Analysis
-
max time kernel
119s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
02/09/2024, 06:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
383c8f7ea007e40eb7e2c93b9abd0f90N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
383c8f7ea007e40eb7e2c93b9abd0f90N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
383c8f7ea007e40eb7e2c93b9abd0f90N.exe
-
Size
52KB
-
MD5
383c8f7ea007e40eb7e2c93b9abd0f90
-
SHA1
dd65066400cfdee5dc07c336242e6080687b0105
-
SHA256
db6a4272cd5c5270c8eb755ed2f422ff409da7a8fa85871f0953331953440332
-
SHA512
9ef92fbf6fac15909be79f6e3aa0d10424c1b8fdd0154a04df69b8aa167cb92de8bdde15b835feef065217fd757265d894787bdba6772c38e3beb053ec1a042d
-
SSDEEP
768:DtVguoLhfdykG1F+9nNe8jK7dZ6qRtQ/E/l4TvVzDv72BH/1H57:DUzyQjKRZBRtQ/E/ITWt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmegaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnklol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoimmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iohiafag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feklja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maplcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdoblckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olfkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmpkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koacjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahnjefcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coghfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmgeedno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nonqca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpdnjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqleqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oicfpkci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bplofekp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjpipkgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oohoeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehechn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcggjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efolib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Colgpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkcoee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjcflkdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcfmacce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akdjfmed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbhecjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddoiei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddbegmqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhkha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgogfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkookd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eopbooqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diifph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcfmacce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiabbicf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmobpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idojon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfliqmjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekobn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibdff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenppk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljmmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coghfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elmmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdbmkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdibapb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lddjmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obniel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngmoao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aecdpmbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elpnmhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgienc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmqjoljn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iifphj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdjaeei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndoenlcf.exe -
