Analysis
max time kernel: 53s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 02-09-2024 10:31

Static task: static1
Behavioral task: behavioral1
  Sample: 1bc27329f93d7543613c1cc1045403f0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 1bc27329f93d7543613c1cc1045403f0N.exe
  Resource: win10v2004-20240802-en

General
Target: 1bc27329f93d7543613c1cc1045403f0N.exe
Size: 256KB
MD5: 1bc27329f93d7543613c1cc1045403f0
SHA1: c3568ec6cb23000cfb9cdc3e294241e8a058de03
SHA256: 6cd689367e1fc43bd820ade12e9153ed26ad293c67e759574c91f90c578ff931
SHA512: c6bbdf4b9c7b656aef44aba29a23152e0cb18dd02b94f53a73a117ecb19145fae855cb355c4df7ebc8ec2726b19bd1141c6fe70c5343b022e515fff778c36e56
SSDEEP: 6144:TcC+UEstRLti4rQD85k/hQO+zrWnAdqjeOpKfduBU:FEsfLdrQg5W/+zrWAI5KFuU
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 7596, pid_target: 7508, Process: WerFault.exe, procid_target: 782
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\1bc27329f93d7543613c1cc1045403f0N.exe (PID:1432), command line: "C:\Users\Admin\AppData\Local\Temp\1bc27329f93d7543613c1cc1045403f0N.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Jgpbfh32.exe (PID:2604), command line: C:\Windows\system32\Jgpbfh32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Jaffca32.exe (PID:2192), command line: C:\Windows\system32\Jaffca32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Kjakhcne.exe (PID:2872), command line: C:\Windows\system32\Kjakhcne.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kgelahmn.exe (PID:2788), command line: C:\Windows\system32\Kgelahmn.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Knodnb32.exe (PID:2792), command line: C:\Windows\system32\Knodnb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kfjibdbf.exe (PID:2684), command line: C:\Windows\system32\Kfjibdbf.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Knaqcabh.exe (PID:2388), command line: C:\Windows\system32\Knaqcabh.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Khkadoog.exe (PID:1648), command line: C:\Windows\system32\Khkadoog.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Kpbiempj.exe (PID:2560), command line: C:\Windows\system32\Kpbiempj.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Lfaocc32.exe (PID:1644), command line: C:\Windows\system32\Lfaocc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Llkgpmck.exe (PID:2316), command line: C:\Windows\system32\Llkgpmck.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Lgehpk32.exe (PID:2444), command line: C:\Windows\system32\Lgehpk32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Lolpah32.exe (PID:524), command line: C:\Windows\system32\Lolpah32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Lgiakjld.exe (PID:2892), command line: C:\Windows\system32\Lgiakjld.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Lmfjcajl.exe (PID:1748), command line: C:\Windows\system32\Lmfjcajl.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mmifiahi.exe (PID:1448), command line: C:\Windows\system32\Mmifiahi.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
18. C:\Windows\SysWOW64\Mmkcoq32.exe (PID:2880), command line: C:\Windows\system32\Mmkcoq32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
19. C:\Windows\SysWOW64\Mpipkl32.exe (PID:796), command line: C:\Windows\system32\Mpipkl32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Mjodhe32.exe (PID:1944), command line: C:\Windows\system32\Mjodhe32.exe
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Mffdmfjd.exe (PID:1248), command line: C:\Windows\system32\Mffdmfjd.exe
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Mmpmjpba.exe (PID:2544), command line: C:\Windows\system32\Mmpmjpba.exe
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Mfhabe32.exe (PID:2036), command line: C:\Windows\system32\Mfhabe32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
