Analysis
-
max time kernel
106s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-09-2024 23:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d83c60753fe252b5dd7f76347d33e5f0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d83c60753fe252b5dd7f76347d33e5f0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d83c60753fe252b5dd7f76347d33e5f0N.exe
-
Size
483KB
-
MD5
d83c60753fe252b5dd7f76347d33e5f0
-
SHA1
6098166e11be76eaf96e312441c924d81a69f445
-
SHA256
c8ffaec07f7f8938e4ee076fe6027e0a75c124246c3ad4b3952405c8dc4930ce
-
SHA512
98f5dbcb08f33b5b0708ab37f520cc3bbcce32c566f636523c392fbd1fb86358cc921826147f158fbf0b599ac39a7c94ef16b37d84e78d2b4ee63c1fb5913c65
-
SSDEEP
6144:YrFDWG9KtFy5v1k3RMZebBDRMZebBGzxUur/THL1k3RMZebBvG0NPhGcRPTDpL1/:UFDWjtY5vARM0RM/3ARMSG0dhvARMoHG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmohjooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfdfdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjgqcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahljg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfebdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aakhkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okijhmcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdadadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahljg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbpahan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad d83c60753fe252b5dd7f76347d33e5f0N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabplobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbcddlnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lckflc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngqeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cedpdpdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapjdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajhpgag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkebolm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdqifajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnopj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noagjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Honiikpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Honiikpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iilceh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhebhipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noepdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjbghkfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflmpebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmecbkgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbfnchfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciepkajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cniajdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbmmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnflnfbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmkiobge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqbbhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpanne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeenapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhaooec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhcicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pigklmqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miaaki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idmnga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geinjapb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcbfnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pflbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbmnea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagjqbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nebnigmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjddaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgdciiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmcfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elndpnnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfalg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffghjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmnmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iijfoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikgda32.exe -
Executes dropped EXE 64 IoCs
