exe
File created | C:\Windows\SysWOW64\Kgjpfago.dll | Oogdiqki.exe
File opened for modification | C:\Windows\SysWOW64\Bjcgdojn.exe | Bblocaik.exe
File opened for modification | C:\Windows\SysWOW64\Bmacqj32.exe | Bjcgdojn.exe
File created | C:\Windows\SysWOW64\Fqkdenfj.exe | Fnlhibff.exe
File opened for modification | C:\Windows\SysWOW64\Fjchnclk.exe | Fgelbhmg.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3328 | 3256 | WerFault.exe | 292
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process (64 rows; every row is the same operation on the same key)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64 processes: Mjkpjkni.exe, Cjbccb32.exe, Cnnpdaeb.exe, Cjepib32.exe, Angmdoho.exe, Bbnlia32.exe, Cmocjn32.exe, Pgionbbl.exe, Qhoeqide.exe, Diofenki.exe, Milcphgf.exe, Cgdggg32.exe, Fklohgie.exe, Gbecce32.exe, Elmoqlmh.exe, Gmhkkn32.exe, Pdmpgfae.exe, Qpfmageg.exe, Cgfdmf32.exe, Dlmcaijm.exe, Fieiephm.exe, Lhlgaedj.exe, Nelgkhdp.exe, Oiebej32.exe, Pokndp32.exe, Niqijkel.exe, Afebpmal.exe, Bfeonq32.exe, Penlon32.exe, Qagiio32.exe, Haafepbn.exe, Mqqolfik.exe, Dbbacdfo.exe, Eehpoaaf.exe, Fqkdenfj.exe, Hkenmidf.exe, Iidajaiq.exe, Inqjbhhh.exe, Ljdjildq.exe, Nfbmnpfh.exe, Oobkna32.exe, Bngicb32.exe, Ckmfbf32.exe, Pdhflg32.exe, Edbjljpm.exe, Giolpo32.exe, Ilbnfmhd.exe, Naqkki32.exe, Nbincq32.exe, Ohmllf32.exe, Faanibeh.exe, Donlcdgn.exe, Egpfheoa.exe, Gqomqm32.exe, Gnldhf32.exe, Ljbmdmfc.exe, Megmpi32.exe, Nhmpmcaq.exe, Daoeeo32.exe, Gfobndnj.exe, Fnlhibff.exe, Ifchhf32.exe, Lnipilbb.exe, Pdjcaf32.exe
-
Modifies registry class 64 IoCs
description | ioc | Process (64 rows, grouped by operation; all rows touch the same CLSID key \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32)
Key created | ...\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 22 processes: Dophid32.exe, Omnapi32.exe, Ddkdkk32.exe, Ifhacfhj.exe, Megmpi32.exe, Fcnmne32.exe, Aomghchl.exe, Nbincq32.exe, Hjjknfin.exe, Hcbogk32.exe, Mjkpjkni.exe, Pdfifg32.exe, Cjepib32.exe, Ifeenfjm.exe, Inqjbhhh.exe, Gfclic32.exe, Gjeedcjh.exe, Qjleem32.exe, Gbecce32.exe, Giolpo32.exe, Qoimmc32.exe, Cgdggg32.exe
Set value (str) | ...\InProcServer32\ThreadingModel = "Apartment" | 16 processes: Diljpn32.exe, Cmfikmhg.exe, Dlmcaijm.exe, Cbpendha.exe, Mmjlfgml.exe, Epmdljal.exe, Aalcdngp.exe, Fhmblljb.exe, Ppogahko.exe, Gfobndnj.exe, Lqnbffkn.exe, Plfhfiqc.exe, Ggifmgia.exe, Cmocjn32.exe, Edbjljpm.exe, Bickkl32.exe
Set value (str) | ...\InProcServer32\ (default value, the DLL Explorer will load) | 26 rows, each with a different DLL:
"C:\\Windows\\SysWow64\\Oqknikcm.dll" | Afebpmal.exe
"C:\\Windows\\SysWow64\\Ebbdehmm.dll" | Pkboiamh.exe
"C:\\Windows\\SysWow64\\Lndmik32.dll" | Hidekn32.exe
"C:\\Windows\\SysWow64\\Hnonab32.dll" | Fkibbh32.exe
"C:\\Windows\\SysWow64\\Pckoinol.dll" | Cpdeghgk.exe
"C:\\Windows\\SysWow64\\Hlfoqm32.dll" | Fdafkm32.exe
"C:\\Windows\\SysWow64\\Eidcdc32.dll" | Fphgpnhm.exe
"C:\\Windows\\SysWow64\\Lifdifgc.dll" | Adhbkj32.exe
"C:\\Windows\\SysWow64\\Bmfjmn32.dll" | Bqjcli32.exe
"C:\\Windows\\SysWow64\\Kqeeabhm.dll" | Gqomqm32.exe
"C:\\Windows\\SysWow64\\Egaepoqh.dll" | Pijhompm.exe
"C:\\Windows\\SysWow64\\Pnbihl32.dll" | Lhaqld32.exe
"C:\\Windows\\SysWow64\\Eehkba32.dll" | Elmoqlmh.exe
"C:\\Windows\\SysWow64\\Ikfhqc32.dll" | Acbigfii.exe
"C:\\Windows\\SysWow64\\Eknmgkpa.dll" | Bjcgdojn.exe
"C:\\Windows\\SysWow64\\Nfepljba.dll" | Hadckp32.exe
"C:\\Windows\\SysWow64\\Himipmhj.dll" | Akiahcik.exe
"C:\\Windows\\SysWow64\\Bnajicja.dll" | Mbiadm32.exe
"C:\\Windows\\SysWow64\\Oceoec32.dll" | Oijlpjma.exe
"C:\\Windows\\SysWow64\\Apbkag32.dll" | Gfclic32.exe
"C:\\Windows\\SysWow64\\Ddbika32.dll" | Hbjmodph.exe
"C:\\Windows\\SysWow64\\Mlpjfblj.dll" | Eopehg32.exe
"C:\\Windows\\SysWow64\\Kbkiab32.dll" | Lnipilbb.exe
"C:\\Windows\\SysWow64\\Bibinmff.dll" | Mmgoqg32.exe