24. C:\Windows\SysWOW64\Mginjnnp.exe (PID:1444), command line: C:\Windows\system32\Mginjnnp.exe
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Mbobgfnf.exe (PID:1200), command line: C:\Windows\system32\Mbobgfnf.exe
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Niijdq32.exe (PID:2952), command line: C:\Windows\system32\Niijdq32.exe
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Nnfbmgcj.exe (PID:2084), command line: C:\Windows\system32\Nnfbmgcj.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Nadoiccn.exe (PID:2828), command line: C:\Windows\system32\Nadoiccn.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Nhngem32.exe (PID:2656), command line: C:\Windows\system32\Nhngem32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Nnhobgag.exe (PID:592), command line: C:\Windows\system32\Nnhobgag.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Nmmlccfp.exe (PID:2064), command line: C:\Windows\system32\Nmmlccfp.exe
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Ndgdpn32.exe (PID:2396), command line: C:\Windows\system32\Ndgdpn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Njammhei.exe (PID:3000), command line: C:\Windows\system32\Njammhei.exe
   - Executes dropped EXE
   - Modifies registry class
34. C:\Windows\SysWOW64\Nmpiicdm.exe (PID:2976), command line: C:\Windows\system32\Nmpiicdm.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
35. C:\Windows\SysWOW64\Ndiaem32.exe (PID:1252), command line: C:\Windows\system32\Ndiaem32.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Nblaajbd.exe (PID:1132), command line: C:\Windows\system32\Nblaajbd.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Nifjnd32.exe (PID:1660), command line: C:\Windows\system32\Nifjnd32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Nlefjpid.exe (PID:2596), command line: C:\Windows\system32\Nlefjpid.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Oppbjn32.exe (PID:1220), command line: C:\Windows\system32\Oppbjn32.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Ofjjghik.exe (PID:1984), command line: C:\Windows\system32\Ofjjghik.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Omdbdb32.exe (PID:1528), command line: C:\Windows\system32\Omdbdb32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
42. C:\Windows\SysWOW64\Ooeolkff.exe (PID:1324), command line: C:\Windows\system32\Ooeolkff.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Oepghe32.exe (PID:1896), command line: C:\Windows\system32\Oepghe32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
44. C:\Windows\SysWOW64\Ohncdp32.exe (PID:2312), command line: C:\Windows\system32\Ohncdp32.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Oohlaj32.exe (PID:952), command line: C:\Windows\system32\Oohlaj32.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Obcgaill.exe (PID:2592), command line: C:\Windows\system32\Obcgaill.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Oebdndlp.exe (PID:2616), command line: C:\Windows\system32\Oebdndlp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Ohppjpkc.exe (PID:448), command line: C:\Windows\system32\Ohppjpkc.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Okolfkjg.exe (PID:2968), command line: C:\Windows\system32\Okolfkjg.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Oahdce32.exe (PID:2680), command line: C:\Windows\system32\Oahdce32.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Oedqcdim.exe (PID:2724), command line: C:\Windows\system32\Oedqcdim.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Olnipn32.exe (PID:2424), command line: C:\Windows\system32\Olnipn32.exe
   - Executes dropped EXE
   - Modifies registry class