Executes dropped EXE 64 IoCs
pid Process 2192 Eponmmaj.exe 1144 Eelfedpa.exe 2768 Flhkhnel.exe 2836 Feppqc32.exe 2928 Fagqed32.exe 2740 Faimkd32.exe 1228 Fkbadifn.exe 1396 Fgibijkb.exe 2948 Gdmcbojl.exe 2680 Gdophn32.exe 1720 Gilhpe32.exe 2964 Gebiefle.exe 1988 Gcfioj32.exe 2448 Ghcbga32.exe 2424 Hkdkhl32.exe 1632 Hhhkbqea.exe 2824 Hqcpfcbl.exe 2180 Hqemlbqi.exe 2444 Hmlmacfn.exe 1780 Hgbanlfc.exe 1964 Hqjfgb32.exe 1292 Ijbjpg32.exe 1860 Ifikehii.exe 2132 Icmlnmgb.exe 2280 Iodlcnmf.exe 1508 Ifndph32.exe 1100 Igoagpja.exe 1688 Iniidj32.exe 2508 Ijpjik32.exe 1608 Jeenfd32.exe 2848 Jfigdl32.exe 2812 Jmcpqfba.exe 2672 Jgidnobg.exe 2660 Jpdibapb.exe 1784 Kmjfae32.exe 2220 Kbgnil32.exe 1072 Kehgkgha.exe 2520 Kjdpcnfi.exe 2956 Khhpmbeb.exe 1568 Kdoaackf.exe 1620 Koeeoljm.exe 2436 Lgpjcnhh.exe 888 Lddjmb32.exe 2464 Lgdcom32.exe 2092 Lophcpam.exe 692 Lejppj32.exe 1548 Lldhldpg.exe 2412 Lelmei32.exe 1616 Majdkifd.exe 2536 Mckpba32.exe 1504 Mjeholco.exe 2708 Mdkmld32.exe 1724 Nflidmic.exe 2308 Nqamaeii.exe 2736 Nfnfjmgp.exe 2884 Nogjbbma.exe 1660 Nfqbol32.exe 2628 Nkmkgc32.exe 2488 Nfcoel32.exe 2196 Nokdnail.exe 2404 Nbjpjm32.exe 768 Nonqca32.exe 2372 Oifelfni.exe 2416 Obniel32.exe -
Loads dropped DLL 64 IoCs
pid Process 2564 383c8f7ea007e40eb7e2c93b9abd0f90N.exe 2564 383c8f7ea007e40eb7e2c93b9abd0f90N.exe 2192 Eponmmaj.exe 2192 Eponmmaj.exe 1144 Eelfedpa.exe 1144 Eelfedpa.exe 2768 Flhkhnel.exe 2768 Flhkhnel.exe 2836 Feppqc32.exe 2836 Feppqc32.exe 2928 Fagqed32.exe 2928 Fagqed32.exe 2740 Faimkd32.exe 2740 Faimkd32.exe 1228 Fkbadifn.exe 1228 Fkbadifn.exe 1396 Fgibijkb.exe 1396 Fgibijkb.exe 2948 Gdmcbojl.exe 2948 Gdmcbojl.exe 2680 Gdophn32.exe 2680 Gdophn32.exe 1720 Gilhpe32.exe 1720 Gilhpe32.exe 2964 Gebiefle.exe 2964 Gebiefle.exe 1988 Gcfioj32.exe 1988 Gcfioj32.exe 2448 Ghcbga32.exe 2448 Ghcbga32.exe 2424 Hkdkhl32.exe 2424 Hkdkhl32.exe 1632 Hhhkbqea.exe 1632 Hhhkbqea.exe 2824 Hqcpfcbl.exe 2824 Hqcpfcbl.exe 2180 Hqemlbqi.exe 2180 Hqemlbqi.exe 2444 Hmlmacfn.exe 2444 Hmlmacfn.exe 1780 Hgbanlfc.exe 1780 Hgbanlfc.exe 1964 Hqjfgb32.exe 1964 Hqjfgb32.exe 1292 Ijbjpg32.exe 1292 Ijbjpg32.exe 1860 Ifikehii.exe 1860 Ifikehii.exe 2132 Icmlnmgb.exe 2132 Icmlnmgb.exe 2280 Iodlcnmf.exe 2280 Iodlcnmf.exe 1508 Ifndph32.exe 1508 Ifndph32.exe 1100 Igoagpja.exe 1100 Igoagpja.exe 1688 Iniidj32.exe 1688 Iniidj32.exe 2508 Ijpjik32.exe 2508 Ijpjik32.exe 1608 Jeenfd32.exe 1608 Jeenfd32.exe 2848 Jfigdl32.exe 2848 Jfigdl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hkdkhl32.exe Ghcbga32.exe File opened for modification C:\Windows\SysWOW64\Majdkifd.exe Lelmei32.exe File created C:\Windows\SysWOW64\Kniaap32.exe Jqeqhlii.exe File created C:\Windows\SysWOW64\Bkoepj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Moanpe32.exe Process not Found File created C:\Windows\SysWOW64\Lqnbffkn.exe Ljdjildq.exe File created C:\Windows\SysWOW64\Fjoghlmb.dll Nnpdbg32.exe File created C:\Windows\SysWOW64\Ijdhel32.dll Pnlpmiog.exe File created C:\Windows\SysWOW64\Idblbjen.dll Bgbqlm32.exe File created C:\Windows\SysWOW64\Bjomoo32.exe Bdbdgh32.exe File opened for modification C:\Windows\SysWOW64\Dbaflm32.exe Dldndf32.exe File created C:\Windows\SysWOW64\Fkjdkqcl.exe Fihhch32.exe File created C:\Windows\SysWOW64\Keedfp32.dll Gaffja32.exe File created C:\Windows\SysWOW64\Gfiaemdb.dll Oofbph32.exe File created C:\Windows\SysWOW64\Jkfncn32.exe Jkdanngk.exe File created C:\Windows\SysWOW64\Lddjmb32.exe Lgpjcnhh.exe File created C:\Windows\SysWOW64\Ffemlf32.dll Nqamaeii.exe File created C:\Windows\SysWOW64\Fhojbk32.dll Onejjm32.exe File created C:\Windows\SysWOW64\Ocdohdfc.exe Omjgkjof.exe File created C:\Windows\SysWOW64\Lkbphfab.exe Lfehpobj.exe File created C:\Windows\SysWOW64\Idmqai32.dll Hnhjok32.exe File created C:\Windows\SysWOW64\Nmjknb32.exe Ncafemqk.exe File created C:\Windows\SysWOW64\Hpjghg32.dll Jompim32.exe File created C:\Windows\SysWOW64\Napdpchk.exe Nppgfp32.exe File created C:\Windows\SysWOW64\Dgkike32.exe