"C:\\Windows\\SysWow64\\Mfgfbfkh.dll" | Bfldopno.exe
"C:\\Windows\\SysWow64\\Nklpqgcc.dll" | Qoimmc32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2416 wrote to memory of 2256 2416 6f5ecbb4679b74af1d61591af75869f0N.exe 29 PID 2416 wrote to memory of 2256 2416 6f5ecbb4679b74af1d61591af75869f0N.exe 29 PID 2416 wrote to memory of 2256 2416 6f5ecbb4679b74af1d61591af75869f0N.exe 29 PID 2416 wrote to memory of 2256 2416 6f5ecbb4679b74af1d61591af75869f0N.exe 29 PID 2256 wrote to memory of 2112 2256 Lhlgaedj.exe 30 PID 2256 wrote to memory of 2112 2256 Lhlgaedj.exe 30 PID 2256 wrote to memory of 2112 2256 Lhlgaedj.exe 30 PID 2256 wrote to memory of 2112 2256 Lhlgaedj.exe 30 PID 2112 wrote to memory of 2324 2112 Lkkcmqcn.exe 31 PID 2112 wrote to memory of 2324 2112 Lkkcmqcn.exe 31 PID 2112 wrote to memory of 2324 2112 Lkkcmqcn.exe 31 PID 2112 wrote to memory of 2324 2112 Lkkcmqcn.exe 31 PID 2324 wrote to memory of 2784 2324 Lnipilbb.exe 32 PID 2324 wrote to memory of 2784 2324 Lnipilbb.exe 32 PID 2324 wrote to memory of 2784 2324 Lnipilbb.exe 32 PID 2324 wrote to memory of 2784 2324 Lnipilbb.exe 32 PID 2784 wrote to memory of 1768 2784 Lhodgebh.exe 33 PID 2784 wrote to memory of 1768 2784 Lhodgebh.exe 33 PID 2784 wrote to memory of 1768 2784 Lhodgebh.exe 33 PID 2784 wrote to memory of 1768 2784 Lhodgebh.exe 33 PID 1768 wrote to memory of 2584 1768 Lkmpcpak.exe 34 PID 1768 wrote to memory of 2584 1768 Lkmpcpak.exe 34 PID 1768 wrote to memory of 2584 1768 Lkmpcpak.exe 34 PID 1768 wrote to memory of 2584 1768 Lkmpcpak.exe 34 PID 2584 wrote to memory of 2596 2584 Lbghpjih.exe 35 PID 2584 wrote to memory of 2596 2584 Lbghpjih.exe 35 PID 2584 wrote to memory of 2596 2584 Lbghpjih.exe 35 PID 2584 wrote to memory of 2596 2584 Lbghpjih.exe 35 PID 2596 wrote to memory of 1976 2596 Lhaqld32.exe 36 PID 2596 wrote to memory of 1976 2596 Lhaqld32.exe 36 PID 2596 wrote to memory of 1976 2596 Lhaqld32.exe 36 PID 2596 wrote to memory of 1976 2596 Lhaqld32.exe 36 PID 1976 wrote to memory of 2936 1976 Ljbmdmfc.exe 37 PID 1976 wrote to memory of 2936 1976 Ljbmdmfc.exe 37 PID 1976 wrote to memory 
of 2936 1976 Ljbmdmfc.exe 37 PID 1976 wrote to memory of 2936 1976 Ljbmdmfc.exe 37 PID 2936 wrote to memory of 2388 2936 Lbieejff.exe 38 PID 2936 wrote to memory of 2388 2936 Lbieejff.exe 38 PID 2936 wrote to memory of 2388 2936 Lbieejff.exe 38 PID 2936 wrote to memory of 2388 2936 Lbieejff.exe 38 PID 2388 wrote to memory of 1772 2388 Lgfmmaem.exe 39 PID 2388 wrote to memory of 1772 2388 Lgfmmaem.exe 39 PID 2388 wrote to memory of 1772 2388 Lgfmmaem.exe 39 PID 2388 wrote to memory of 1772 2388 Lgfmmaem.exe 39 PID 1772 wrote to memory of 932 1772 Ljdjildq.exe 40 PID 1772 wrote to memory of 932 1772 Ljdjildq.exe 40 PID 1772 wrote to memory of 932 1772 Ljdjildq.exe 40 PID 1772 wrote to memory of 932 1772 Ljdjildq.exe 40 PID 932 wrote to memory of 1820 932 Lqnbffkn.exe 41 PID 932 wrote to memory of 1820 932 Lqnbffkn.exe 41 PID 932 wrote to memory of 1820 932 Lqnbffkn.exe 41 PID 932 wrote to memory of 1820 932 Lqnbffkn.exe 41 PID 1820 wrote to memory of 2488 1820 Mghjcq32.exe 42 PID 1820 wrote to memory of 2488 1820 Mghjcq32.exe 42 PID 1820 wrote to memory of 2488 1820 Mghjcq32.exe 42 PID 1820 wrote to memory of 2488 1820 Mghjcq32.exe 42 PID 2488 wrote to memory of 584 2488 Mqqolfik.exe 43 PID 2488 wrote to memory of 584 2488 Mqqolfik.exe 43 PID 2488 wrote to memory of 584 2488 Mqqolfik.exe 43 PID 2488 wrote to memory of 584 2488 Mqqolfik.exe 43 PID 584 wrote to memory of 2192 584 Mcokhaho.exe 44 PID 584 wrote to memory of 2192 584 Mcokhaho.exe 44 PID 584 wrote to memory of 2192 584 Mcokhaho.exe 44 PID 584 wrote to memory of 2192 584 Mcokhaho.