53. C:\Windows\SysWOW64\Okailkhd.exe (PID:944), command line: C:\Windows\system32\Okailkhd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Omoehf32.exe (PID:2572), command line: C:\Windows\system32\Omoehf32.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Oefmid32.exe (PID:3024), command line: C:\Windows\system32\Oefmid32.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Oheieo32.exe (PID:3040), command line: C:\Windows\system32\Oheieo32.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Pkcfak32.exe (PID:2884), command line: C:\Windows\system32\Pkcfak32.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Pmabmf32.exe (PID:1796), command line: C:\Windows\system32\Pmabmf32.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Pdljjplb.exe (PID:2632), command line: C:\Windows\system32\Pdljjplb.exe
   - Executes dropped EXE
   - Drops file in System32 directory
60. C:\Windows\SysWOW64\Phgfko32.exe (PID:832), command line: C:\Windows\system32\Phgfko32.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Pihbbgjj.exe (PID:1224), command line: C:\Windows\system32\Pihbbgjj.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Pmdocf32.exe (PID:2184), command line: C:\Windows\system32\Pmdocf32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
63. C:\Windows\SysWOW64\Ppbkoabf.exe (PID:984), command line: C:\Windows\system32\Ppbkoabf.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Pdngpp32.exe (PID:1264), command line: C:\Windows\system32\Pdngpp32.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Pglclk32.exe (PID:1472), command line: C:\Windows\system32\Pglclk32.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Pnfkheap.exe (PID:1668), command line: C:\Windows\system32\Pnfkheap.exe
   - System Location Discovery: System Language Discovery
67. C:\Windows\SysWOW64\Pdpcep32.exe (PID:2484), command line: C:\Windows\system32\Pdpcep32.exe
   - System Location Discovery: System Language Discovery
68. C:\Windows\SysWOW64\Peapmhnk.exe (PID:2936), command line: C:\Windows\system32\Peapmhnk.exe
69. C:\Windows\SysWOW64\Pnihneon.exe (PID:2700), command line: C:\Windows\system32\Pnihneon.exe
70. C:\Windows\SysWOW64\Pllhib32.exe (PID:2840), command line: C:\Windows\system32\Pllhib32.exe
71. C:\Windows\SysWOW64\Pceqfl32.exe (PID:3036), command line: C:\Windows\system32\Pceqfl32.exe
   - Drops file in System32 directory
72. C:\Windows\SysWOW64\Pgamgken.exe (PID:1588), command line: C:\Windows\system32\Pgamgken.exe
73. C:\Windows\SysWOW64\Pjpicfdb.exe (PID:1348), command line: C:\Windows\system32\Pjpicfdb.exe
   - Modifies registry class
74. C:\Windows\SysWOW64\Plneoace.exe (PID:2028), command line: C:\Windows\system32\Plneoace.exe
75. C:\Windows\SysWOW64\Polakmbi.exe (PID:2112), command line: C:\Windows\system32\Polakmbi.exe
76. C:\Windows\SysWOW64\Qakmghbm.exe (PID:632), command line: C:\Windows\system32\Qakmghbm.exe
77. C:\Windows\SysWOW64\Qhdfdb32.exe (PID:2152), command line: C:\Windows\system32\Qhdfdb32.exe
78. C:\Windows\SysWOW64\Qlpadaac.exe (PID:2156), command line: C:\Windows\system32\Qlpadaac.exe
79. C:\Windows\SysWOW64\Qcjjakip.exe (PID:476), command line: C:\Windows\system32\Qcjjakip.exe
80. C:\Windows\SysWOW64\Qamjmh32.exe (PID:2916), command line: C:\Windows\system32\Qamjmh32.exe
81. C:\Windows\SysWOW64\Qlbnja32.exe (PID:1060), command line: C:\Windows\system32\Qlbnja32.exe
82. C:\Windows\SysWOW64\Qkeofnfk.exe (PID:2240), command line: C:\Windows\system32\Qkeofnfk.exe
83. C:\Windows\SysWOW64\Aoakfl32.exe (PID:1552), command line: C:\Windows\system32\Aoakfl32.exe
84. C:\Windows\SysWOW64\Aaogbh32.exe (PID:2744), command line: C:\Windows\system32\Aaogbh32.exe
85. C:\Windows\SysWOW64\Adncoc32.exe (PID:2808), command line: C:\Windows\system32\Adncoc32.exe
86. C:\Windows\SysWOW64\Agloko32.exe (PID:2944), command line: C:\Windows\system32\Agloko32.exe