Dbnpcn32.exe File created C:\Windows\SysWOW64\Dggbeb32.exe Dbjjll32.exe File created C:\Windows\SysWOW64\Moanpe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pndoqf32.exe Process not Found File created C:\Windows\SysWOW64\Kpljhdca.dll Jggiah32.exe File created C:\Windows\SysWOW64\Fakkgpio.dll Kbllfmfc.exe File opened for modification C:\Windows\SysWOW64\Ggofcmih.exe Gjkeii32.exe File created C:\Windows\SysWOW64\Hccbnhla.exe Hhnnpolk.exe File created C:\Windows\SysWOW64\Dgoaoaha.dll Aofhcmig.exe File created C:\Windows\SysWOW64\Fgmaphdg.exe Epamlegl.exe File created C:\Windows\SysWOW64\Kjdpcnfi.exe Kehgkgha.exe File created C:\Windows\SysWOW64\Ljdgqc32.exe Ljakkd32.exe File created C:\Windows\SysWOW64\Opaeok32.exe Ogiqffhl.exe File opened for modification C:\Windows\SysWOW64\Pokkkgpo.exe Pdegnn32.exe File created C:\Windows\SysWOW64\Mcddca32.exe Mmjlfgml.exe File opened for modification C:\Windows\SysWOW64\Bpdgolml.exe Bpajjmon.exe File opened for modification C:\Windows\SysWOW64\Miciqgqn.exe Miqmkh32.exe File opened for modification C:\Windows\SysWOW64\Hhpjfoji.exe Hfanjcke.exe File created C:\Windows\SysWOW64\Fbflfomj.exe Fjkgampo.exe File opened for modification C:\Windows\SysWOW64\Eiabbicf.exe Epimjd32.exe File opened for modification C:\Windows\SysWOW64\Anlkakqa.exe Ahbcda32.exe File created C:\Windows\SysWOW64\Mfdedcim.dll Chkbjc32.exe File created C:\Windows\SysWOW64\Dldndf32.exe Dlbanfbo.exe File created C:\Windows\SysWOW64\Pemnml32.dll Pecikj32.exe File created C:\Windows\SysWOW64\Adhbkj32.exe Qjnajl32.exe File created C:\Windows\SysWOW64\Dkccjcbp.dll Ioibde32.exe File opened for modification C:\Windows\SysWOW64\Appfggjm.exe Qifnjm32.exe File created C:\Windows\SysWOW64\Epjlaj32.dll Epgabhdg.exe File opened for modification C:\Windows\SysWOW64\Dbmnla32.exe Dffmgqcp.exe File created C:\Windows\SysWOW64\Kbllfmfc.exe Khdhmg32.exe File created C:\Windows\SysWOW64\Agkjknji.exe Aejncedk.exe File created C:\Windows\SysWOW64\Mipanmej.dll Onacgf32.exe File created C:\Windows\SysWOW64\Hdkhihdn.exe Hdikch32.exe File opened for modification C:\Windows\SysWOW64\Mideho32.exe Process not Found File created C:\Windows\SysWOW64\Ajlikd32.dll Oaaklmao.exe File created C:\Windows\SysWOW64\Kaanlk32.dll Jojmigpn.exe File opened for modification C:\Windows\SysWOW64\Bfdhdj32.exe Bllcke32.exe File created C:\Windows\SysWOW64\Epegae32.exe Efmchp32.exe File created C:\Windows\SysWOW64\Gakchj32.exe Fahfcjfd.exe File created C:\Windows\SysWOW64\Ifhdlo32.exe Iidccj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3580 2912 Process not Found 1104 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dciekjhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggqamh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkbjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidjml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkahbkgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hioefjfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenaoojo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdegnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obbbbhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehanfgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjnajl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eobenc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahnjefcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iachom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lecfiahe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddbfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dohnfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikmob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpqoofhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccckabef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fknlmggc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippdcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khgnff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belhem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcqoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqqpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhplaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojoalda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnifbaja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfjdmggb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conmkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inciaamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbanfbfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpkckneh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkfnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meaiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmnnblmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdophn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gebiefle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhbbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afngoand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqjceidf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceioka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhodgebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjfmlkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blhifemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekqqea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdfhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlgaedj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhhpeka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leilnllb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acoegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glefpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgcec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhqklcof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coehnecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbgqbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimbbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmmjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hllkhoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmpicbd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajfanjqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnajl32.dll" Dbnpcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpjgekf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaclb32.dll" Bjhgjdjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boppmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceokjimn.dll" Jklbed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhgcd32.dll" Ckjqog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anpgdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgcde32.dll" Ckdlgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmfmc32.dll" Iogkaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihgikml.dll" Mjlgdaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpodedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkdhlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbbgfcf.dll" Nihedodm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcbpfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpfeadne.dll" Ahomlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epamlegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkombae.dll" Hioefjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffobpfeo.dll" Bbpdmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcbaop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfdjbcim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeecibci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diackmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhljnhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dffmgqcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npgknf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjcflkdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aihjpman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikcakg32.dll" Kagkebpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdjqinld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqbpdle.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmdonf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogcaaahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genklp32.dll" Cjnjhcqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfndjil.dll" Dhimaill.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjaejbmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igkdfghj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajindjom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Engnno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnofbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfngdmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbibaaia.dll" Nppceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnfnkmom.dll" Dffmgqcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldingm32.dll" Ijfpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlmacfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaihao32.dll" Gloppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbgjoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goagaded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lijinaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iabjgoga.dll" Aihmhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbgonif.dll" Fidmniqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onognkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goelfn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peakkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnmdmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcddca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didlob32.dll" Ipbcbkmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abpjgekf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqbeapqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpmfoodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pidgnc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2564 wrote to memory of 2192 2564 383c8f7ea007e40eb7e2c93b9abd0f90N.exe 29 PID 2564 wrote to memory of 2192 2564 383c8f7ea007e40eb7e2c93b9abd0f90N.exe 29 PID 2564 wrote to memory of 2192 2564 383c8f7ea007e40eb7e2c93b9abd0f90N.exe 29 PID 2564 wrote to memory of 2192 2564 383c8f7ea007e40eb7e2c93b9abd0f90N.exe 29 PID 2192 wrote to memory of 1144 2192 Eponmmaj.exe 30 PID 2192 wrote to memory of 1144 2192 Eponmmaj.exe 30 PID 2192 wrote to memory of 1144 2192 Eponmmaj.exe 30 PID 2192 wrote to memory of 1144 2192 Eponmmaj.exe 30 PID 1144 wrote to memory of 2768 1144 Eelfedpa.exe 31 PID 1144 wrote to memory of 2768 1144 Eelfedpa.exe 31 PID 1144 wrote to memory of 2768 1144 Eelfedpa.exe 31 PID 1144 wrote to memory of 2768 1144 Eelfedpa.exe 31 PID 2768 wrote to memory of 2836 2768 Flhkhnel.exe 32 PID 2768 wrote to memory of 2836 2768 Flhkhnel.exe 32 PID 2768 wrote to memory of 2836 2768 Flhkhnel.exe 32 PID 2768 wrote to memory of 2836 2768 Flhkhnel.exe 32 PID 2836 wrote to memory of 2928 2836 Feppqc32.exe 33 PID 2836 wrote to memory of 2928 2836 Feppqc32.exe 33 PID 2836 wrote to memory of 2928 2836 Feppqc32.exe 33 PID 2836 wrote to memory of 2928 2836 Feppqc32.exe 33 PID 2928 wrote to memory of 2740 2928 Fagqed32.exe 34 PID 2928 wrote to memory of 2740 2928 Fagqed32.exe 34 PID 2928 wrote to memory of 2740 2928 Fagqed32.exe 34 PID 2928 wrote to memory of 2740 2928 Fagqed32.exe 34 PID 2740 wrote to memory of 1228 2740 Faimkd32.exe 35 PID 2740 wrote to memory of 1228 2740 Faimkd32.exe 35 PID 2740 wrote to memory of 1228 2740 Faimkd32.exe 35 PID 2740 wrote to memory of 1228 2740 Faimkd32.exe 35 PID 1228 wrote to memory of 1396 1228 Fkbadifn.exe 36 PID 1228 wrote to memory of 1396 1228 Fkbadifn.exe 36 PID 1228 wrote to memory of 1396 1228 Fkbadifn.exe 36 PID 1228 wrote to memory of 1396 1228 Fkbadifn.exe 36 PID 1396 wrote to memory of 2948 1396 Fgibijkb.exe 37 PID 1396 wrote to memory of 2948 1396 Fgibijkb.exe 37 PID 1396 wrote to memory of 2948 1396 Fgibijkb.exe 37 PID 1396 wrote to memory of 2948 1396 Fgibijkb.exe 37 PID 2948 wrote to memory of 2680 2948 Gdmcbojl.exe 38 PID 2948 wrote to memory of 2680 2948 Gdmcbojl.exe 38 PID 2948 wrote to memory of 