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f5ecbb4679b74af1d61591af75869f0N.exe"C:\Users\Admin\AppData\Local\Temp\6f5ecbb4679b74af1d61591af75869f0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Lhlgaedj.exeC:\Windows\system32\Lhlgaedj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Lkkcmqcn.exeC:\Windows\system32\Lkkcmqcn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Lnipilbb.exeC:\Windows\system32\Lnipilbb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Lhodgebh.exeC:\Windows\system32\Lhodgebh.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Lkmpcpak.exeC:\Windows\system32\Lkmpcpak.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Lbghpjih.exeC:\Windows\system32\Lbghpjih.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Lhaqld32.exeC:\Windows\system32\Lhaqld32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Ljbmdmfc.exeC:\Windows\system32\Ljbmdmfc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Lbieejff.exeC:\Windows\system32\Lbieejff.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Lgfmmaem.exeC:\Windows\system32\Lgfmmaem.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Ljdjildq.exeC:\Windows\system32\Ljdjildq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Lqnbffkn.exeC:\Windows\system32\Lqnbffkn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Mghjcq32.exeC:\Windows\system32\Mghjcq32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Mqqolfik.exeC:\Windows\system32\Mqqolfik.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Mcokhaho.exeC:\Windows\system32\Mcokhaho.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Milcphgf.exeC:\Windows\system32\Milcphgf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Mmgoqg32.exeC:\Windows\system32\Mmgoqg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Mfpdim32.exeC:\Windows\system32\Mfpdim32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404 -
C:\Windows\SysWOW64\Mjkpjkni.exeC:\Windows\system32\Mjkpjkni.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Mmjlfgml.exeC:\Windows\system32\Mmjlfgml.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Mphhbblp.exeC:\Windows\system32\Mphhbblp.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\Mfbqol32.exeC:\Windows\system32\Mfbqol32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Miqmkh32.exeC:\Windows\system32\Miqmkh32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Mnnecoah.exeC:\Windows\system32\Mnnecoah.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\Mbiadm32.exeC:\Windows\system32\Mbiadm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Megmpi32.exeC:\Windows\system32\Megmpi32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Npmana32.exeC:\Windows\system32\Npmana32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Nannejni.exeC:\Windows\system32\Nannejni.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Nejjfh32.exeC:\Windows\system32\Nejjfh32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Naqkki32.exeC:\Windows\system32\Naqkki32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Nelgkhdp.exeC:\Windows\system32\Nelgkhdp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Nacgpi32.exeC:\Windows\system32\Nacgpi32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Ndadld32.exeC:\Windows\system32\Ndadld32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Nhmpmcaq.exeC:\Windows\system32\Nhmpmcaq.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Njklioqd.exeC:\Windows\system32\Njklioqd.exe36⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Nfbmnpfh.exeC:\Windows\system32\Nfbmnpfh.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Niqijkel.exeC:\Windows\system32\Niqijkel.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Nagakhfn.exeC:\Windows\system32\Nagakhfn.exe39⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Nbincq32.exeC:\Windows\system32\Nbincq32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Omnapi32.exeC:\Windows\system32\Omnapi32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:272 -