pid Process 908 Mpikik32.exe 2760 Maldfbjn.exe 2104 Naegmabc.exe 2768 Nggipg32.exe 3004 Njhbabif.exe 1192 Pflbpg32.exe 1632 Ppgcol32.exe 2932 Qblfkgqb.exe 564 Qbobaf32.exe 3020 Ablbjj32.exe 2356 Abnopj32.exe 604 Bdfahaaa.exe 1476 Cncolfcl.exe 1728 Dbmkfh32.exe 2140 Ddbmcb32.exe 2168 Epqgopbi.exe 1308 Ecnpdnho.exe 2888 Fbhfajia.exe 1532 Fnogfk32.exe 1376 Fdnlcakk.exe 1948 Fmfalg32.exe 2376 Gfabkl32.exe 2392 Golgon32.exe 1016 Goocenaa.exe 2380 Gkhaooec.exe 1604 Hipkfkgh.exe 2732 Hchoop32.exe 2924 Hjddaj32.exe 2584 Iocioq32.exe 2500 Ioefdpne.exe 2136 Idekbgji.exe 1656 Ihbdhepp.exe 2144 Jqpebg32.exe 1920 Jqbbhg32.exe 2132 Jibpghbk.exe 548 Kffqqm32.exe 1048 Kkefoc32.exe 1180 Klhbdclg.exe 1280 Lhapocoi.exe 1692 Lbmnea32.exe 1484 Lpanne32.exe 2244 Mbdcepcm.exe 616 Mhcicf32.exe 360 Mpqjmh32.exe 784 Mmdkfmjc.exe 1528 Nmggllha.exe 2100 Nphpng32.exe 1560 Nloachkf.exe 2236 Nhebhipj.exe 2720 Ogmkne32.exe 2796 Oabplobe.exe 2524 Oqgmmk32.exe 2448 Onkmfofg.exe 2428 Oqlfhjch.exe 924 Pigklmqc.exe 2456 Pmecbkgj.exe 2028 Pfnhkq32.exe 1496 Pkjqcg32.exe 2080 Pecelm32.exe 2040 Pkojoghl.exe 932 Qjdgpcmd.exe 1040 Qpaohjkk.exe 2892 Apclnj32.exe 1536 Amglgn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2656 d83c60753fe252b5dd7f76347d33e5f0N.exe 2656 d83c60753fe252b5dd7f76347d33e5f0N.exe 908 Mpikik32.exe 908 Mpikik32.exe 2760 Maldfbjn.exe 2760 Maldfbjn.exe 2104 Naegmabc.exe 2104 Naegmabc.exe 2768 Nggipg32.exe 2768 Nggipg32.exe 3004 Njhbabif.exe 3004 Njhbabif.exe 1192 Pflbpg32.exe 1192 Pflbpg32.exe 1632 Ppgcol32.exe 1632 Ppgcol32.exe 2932 Qblfkgqb.exe 2932 Qblfkgqb.exe 564 Qbobaf32.exe 564 Qbobaf32.exe 3020 Ablbjj32.exe 3020 Ablbjj32.exe 2356 Abnopj32.exe 2356 Abnopj32.exe 604 Bdfahaaa.exe 604 Bdfahaaa.exe 1476 Cncolfcl.exe 1476 Cncolfcl.exe 1728 Dbmkfh32.exe 1728 Dbmkfh32.exe 2140 Ddbmcb32.exe 2140 Ddbmcb32.exe 2168 Epqgopbi.exe 2168 Epqgopbi.exe 1308 Ecnpdnho.exe 1308 Ecnpdnho.exe 2888 Fbhfajia.exe 2888 Fbhfajia.exe 1532 Fnogfk32.exe 1532 Fnogfk32.exe 1376 Fdnlcakk.exe 1376 Fdnlcakk.exe 1948 Fmfalg32.exe 1948 Fmfalg32.exe 2376 Gfabkl32.exe 2376 Gfabkl32.exe 2392 Golgon32.exe 2392 Golgon32.exe 1016 Goocenaa.exe 1016 Goocenaa.exe 2380 Gkhaooec.exe 2380 Gkhaooec.exe 1604 Hipkfkgh.exe 1604 Hipkfkgh.exe 2732 Hchoop32.exe 2732 Hchoop32.exe 2924 Hjddaj32.exe 2924 Hjddaj32.exe 2584 Iocioq32.exe 2584 Iocioq32.exe 2500 Ioefdpne.exe 2500 Ioefdpne.exe 2136 Idekbgji.exe 2136 Idekbgji.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Goocenaa.exe Golgon32.exe File created C:\Windows\SysWOW64\Oqgmmk32.exe Oabplobe.exe File opened for modification C:\Windows\SysWOW64\Bpjnmlel.exe Bbfnchfb.exe File created C:\Windows\SysWOW64\Ekkcanhb.dll Kjhopjqi.exe File created C:\Windows\SysWOW64\Jhnlnf32.dll Lajmkhai.exe File created C:\Windows\SysWOW64\Bikfklni.exe Biiiempl.exe File opened for modification C:\Windows\SysWOW64\Cpejfjha.exe Ckhbnb32.exe File opened for modification C:\Windows\SysWOW64\Nloachkf.exe Nphpng32.exe File opened for modification C:\Windows\SysWOW64\Bkkioeig.exe Bacefpbg.exe File created C:\Windows\SysWOW64\Pmnonj32.dll Cagjqbam.exe File opened for modification C:\Windows\SysWOW64\Lpddgd32.exe Lcncbc32.exe File created C:\Windows\SysWOW64\Dfbjll32.dll Effhic32.exe File opened for modification C:\Windows\SysWOW64\Kkhdml32.exe Kdlpkb32.exe File opened for modification C:\Windows\SysWOW64\Mpikik32.exe d83c60753fe252b5dd7f76347d33e5f0N.exe File opened for modification C:\Windows\SysWOW64\Iocioq32.exe Hjddaj32.exe File created C:\Windows\SysWOW64\Ciepkajj.exe Bpmkbl32.exe File created C:\Windows\SysWOW64\Gabmfl32.dll Dhleaq32.exe File created C:\Windows\SysWOW64\Olbfgj32.dll Hndoifdp.exe File created C:\Windows\SysWOW64\Omefae32.dll Mpalfabn.exe File opened for modification C:\Windows\SysWOW64\Cncolfcl.exe Bdfahaaa.exe File opened for modification C:\Windows\SysWOW64\Fmfalg32.exe Fdnlcakk.exe File created C:\Windows\SysWOW64\Dhkqcl32.dll Pkjqcg32.exe File created C:\Windows\SysWOW64\Hgcmgfgc.dll Fppmcmah.exe File created C:\Windows\SysWOW64\Agacff32.dll Poibmdmh.exe File opened for modification C:\Windows\SysWOW64\Ablbjj32.exe Qbobaf32.exe File created C:\Windows\SysWOW64\Mlnbgj32.dll Fdnlcakk.exe File opened for modification C:\Windows\SysWOW64\Lbmnea32.exe Lhapocoi.exe File created C:\Windows\SysWOW64\Lpanne32.exe Lbmnea32.exe File created C:\Windows\SysWOW64\Mpqjmh32.exe Mhcicf32.exe File created C:\Windows\SysWOW64\Heobhfnp.dll Oqlfhjch.exe File created C:\Windows\SysWOW64\Nejfepch.dll Iijfoh32.exe File created C:\Windows\SysWOW64\Boghbgla.dll Nokcbm32.exe File created C:\Windows\SysWOW64\Igbqdlea.exe Iecdji32.exe File created C:\Windows\SysWOW64\Lckflc32.exe Ljcbcngi.exe File created C:\Windows\SysWOW64\Nbbegl32.exe Mjgqcj32.exe File created C:\Windows\SysWOW64\Pohoplja.dll Amglgn32.exe File created C:\Windows\SysWOW64\Pgcacc32.dll Miaaki32.exe File created C:\Windows\SysWOW64\Dpgdad32.dll Jcdmbk32.exe File created C:\Windows\SysWOW64\Bgjond32.dll Dbmkfh32.exe