2680 2948 Gdmcbojl.exe 38 PID 2948 wrote to memory of 2680 2948 Gdmcbojl.exe 38 PID 2680 wrote to memory of 1720 2680 Gdophn32.exe 39 PID 2680 wrote to memory of 1720 2680 Gdophn32.exe 39 PID 2680 wrote to memory of 1720 2680 Gdophn32.exe 39 PID 2680 wrote to memory of 1720 2680 Gdophn32.exe 39 PID 1720 wrote to memory of 2964 1720 Gilhpe32.exe 40 PID 1720 wrote to memory of 2964 1720 Gilhpe32.exe 40 PID 1720 wrote to memory of 2964 1720 Gilhpe32.exe 40 PID 1720 wrote to memory of 2964 1720 Gilhpe32.exe 40 PID 2964 wrote to memory of 1988 2964 Gebiefle.exe 41 PID 2964 wrote to memory of 1988 2964 Gebiefle.exe 41 PID 2964 wrote to memory of 1988 2964 Gebiefle.exe 41 PID 2964 wrote to memory of 1988 2964 Gebiefle.exe 41 PID 1988 wrote to memory of 2448 1988 Gcfioj32.exe 42 PID 1988 wrote to memory of 2448 1988 Gcfioj32.exe 42 PID 1988 wrote to memory of 2448 1988 Gcfioj32.exe 42 PID 1988 wrote to memory of 2448 1988 Gcfioj32.exe 42 PID 2448 wrote to memory of 2424 2448 Ghcbga32.exe 43 PID 2448 wrote to memory of 2424 2448 Ghcbga32.exe 43 PID 2448 wrote to memory of 2424 2448 Ghcbga32.exe 43 PID 2448 wrote to memory of 2424 2448 Ghcbga32.exe 43 PID 2424 wrote to memory of 1632 2424 Hkdkhl32.exe 44 PID 2424 wrote to memory of 1632 2424 Hkdkhl32.exe 44 PID 2424 wrote to memory of 1632 2424 Hkdkhl32.exe 44 PID 2424 wrote to memory of 1632 2424 Hkdkhl32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\383c8f7ea007e40eb7e2c93b9abd0f90N.exe"C:\Users\Admin\AppData\Local\Temp\383c8f7ea007e40eb7e2c93b9abd0f90N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Eponmmaj.exeC:\Windows\system32\Eponmmaj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Eelfedpa.exeC:\Windows\system32\Eelfedpa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Flhkhnel.exeC:\Windows\system32\Flhkhnel.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Feppqc32.exeC:\Windows\system32\Feppqc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Fagqed32.exeC:\Windows\system32\Fagqed32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Faimkd32.exeC:\Windows\system32\Faimkd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Fkbadifn.exeC:\Windows\system32\Fkbadifn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Fgibijkb.exeC:\Windows\system32\Fgibijkb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Gdmcbojl.exeC:\Windows\system32\Gdmcbojl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Gdophn32.exeC:\Windows\system32\Gdophn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Gilhpe32.exeC:\Windows\system32\Gilhpe32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Gebiefle.exeC:\Windows\system32\Gebiefle.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Gcfioj32.exeC:\Windows\system32\Gcfioj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Ghcbga32.exeC:\Windows\system32\Ghcbga32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Hkdkhl32.exeC:\Windows\system32\Hkdkhl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Hhhkbqea.exeC:\Windows\system32\Hhhkbqea.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Hqcpfcbl.exeC:\Windows\system32\Hqcpfcbl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Hqemlbqi.exeC:\Windows\system32\Hqemlbqi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Hmlmacfn.exeC:\Windows\system32\Hmlmacfn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Hgbanlfc.exeC:\Windows\system32\Hgbanlfc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Hqjfgb32.exeC:\Windows\system32\Hqjfgb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Ijbjpg32.exeC:\Windows\system32\Ijbjpg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Ifikehii.exeC:\Windows\system32\Ifikehii.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Icmlnmgb.exeC:\Windows\system32\Icmlnmgb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Iodlcnmf.exeC:\Windows\system32\Iodlcnmf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Ifndph32.exeC:\Windows\system32\Ifndph32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Igoagpja.exeC:\Windows\system32\Igoagpja.