C:\Windows\SysWOW64\Opmnle32.exeC:\Windows\system32\Opmnle32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Oiebej32.exeC:\Windows\system32\Oiebej32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1256 -
C:\Windows\SysWOW64\Opokbdhc.exeC:\Windows\system32\Opokbdhc.exe44⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Oobkna32.exeC:\Windows\system32\Oobkna32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Oficoo32.exeC:\Windows\system32\Oficoo32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Opaggdfa.exeC:\Windows\system32\Opaggdfa.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Obpccped.exeC:\Windows\system32\Obpccped.exe48⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Oabdol32.exeC:\Windows\system32\Oabdol32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Oijlpjma.exeC:\Windows\system32\Oijlpjma.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Ohmllf32.exeC:\Windows\system32\Ohmllf32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Okkhhb32.exeC:\Windows\system32\Okkhhb32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Oogdiqki.exeC:\Windows\system32\Oogdiqki.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Oaeqeljm.exeC:\Windows\system32\Oaeqeljm.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Odcmagip.exeC:\Windows\system32\Odcmagip.exe55⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Olkebejb.exeC:\Windows\system32\Olkebejb.exe56⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Okmena32.exeC:\Windows\system32\Okmena32.exe57⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Pmlajm32.exeC:\Windows\system32\Pmlajm32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Pagmjlhj.exeC:\Windows\system32\Pagmjlhj.exe59⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Pdfifg32.exeC:\Windows\system32\Pdfifg32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Pgdfbb32.exeC:\Windows\system32\Pgdfbb32.exe61⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Pokndp32.exeC:\Windows\system32\Pokndp32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Pajjpk32.exeC:\Windows\system32\Pajjpk32.exe63⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Pdhflg32.exeC:\Windows\system32\Pdhflg32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Phcbmend.exeC:\Windows\system32\Phcbmend.exe65⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Pkboiamh.exeC:\Windows\system32\Pkboiamh.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Pmqkellk.exeC:\Windows\system32\Pmqkellk.exe67⤵
PID:3024 -
C:\Windows\SysWOW64\Ppogahko.exeC:\Windows\system32\Ppogahko.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:608 -
C:\Windows\SysWOW64\Pdjcaf32.exeC:\Windows\system32\Pdjcaf32.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Pgionbbl.exeC:\Windows\system32\Pgionbbl.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Pkdknq32.exeC:\Windows\system32\Pkdknq32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Pncgjl32.exeC:\Windows\system32\Pncgjl32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Plfhfiqc.exeC:\Windows\system32\Plfhfiqc.exe73⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Pdmpgfae.exeC:\Windows\system32\Pdmpgfae.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Penlon32.exeC:\Windows\system32\Penlon32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Pijhompm.exeC:\Windows\system32\Pijhompm.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Plhdkhoq.exeC:\Windows\system32\Plhdkhoq.exe77⤵
PID:1544 -
C:\Windows\SysWOW64\Ppcplg32.exeC:\Windows\system32\Ppcplg32.exe78⤵
PID:2532 -
C:\Windows\SysWOW64\Pofqhdnd.exeC:\Windows\system32\Pofqhdnd.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1204 -
C:\Windows\SysWOW64\Pgnhiaof.exeC:\Windows\system32\Pgnhiaof.exe80⤵
PID:2492 -
C:\Windows\SysWOW64\Qjleem32.exeC:\Windows\system32\Qjleem32.exe81⤵