File opened for modification C:\Windows\SysWOW64\Kffqqm32.exe Jibpghbk.exe File created C:\Windows\SysWOW64\Dfpfke32.exe Dhleaq32.exe File opened for modification C:\Windows\SysWOW64\Gdflgo32.exe Gjngoj32.exe File created C:\Windows\SysWOW64\Ckhbnb32.exe Ckfeic32.exe File opened for modification C:\Windows\SysWOW64\Bdfahaaa.exe Abnopj32.exe File created C:\Windows\SysWOW64\Kkefoc32.exe Kffqqm32.exe File opened for modification C:\Windows\SysWOW64\Ajcldpkd.exe Aakhkj32.exe File created C:\Windows\SysWOW64\Lkjlbg32.dll Kfdfdf32.exe File created C:\Windows\SysWOW64\Kkhdml32.exe Kdlpkb32.exe File opened for modification C:\Windows\SysWOW64\Mjddnjdf.exe Mjbghkfi.exe File created C:\Windows\SysWOW64\Kkaolm32.exe Kfdfdf32.exe File opened for modification C:\Windows\SysWOW64\Dfpfke32.exe Dhleaq32.exe File created C:\Windows\SysWOW64\Dfbbpd32.exe Dfpfke32.exe File created C:\Windows\SysWOW64\Pmidlkkk.dll Fjqhef32.exe File opened for modification C:\Windows\SysWOW64\Jqhdfe32.exe Jdadadkl.exe File opened for modification C:\Windows\SysWOW64\Kfgjdlme.exe Jqhdfe32.exe File created C:\Windows\SysWOW64\Bbiboe32.dll Eqnillbb.exe File created C:\Windows\SysWOW64\Iainddpg.exe Imkeneja.exe File created C:\Windows\SysWOW64\Hbhagiem.exe Hmkiobge.exe File created C:\Windows\SysWOW64\Hhchpk32.dll Njhbabif.exe File opened for modification C:\Windows\SysWOW64\Gkhaooec.exe Goocenaa.exe File created C:\Windows\SysWOW64\Pkjqcg32.exe Pfnhkq32.exe File opened for modification C:\Windows\SysWOW64\Apclnj32.exe Qpaohjkk.exe File created C:\Windows\SysWOW64\Hdnjobjf.dll Dkeahf32.exe File created C:\Windows\SysWOW64\Ejdaoa32.exe Effhic32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3496 3452 WerFault.exe 268 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmcfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkelme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjffbhnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fppmcmah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljcbcngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnlcakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqpebg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejglo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hilgfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kheofahm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgpff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiiempl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafkookd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaddid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdmbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naegmabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjdgpcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddobpbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elndpnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpalfabn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflmpebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecdji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efeoedjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpqjfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgbcofn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oojfnakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffqqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pigklmqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpaohjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciglaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mddibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghmnmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldcagaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipqpplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neghdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjddaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqbbhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdgefn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idmnga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqnillbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maldfbjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchoop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmggllha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpfke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhdfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iainddpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocqhcqgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikfklni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgcol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbdhepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebjaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckpbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnogfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqlfhjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfgdij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkepnalk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbcgnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qidckjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjddnjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikgda32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegibbeb.dll" Oqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdflgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkpnjeha.dll" Honiikpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphklnhn.dll" Imcfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dadcppbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enhcnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnlcakk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nphpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjgqcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifakkod.dll" Dkcebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdldhfli.dll" Hilgfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khffjg32.dll" Qkelme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcigjjli.dll" Aeenapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlecmb32.dll" Fbpfeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogllmge.dll" Glfjgaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfeoj32.dll" Hahljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idmnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkkhmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkpck32.dll" Pigklmqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkggemii.dll" Qpaohjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bafkookd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flffpf32.dll" Bkkioeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpodgocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cignhbcn.dll" Fmlglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgcacc32.dll" Miaaki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oojfnakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhbpahan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpikik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoied32.dll" Ablbjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbqhkfi.dll" Mjmnmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjckae.dll" Qblfkgqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedehamj.dll" Qbobaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egihcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcnpfgn.dll" Ghmnmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdadadkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kckjmpko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 d83c60753fe252b5dd7f76347d33e5f0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppgcol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olgpff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbbegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddobpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfgdij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfhi32.dll" Lhapocoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heobhfnp.dll" Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnqkjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomfmm32.dll" Oajopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iejohemh.dll" Akjfhdka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aempha32.dll" Ckhbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecnpdnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqodfpah.dll" Ihbdhepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbhagiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijcmo32.dll" Ihjcko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkbcgnie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dapjdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmeagdlp.dll" Gipqpplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll" Ccpqjfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jglgoc32.dll" Bhbpahan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qidckjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bikfklni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnbkodci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkfdfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpmkbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnonj32.dll" Cagjqbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbmmbaal.dll" Pfnhkq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2656 