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Iniidj32.exeC:\Windows\system32\Iniidj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Jeenfd32.exeC:\Windows\system32\Jeenfd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Jfigdl32.exeC:\Windows\system32\Jfigdl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Jmcpqfba.exeC:\Windows\system32\Jmcpqfba.exe33⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Jgidnobg.exeC:\Windows\system32\Jgidnobg.exe34⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Jpdibapb.exeC:\Windows\system32\Jpdibapb.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Kmjfae32.exeC:\Windows\system32\Kmjfae32.exe36⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Kbgnil32.exeC:\Windows\system32\Kbgnil32.exe37⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Kehgkgha.exeC:\Windows\system32\Kehgkgha.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Kjdpcnfi.exeC:\Windows\system32\Kjdpcnfi.exe39⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Khhpmbeb.exeC:\Windows\system32\Khhpmbeb.exe40⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Kdoaackf.exeC:\Windows\system32\Kdoaackf.exe41⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Koeeoljm.exeC:\Windows\system32\Koeeoljm.exe42⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Lgpjcnhh.exeC:\Windows\system32\Lgpjcnhh.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Lddjmb32.exeC:\Windows\system32\Lddjmb32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Lgdcom32.exeC:\Windows\system32\Lgdcom32.exe45⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Lophcpam.exeC:\Windows\system32\Lophcpam.exe46⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Lejppj32.exeC:\Windows\system32\Lejppj32.exe47⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Lldhldpg.exeC:\Windows\system32\Lldhldpg.exe48⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Lelmei32.exeC:\Windows\system32\Lelmei32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Majdkifd.exeC:\Windows\system32\Majdkifd.exe50⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Mckpba32.exeC:\Windows\system32\Mckpba32.exe51⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Mjeholco.exeC:\Windows\system32\Mjeholco.exe52⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Mdkmld32.exeC:\Windows\system32\Mdkmld32.exe53⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Nflidmic.exeC:\Windows\system32\Nflidmic.exe54⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Nqamaeii.exeC:\Windows\system32\Nqamaeii.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Nfnfjmgp.exeC:\Windows\system32\Nfnfjmgp.exe56⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Nogjbbma.exeC:\Windows\system32\Nogjbbma.exe57⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe58⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Nkmkgc32.exeC:\Windows\system32\Nkmkgc32.exe59⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Nfcoel32.exeC:\Windows\system32\Nfcoel32.exe60⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Nokdnail.exeC:\Windows\system32\Nokdnail.exe61⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Nbjpjm32.exeC:\Windows\system32\Nbjpjm32.exe62⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Nonqca32.exeC:\Windows\system32\Nonqca32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Oifelfni.exeC:\Windows\system32\Oifelfni.exe64⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Obniel32.exeC:\Windows\system32\Obniel32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ogkbmcba.exeC:\Windows\system32\Ogkbmcba.exe66⤵PID:1680
-
C:\Windows\SysWOW64\Onejjm32.exeC:\Windows\system32\Onejjm32.exe67⤵
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Oqcffi32.exeC:\Windows\system32\Oqcffi32.exe68⤵PID:680
-
C:\Windows\SysWOW64\Omjgkjof.exeC:\Windows\system32\Omjgkjof.exe69⤵
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Ocdohdfc.exeC:\Windows\system32\Ocdohdfc.exe70⤵PID:1404
-
C:\Windows\SysWOW64\Ojnhdn32.exeC:\Windows\system32\Ojnhdn32.exe71⤵PID:2292
-
C:\Windows\SysWOW64\Opkpme32.exeC:\Windows\system32\Opkpme32.exe72⤵PID:1284
-
C:\Windows\SysWOW64\Picdejbg.exeC:\Windows\system32\Picdejbg.exe73⤵PID:2240