87. C:\Windows\SysWOW64\Anfggicl.exe (PID:768), command line: C:\Windows\system32\Anfggicl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
88. C:\Windows\SysWOW64\Aqddcdbo.exe (PID:1076), command line: C:\Windows\system32\Aqddcdbo.exe
89. C:\Windows\SysWOW64\Ahllda32.exe (PID:2400), command line: C:\Windows\system32\Ahllda32.exe
90. C:\Windows\SysWOW64\Akjham32.exe (PID:3044), command line: C:\Windows\system32\Akjham32.exe
91. C:\Windows\SysWOW64\Abdpngjb.exe (PID:2624), command line: C:\Windows\system32\Abdpngjb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
92. C:\Windows\SysWOW64\Aqgqid32.exe (PID:3012), command line: C:\Windows\system32\Aqgqid32.exe
93. C:\Windows\SysWOW64\Adbmjbif.exe (PID:2576), command line: C:\Windows\system32\Adbmjbif.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
94. C:\Windows\SysWOW64\Agaifnhi.exe (PID:624), command line: C:\Windows\system32\Agaifnhi.exe
95. C:\Windows\SysWOW64\Amnanefa.exe (PID:2024), command line: C:\Windows\system32\Amnanefa.exe
96. C:\Windows\SysWOW64\Aqimoc32.exe (PID:1008), command line: C:\Windows\system32\Aqimoc32.exe
97. C:\Windows\SysWOW64\Agcekn32.exe (PID:2452), command line: C:\Windows\system32\Agcekn32.exe
98. C:\Windows\SysWOW64\Ajaagi32.exe (PID:2128), command line: C:\Windows\system32\Ajaagi32.exe
99. C:\Windows\SysWOW64\Aqljdclg.exe (PID:2856), command line: C:\Windows\system32\Aqljdclg.exe
100. C:\Windows\SysWOW64\Acjfpokk.exe (PID:2708), command line: C:\Windows\system32\Acjfpokk.exe
101. C:\Windows\SysWOW64\Agebam32.exe (PID:2896), command line: C:\Windows\system32\Agebam32.exe
102. C:\Windows\SysWOW64\Bjdnmi32.exe (PID:1728), command line: C:\Windows\system32\Bjdnmi32.exe
103. C:\Windows\SysWOW64\Bqngjcje.exe (PID:3068), command line: C:\Windows\system32\Bqngjcje.exe
104. C:\Windows\SysWOW64\Boqgep32.exe (PID:612), command line: C:\Windows\system32\Boqgep32.exe
   - Modifies registry class
105. C:\Windows\SysWOW64\Bfkobj32.exe (PID:2628), command line: C:\Windows\system32\Bfkobj32.exe
106. C:\Windows\SysWOW64\Bjfkbhae.exe (PID:1344), command line: C:\Windows\system32\Bjfkbhae.exe
107. C:\Windows\SysWOW64\Bkghjq32.exe (PID:2416), command line: C:\Windows\system32\Bkghjq32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
108. C:\Windows\SysWOW64\Bbapgknp.exe (PID:1836), command line: C:\Windows\system32\Bbapgknp.exe
109. C:\Windows\SysWOW64\Beplcfmd.exe (PID:1336), command line: C:\Windows\system32\Beplcfmd.exe
110. C:\Windows\SysWOW64\Bkjdpp32.exe (PID:2392), command line: C:\Windows\system32\Bkjdpp32.exe
111. C:\Windows\SysWOW64\Bbdmljln.exe (PID:2660), command line: C:\Windows\system32\Bbdmljln.exe
112. C:\Windows\SysWOW64\Bineidcj.exe (PID:2672), command line: C:\Windows\system32\Bineidcj.exe
113. C:\Windows\SysWOW64\Bgqeea32.exe (PID:2436), command line: C:\Windows\system32\Bgqeea32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
114. C:\Windows\SysWOW64\Bphmfo32.exe (PID:2748), command line: C:\Windows\system32\Bphmfo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
115. C:\Windows\SysWOW64\Bbfibj32.exe (PID:3056), command line: C:\Windows\system32\Bbfibj32.exe
116. C:\Windows\SysWOW64\Bedene32.exe (PID:2000), command line: C:\Windows\system32\Bedene32.exe
117. C:\Windows\SysWOW64\Bipaodah.exe (PID:1128), command line: C:\Windows\system32\Bipaodah.exe
118. C:\Windows\SysWOW64\Bkonkpqk.exe (PID:548), command line: C:\Windows\system32\Bkonkpqk.exe
119. C:\Windows\SysWOW64\Bjanfl32.exe (PID:2272), command line: C:\Windows\system32\Bjanfl32.exe
120. C:\Windows\SysWOW64\Bbhfgj32.exe (PID:1500), command line: C:\Windows\system32\Bbhfgj32.exe
121. C:\Windows\SysWOW64\Cakfcfoc.exe (PID:2860), command line: C:\Windows\system32\Cakfcfoc.exe
122. C:\Windows\SysWOW64\Cgeopqfp.exe (PID:948), command line: C:\Windows\system32\Cgeopqfp.exe
   - Drops file in System32 directory