wrote to memory of 908 2656 d83c60753fe252b5dd7f76347d33e5f0N.exe 30 PID 2656 wrote to memory of 908 2656 d83c60753fe252b5dd7f76347d33e5f0N.exe 30 PID 2656 wrote to memory of 908 2656 d83c60753fe252b5dd7f76347d33e5f0N.exe 30 PID 2656 wrote to memory of 908 2656 d83c60753fe252b5dd7f76347d33e5f0N.exe 30 PID 908 wrote to memory of 2760 908 Mpikik32.exe 31 PID 908 wrote to memory of 2760 908 Mpikik32.exe 31 PID 908 wrote to memory of 2760 908 Mpikik32.exe 31 PID 908 wrote to memory of 2760 908 Mpikik32.exe 31 PID 2760 wrote to memory of 2104 2760 Maldfbjn.exe 32 PID 2760 wrote to memory of 2104 2760 Maldfbjn.exe 32 PID 2760 wrote to memory of 2104 2760 Maldfbjn.exe 32 PID 2760 wrote to memory of 2104 2760 Maldfbjn.exe 32 PID 2104 wrote to memory of 2768 2104 Naegmabc.exe 33 PID 2104 wrote to memory of 2768 2104 Naegmabc.exe 33 PID 2104 wrote to memory of 2768 2104 Naegmabc.exe 33 PID 2104 wrote to memory of 2768 2104 Naegmabc.exe 33 PID 2768 wrote to memory of 3004 2768 Nggipg32.exe 34 PID 2768 wrote to memory of 3004 2768 Nggipg32.exe 34 PID 2768 wrote to memory of 3004 2768 Nggipg32.exe 34 PID 2768 wrote to memory of 3004 2768 Nggipg32.exe 34 PID 3004 wrote to memory of 1192 3004 Njhbabif.exe 35 PID 3004 wrote to memory of 1192 3004 Njhbabif.exe 35 PID 3004 wrote to memory of 1192 3004 Njhbabif.exe 35 PID 3004 wrote to memory of 1192 3004 Njhbabif.exe 35 PID 1192 wrote to memory of 1632 1192 Pflbpg32.exe 36 PID 1192 wrote to memory of 1632 1192 Pflbpg32.exe 36 PID 1192 wrote to memory of 1632 1192 Pflbpg32.exe 36 PID 1192 wrote to memory of 1632 1192 Pflbpg32.exe 36 PID 1632 wrote to memory of 2932 1632 Ppgcol32.exe 37 PID 1632 wrote to memory of 2932 1632 Ppgcol32.exe 37 PID 1632 wrote to memory of 2932 1632 Ppgcol32.exe 37 PID 1632 wrote to memory of 2932 1632 Ppgcol32.exe 37 PID 2932 wrote to memory of 564 2932 Qblfkgqb.exe 38 PID 2932 wrote to memory of 564 2932 Qblfkgqb.exe 38 PID 2932 wrote to memory of 564 2932 Qblfkgqb.exe 38 PID 2932 wrote to memory of 564 2932 Qblfkgqb.exe 38 PID 564 wrote to memory of 3020 564 Qbobaf32.exe 39 PID 564 wrote to memory of 3020 564 Qbobaf32.exe 39 PID 564 wrote to memory of 3020 564 Qbobaf32.exe 39 PID 564 wrote to memory of 3020 564 Qbobaf32.exe 39 PID 3020 wrote to memory of 2356 3020 Ablbjj32.exe 40 PID 3020 wrote to memory of 2356 3020 Ablbjj32.exe 40 PID 3020 wrote to memory of 2356 3020 Ablbjj32.exe 40 PID 3020 wrote to memory of 2356 3020 Ablbjj32.exe 40 PID 2356 wrote to memory of 604 2356 Abnopj32.exe 41 PID 2356 wrote to memory of 604 2356 Abnopj32.exe 41 PID 2356 wrote to memory of 604 2356 Abnopj32.exe 41 PID 2356 wrote to memory of 604 2356 Abnopj32.exe 41 PID 604 wrote to memory of 1476 604 Bdfahaaa.exe 42 PID 604 wrote to memory of 1476 604 Bdfahaaa.exe 42 PID 604 wrote to memory of 1476 604 Bdfahaaa.exe 42 PID 604 wrote to memory of 1476 604 Bdfahaaa.exe 42 PID 1476 wrote to memory of 1728 1476 Cncolfcl.exe 43 PID 1476 wrote to memory of 1728 1476 Cncolfcl.exe 43 PID 1476 wrote to memory of 1728 1476 Cncolfcl.exe 43 PID 1476 wrote to memory of 1728 1476 Cncolfcl.exe 43 PID 1728 wrote to memory of 2140 1728 Dbmkfh32.exe 44 PID 1728 wrote to memory of 2140 1728 Dbmkfh32.exe 44 PID 1728 wrote to memory of 2140 1728 Dbmkfh32.exe 44 PID 1728 wrote to memory of 2140 1728 Dbmkfh32.exe 44 PID 2140 wrote to memory of 2168 2140 Ddbmcb32.exe 45 PID 2140 wrote to memory of 2168 2140 Ddbmcb32.exe 45 PID 2140 wrote to memory of 2168 2140 Ddbmcb32.exe 45 PID 2140 wrote to memory of 2168 2140 Ddbmcb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d83c60753fe252b5dd7f76347d33e5f0N.exe"C:\Users\Admin\AppData\Local\Temp\d83c60753fe252b5dd7f76347d33e5f0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Mpikik32.exeC:\Windows\system32\Mpikik32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Naegmabc.exeC:\Windows\system32\Naegmabc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Nggipg32.exeC:\Windows\system32\Nggipg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Njhbabif.exeC:\Windows\system32\Njhbabif.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Pflbpg32.exeC:\Windows\system32\Pflbpg32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Ppgcol32.exeC:\Windows\system32\Ppgcol32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Qblfkgqb.exeC:\Windows\system32\Qblfkgqb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Ablbjj32.exeC:\Windows\system32\Ablbjj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Abnopj32.exeC:\Windows\system32\Abnopj32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Bdfahaaa.exeC:\Windows\system32\Bdfahaaa.