-
C:\Windows\SysWOW64\Pfgeoo32.exeC:\Windows\system32\Pfgeoo32.exe74⤵PID:1672
-
C:\Windows\SysWOW64\Pppihdha.exeC:\Windows\system32\Pppihdha.exe75⤵PID:2756
-
C:\Windows\SysWOW64\Pembpkfi.exeC:\Windows\system32\Pembpkfi.exe76⤵PID:2816
-
C:\Windows\SysWOW64\Ppbfmdfo.exeC:\Windows\system32\Ppbfmdfo.exe77⤵PID:2656
-
C:\Windows\SysWOW64\Pikkfilp.exeC:\Windows\system32\Pikkfilp.exe78⤵PID:2612
-
C:\Windows\SysWOW64\Pngcnpkg.exeC:\Windows\system32\Pngcnpkg.exe79⤵PID:1984
-
C:\Windows\SysWOW64\Peakkj32.exeC:\Windows\system32\Peakkj32.exe80⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Plkchdiq.exeC:\Windows\system32\Plkchdiq.exe81⤵PID:1792
-
C:\Windows\SysWOW64\Qdfhlggl.exeC:\Windows\system32\Qdfhlggl.exe82⤵PID:2004
-
C:\Windows\SysWOW64\Qjqqianh.exeC:\Windows\system32\Qjqqianh.exe83⤵PID:1528
-
C:\Windows\SysWOW64\Qolmip32.exeC:\Windows\system32\Qolmip32.exe84⤵PID:2020
-
C:\Windows\SysWOW64\Qifnjm32.exeC:\Windows\system32\Qifnjm32.exe85⤵
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Appfggjm.exeC:\Windows\system32\Appfggjm.exe86⤵PID:1712
-
C:\Windows\SysWOW64\Aihjpman.exeC:\Windows\system32\Aihjpman.exe87⤵
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Apbblg32.exeC:\Windows\system32\Apbblg32.exe88⤵PID:3056
-
C:\Windows\SysWOW64\Aflkiapg.exeC:\Windows\system32\Aflkiapg.exe89⤵PID:1164
-
C:\Windows\SysWOW64\Alicahno.exeC:\Windows\system32\Alicahno.exe90⤵PID:2232
-
C:\Windows\SysWOW64\Afngoand.exeC:\Windows\system32\Afngoand.exe91⤵
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\Ahpdficc.exeC:\Windows\system32\Ahpdficc.exe92⤵PID:1652
-
C:\Windows\SysWOW64\Aecdpmbm.exeC:\Windows\system32\Aecdpmbm.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Almmlg32.exeC:\Windows\system32\Almmlg32.exe94⤵PID:904
-
C:\Windows\SysWOW64\Aajedn32.exeC:\Windows\system32\Aajedn32.exe95⤵PID:2216
-
C:\Windows\SysWOW64\Bhdmahpn.exeC:\Windows\system32\Bhdmahpn.exe96⤵PID:1252
-
C:\Windows\SysWOW64\Bnafjo32.exeC:\Windows\system32\Bnafjo32.exe97⤵PID:800
-
C:\Windows\SysWOW64\Bhfjgh32.exeC:\Windows\system32\Bhfjgh32.exe98⤵PID:1536
-
C:\Windows\SysWOW64\Boqbcbeh.exeC:\Windows\system32\Boqbcbeh.exe99⤵PID:2396
-
C:\Windows\SysWOW64\Bdmklico.exeC:\Windows\system32\Bdmklico.exe100⤵PID:1812
-
C:\Windows\SysWOW64\Bnfodojp.exeC:\Windows\system32\Bnfodojp.exe101⤵PID:624
-
C:\Windows\SysWOW64\Bgndnd32.exeC:\Windows\system32\Bgndnd32.exe102⤵PID:1668
-
C:\Windows\SysWOW64\Bnhljnhm.exeC:\Windows\system32\Bnhljnhm.exe103⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Bdbdgh32.exeC:\Windows\system32\Bdbdgh32.exe104⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Bjomoo32.exeC:\Windows\system32\Bjomoo32.exe105⤵PID:1600
-
C:\Windows\SysWOW64\Colegflh.exeC:\Windows\system32\Colegflh.exe106⤵PID:3004
-
C:\Windows\SysWOW64\Cfemdp32.exeC:\Windows\system32\Cfemdp32.exe107⤵PID:2892
-
C:\Windows\SysWOW64\Cjcfjoil.exeC:\Windows\system32\Cjcfjoil.exe108⤵PID:1012
-
C:\Windows\SysWOW64\Copobe32.exeC:\Windows\system32\Copobe32.exe109⤵PID:2804
-
C:\Windows\SysWOW64\Cdmgkl32.exeC:\Windows\system32\Cdmgkl32.exe110⤵PID:2056
-
C:\Windows\SysWOW64\Ckgogfmg.exeC:\Windows\system32\Ckgogfmg.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Cbagdq32.exeC:\Windows\system32\Cbagdq32.exe112⤵PID:2524
-
C:\Windows\SysWOW64\Coehnecn.exeC:\Windows\system32\Coehnecn.exe113⤵
- System Location Discovery: System Language Discovery
PID:276 -
C:\Windows\SysWOW64\Cbcdjpba.exeC:\Windows\system32\Cbcdjpba.exe114⤵PID:2316
-
C:\Windows\SysWOW64\Dklibf32.exeC:\Windows\system32\Dklibf32.exe115⤵PID:3068
-
C:\Windows\SysWOW64\Dbfaopqo.exeC:\Windows\system32\Dbfaopqo.exe116⤵PID:1856
-
C:\Windows\SysWOW64\Dgbiggof.exeC:\Windows\system32\Dgbiggof.exe117⤵PID:2720
-
C:\Windows\SysWOW64\Dmobpn32.exeC:\Windows\system32\Dmobpn32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Dcijmhdj.exeC:\Windows\system32\Dcijmhdj.exe119⤵PID:1716
-
C:\Windows\SysWOW64\Djcbib32.exeC:\Windows\system32\Djcbib32.exe120⤵PID:2728
-
C:\Windows\SysWOW64\Dggcbf32.exeC:\Windows\system32\Dggcbf32.exe121⤵PID:3064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-