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Qhoeqide.exeC:\Windows\system32\Qhoeqide.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Qpfmageg.exeC:\Windows\system32\Qpfmageg.exe83⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Qoimmc32.exeC:\Windows\system32\Qoimmc32.exe84⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Qagiio32.exeC:\Windows\system32\Qagiio32.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Qecejnco.exeC:\Windows\system32\Qecejnco.exe86⤵
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Qokjcc32.exeC:\Windows\system32\Qokjcc32.exe87⤵
PID:2748 -
C:\Windows\SysWOW64\Qcgfcbbh.exeC:\Windows\system32\Qcgfcbbh.exe88⤵
PID:2660 -
C:\Windows\SysWOW64\Afebpmal.exeC:\Windows\system32\Afebpmal.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Adhbkj32.exeC:\Windows\system32\Adhbkj32.exe90⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Ahcoli32.exeC:\Windows\system32\Ahcoli32.exe91⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Aomghchl.exeC:\Windows\system32\Aomghchl.exe92⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Aalcdngp.exeC:\Windows\system32\Aalcdngp.exe93⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Afgoem32.exeC:\Windows\system32\Afgoem32.exe94⤵
PID:408 -
C:\Windows\SysWOW64\Ahfkah32.exeC:\Windows\system32\Ahfkah32.exe95⤵
PID:2496 -
C:\Windows\SysWOW64\Agikmeeg.exeC:\Windows\system32\Agikmeeg.exe96⤵
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Aopcnbfj.exeC:\Windows\system32\Aopcnbfj.exe97⤵
PID:2508 -
C:\Windows\SysWOW64\Abnpjnem.exeC:\Windows\system32\Abnpjnem.exe98⤵
PID:2064 -
C:\Windows\SysWOW64\Admlfida.exeC:\Windows\system32\Admlfida.exe99⤵
PID:1720 -
C:\Windows\SysWOW64\Agkhbece.exeC:\Windows\system32\Agkhbece.exe100⤵
PID:2776 -
C:\Windows\SysWOW64\Ajidnp32.exeC:\Windows\system32\Ajidnp32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Anepooja.exeC:\Windows\system32\Anepooja.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Aqcmkjje.exeC:\Windows\system32\Aqcmkjje.exe103⤵
PID:944 -
C:\Windows\SysWOW64\Acbigfii.exeC:\Windows\system32\Acbigfii.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Agmehd32.exeC:\Windows\system32\Agmehd32.exe105⤵
PID:340 -
C:\Windows\SysWOW64\Akiahcik.exeC:\Windows\system32\Akiahcik.exe106⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Angmdoho.exeC:\Windows\system32\Angmdoho.exe107⤵
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Windows\SysWOW64\Aqfiqjgb.exeC:\Windows\system32\Aqfiqjgb.exe108⤵
PID:980 -
C:\Windows\SysWOW64\Acdemegf.exeC:\Windows\system32\Acdemegf.exe109⤵
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Ajnnipnc.exeC:\Windows\system32\Ajnnipnc.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:532 -
C:\Windows\SysWOW64\Bqhffj32.exeC:\Windows\system32\Bqhffj32.exe111⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Bcfbbe32.exeC:\Windows\system32\Bcfbbe32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2692 -
C:\Windows\SysWOW64\Bgbncdmm.exeC:\Windows\system32\Bgbncdmm.exe113⤵
PID:2824 -
C:\Windows\SysWOW64\Bfeonq32.exeC:\Windows\system32\Bfeonq32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Bickkl32.exeC:\Windows\system32\Bickkl32.exe115⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Bqjcli32.exeC:\Windows\system32\Bqjcli32.exe116⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Bomcgfjh.exeC:\Windows\system32\Bomcgfjh.exe117⤵
PID:1060 -
C:\Windows\SysWOW64\Bblocaik.exeC:\Windows\system32\Bblocaik.exe118⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Bjcgdojn.exeC:\Windows\system32\Bjcgdojn.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Bmacqj32.exeC:\Windows\system32\Bmacqj32.exe120⤵
PID:2500 -
C:\Windows\SysWOW64\Bcklmdqn.exeC:\Windows\system32\Bcklmdqn.exe121⤵
PID:2952 -
C:\Windows\SysWOW64\Bbnlia32.exeC:\Windows\system32\Bbnlia32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2268 -