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\Cncolfcl.exeC:\Windows\system32\Cncolfcl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Dbmkfh32.exeC:\Windows\system32\Dbmkfh32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Ddbmcb32.exeC:\Windows\system32\Ddbmcb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Epqgopbi.exeC:\Windows\system32\Epqgopbi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Fnogfk32.exeC:\Windows\system32\Fnogfk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Fdnlcakk.exeC:\Windows\system32\Fdnlcakk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Gfabkl32.exeC:\Windows\system32\Gfabkl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Hipkfkgh.exeC:\Windows\system32\Hipkfkgh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Hchoop32.exeC:\Windows\system32\Hchoop32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Hjddaj32.exeC:\Windows\system32\Hjddaj32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Iocioq32.exeC:\Windows\system32\Iocioq32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Ioefdpne.exeC:\Windows\system32\Ioefdpne.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Jqpebg32.exeC:\Windows\system32\Jqpebg32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Jqbbhg32.exeC:\Windows\system32\Jqbbhg32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Jibpghbk.exeC:\Windows\system32\Jibpghbk.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:548 -
C:\Windows\SysWOW64\Kkefoc32.exeC:\Windows\system32\Kkefoc32.exe38⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Klhbdclg.exeC:\Windows\system32\Klhbdclg.exe39⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Lbmnea32.exeC:\Windows\system32\Lbmnea32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Mbdcepcm.exeC:\Windows\system32\Mbdcepcm.exe43⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Mhcicf32.exeC:\Windows\system32\Mhcicf32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Mpqjmh32.exeC:\Windows\system32\Mpqjmh32.exe45⤵
- Executes dropped EXE
PID:360 -
C:\Windows\SysWOW64\Mmdkfmjc.exeC:\Windows\system32\Mmdkfmjc.exe46⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Nmggllha.exeC:\Windows\system32\Nmggllha.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Nphpng32.exeC:\Windows\system32\Nphpng32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Nloachkf.exeC:\Windows\system32\Nloachkf.exe49⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Nhebhipj.exeC:\Windows\system32\Nhebhipj.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Ogmkne32.exeC:\Windows\system32\Ogmkne32.exe52⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Oabplobe.exeC:\Windows\system32\Oabplobe.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Oqgmmk32.exeC:\Windows\system32\Oqgmmk32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Onkmfofg.exeC:\Windows\system32\Onkmfofg.exe55⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Pigklmqc.exeC:\Windows\system32\Pigklmqc.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Pmecbkgj.exeC:\Windows\system32\Pmecbkgj.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Pkjqcg32.exeC:\Windows\system32\Pkjqcg32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Pecelm32.exeC:\Windows\system32\Pecelm32.exe61⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Pkojoghl.exeC:\Windows\system32\Pkojoghl.exe62⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Qjdgpcmd.exeC:\Windows\system32\Qjdgpcmd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:932 -
C:\Windows\SysWOW64\Qpaohjkk.exeC:\Windows\system32\Qpaohjkk.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Apclnj32.exeC:\Windows\system32\Apclnj32.exe65⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Amglgn32.exeC:\Windows\system32\Amglgn32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Ainmlomf.exeC:\Windows\system32\Ainmlomf.exe67⤵PID:1548
-
C:\Windows\SysWOW64\Aeenapck.exeC:\Windows\system32\Aeenapck.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Abinjdad.exeC:\Windows\system32\Abinjdad.exe69⤵PID:864
-
C:\Windows\SysWOW64\Aejglo32.exeC:\Windows\system32\Aejglo32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Baqhapdj.exeC:\Windows\system32\Baqhapdj.exe71⤵PID:2756
-
C:\Windows\SysWOW64\Bacefpbg.exeC:\Windows\system32\Bacefpbg.exe72⤵
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Bkkioeig.exeC:\Windows\system32\Bkkioeig.exe73⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Bbfnchfb.exeC:\Windows\system32\Bbfnchfb.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Bpjnmlel.exeC:\Windows\system32\Bpjnmlel.exe75⤵PID:2108
-
C:\Windows\SysWOW64\Bpmkbl32.exeC:\Windows\system32\Bpmkbl32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Ciepkajj.exeC:\Windows\system32\Ciepkajj.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Ciglaa32.exeC:\Windows\system32\Ciglaa32.exe78⤵
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\Ccpqjfnh.exeC:\Windows\system32\Ccpqjfnh.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Cniajdkg.exeC:\Windows\system32\Cniajdkg.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Chofhm32.exeC:\Windows\system32\Chofhm32.exe81⤵PID:2432
-
C:\Windows\SysWOW64\Cagjqbam.exeC:\Windows\system32\Cagjqbam.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Cgdciiod.exeC:\Windows\system32\Cgdciiod.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Dnqhkcdo.exeC:\Windows\system32\Dnqhkcdo.exe84⤵PID:1964
-
C:\Windows\SysWOW64\Dpodgocb.exeC:\Windows\system32\Dpodgocb.exe85⤵
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Dflmpebj.exeC:\Windows\system32\Dflmpebj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Dhleaq32.exeC:\Windows\system32\Dhleaq32.exe87⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Dfpfke32.exeC:\Windows\system32\Dfpfke32.exe88⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Dfbbpd32.exeC:\Windows\system32\Dfbbpd32.exe89⤵PID:2600
-
C:\Windows\SysWOW64\Ekpkhkji.exeC:\Windows\system32\Ekpkhkji.exe90⤵PID:2468
-
C:\Windows\SysWOW64\Efeoedjo.exeC:\Windows\system32\Efeoedjo.exe91⤵
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Ekbhnkhf.exeC:\Windows\system32\Ekbhnkhf.exe92⤵PID:1028
-
C:\Windows\SysWOW64\Egihcl32.exeC:\Windows\system32\Egihcl32.exe93⤵
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Fmlglb32.exeC:\Windows\system32\Fmlglb32.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Fjqhef32.exeC:\Windows\system32\Fjqhef32.exe95⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Ffghjg32.exeC:\Windows\system32\Ffghjg32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024 -
C:\Windows\SysWOW64\Fppmcmah.exeC:\Windows\system32\Fppmcmah.exe97⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\Fbpfeh32.exeC:\Windows\system32\Fbpfeh32.exe98⤵
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Ghmnmo32.exeC:\Windows\system32\Ghmnmo32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Gddobpbe.exeC:\Windows\system32\Gddobpbe.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Gjngoj32.exeC:\Windows\system32\Gjngoj32.exe101⤵
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Gdflgo32.exeC:\Windows\system32\Gdflgo32.exe102⤵
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Gfgdij32.exeC:\Windows\system32\Gfgdij32.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Gdkebolm.exeC:\Windows\system32\Gdkebolm.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Glfjgaih.exeC:\Windows\system32\Glfjgaih.exe105⤵
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Hlhfmqge.exeC:\Windows\system32\Hlhfmqge.exe106⤵PID:2528
-
C:\Windows\SysWOW64\Hilgfe32.exeC:\Windows\system32\Hilgfe32.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Hahljg32.exeC:\Windows\system32\Hahljg32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Hajhpgag.exeC:\Windows\system32\Hajhpgag.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:320 -
C:\Windows\SysWOW64\Honiikpa.exeC:\Windows\system32\Honiikpa.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Imcfjg32.exeC:\Windows\system32\Imcfjg32.exe111⤵
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Idmnga32.exeC:\Windows\system32\Idmnga32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Iijfoh32.exeC:\Windows\system32\Iijfoh32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Iilceh32.exeC:\Windows\system32\Iilceh32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Iecdji32.exeC:\Windows\system32\Iecdji32.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Igbqdlea.exeC:\Windows\system32\Igbqdlea.exe116⤵PID:2092
-
C:\Windows\SysWOW64\Iciaim32.exeC:\Windows\system32\Iciaim32.exe117⤵
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Jaonji32.exeC:\Windows\system32\Jaonji32.exe118⤵PID:540
-
C:\Windows\SysWOW64\Jkgbcofn.exeC:\Windows\system32\Jkgbcofn.exe119⤵
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Jdogldmo.exeC:\Windows\system32\Jdogldmo.exe120⤵PID:2536
-
C:\Windows\SysWOW64\Jdadadkl.exeC:\Windows\system32\Jdadadkl.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2084
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-