Analysis
-
max time kernel
117s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-09-2024 06:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d83a76a3503e7ff47434b5c25eba4320N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d83a76a3503e7ff47434b5c25eba4320N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d83a76a3503e7ff47434b5c25eba4320N.exe
-
Size
63KB
-
MD5
d83a76a3503e7ff47434b5c25eba4320
-
SHA1
e957f8d531be4095c93254344449e5b64ca82f88
-
SHA256
74dcb9600a1cffb2d39a5ab001b410073d66ee19f697f62d879419e2f1f303ec
-
SHA512
de09bde0036eadc1d51eb274f6a1f53b2518e86dba7aa6d036a0f1722673cda0ede25a1ff52864f0984e76747b54e4cb7f266996552900b56ad0e776253a5864
-
SSDEEP
768:8It2Q+din8ff469G14JZ0zM3ytUpcO1mi/1H5SvXdnhg20a0kXdnhAPAPDXdnhe:8EF+wOQqLb/qH1juIZo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhehfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpbgbdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnhfhoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbidof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kplhfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfbjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lflonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejfnda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nifjnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfncad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognobcqo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggqamh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anpahn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlpadaac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omekgakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkojcgga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Binikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lelljepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elgioe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omekgakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpcghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhmdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjlap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjanfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gielchpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhcknpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnnhjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emieflec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpqnpacp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejifdab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpimbcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phhmeehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oafhmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhpigk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foidii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpijgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bocfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbikig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhklha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajcldpkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbcfme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkahbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdeehe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jadnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmholgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cagjqbam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpoibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhgelk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglbmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dabfjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcingdbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkddjkej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nodnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgnpmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikcpmieg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoqhncgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqljdclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iilocklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdjioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knbjgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejifdab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmoppefc.exe -
Executes dropped EXE 64 IoCs
pid Process 2140 Binikb32.exe 1108 Bfbjdf32.exe 2784 Bbikig32.exe 2796 Cobhdhha.exe 2748 Codeih32.exe 3060 Caenkc32.exe 924 Cagjqbam.exe 1604 Dpmgao32.exe 3008 Dlchfp32.exe 2848 Djjeedhp.exe 2700 Dhobgp32.exe 3056 Dfbbpd32.exe 1192 Egflml32.exe 2968 Ekddck32.exe 1668 Emhnqbjo.exe 2064 Efpbih32.exe 1712 Ffboohnm.exe 968 Fbipdi32.exe 2408 Fladmn32.exe 1784 Fejifdab.exe 1396 Felekcop.exe 2944 Fnejdiep.exe 1620 Fijnabef.exe 1608 Gmlckehe.exe 1740 Gmoppefc.exe 1220 Gfgdij32.exe 2068 Gpoibp32.exe 2152 Gdmbhnjj.exe 2736 Hilgfe32.exe 2640 Hajhpgag.exe 1656 Hhdqma32.exe 2536 Hdkaabnh.exe 2584 Igkjcm32.exe 2884 Ipdolbbj.exe 2404 Igpdnlgd.exe 2816 Iokhcodo.exe 2888 Jopbnn32.exe 2496 Jflgph32.exe 560 Joekimld.exe 1952 Jgppmpjp.exe 2964 Kcimhpma.exe 1272 Knoaeimg.exe 1116 Kfjfik32.exe 2044 Kqokgd32.exe 1100 Kimlqfeq.exe 1736 Lgbibb32.exe 1640 Lefikg32.exe 1244 Ljcbcngi.exe 2204 Lnnndl32.exe 868 Lckflc32.exe 2116 Lmckeidj.exe 2628 Lcncbc32.exe 1564 Lflonn32.exe 2768 Laackgka.exe 2544 Lhklha32.exe 3044 Ljjhdm32.exe 1700 Ladpagin.exe 2384 Mbemho32.exe 2872 Mioeeifi.exe 540 Mpimbcnf.exe 1948 Meffjjln.exe 2292 Mfebdm32.exe 1080 Mpngmb32.exe 2368 Mifkfhpa.exe -
Loads dropped DLL 64 IoCs
pid Process 2992 d83a76a3503e7ff47434b5c25eba4320N.exe 2992 d83a76a3503e7ff47434b5c25eba4320N.exe 2140 Binikb32.exe 2140 Binikb32.exe 1108 Bfbjdf32.exe 1108 Bfbjdf32.exe 2784 Bbikig32.exe 2784 Bbikig32.exe 2796 Cobhdhha.exe 2796 Cobhdhha.exe 2748 Codeih32.exe 2748 Codeih32.exe 3060 Caenkc32.exe 3060 Caenkc32.exe 924 Cagjqbam.exe 924 Cagjqbam.exe 1604 Dpmgao32.exe 1604 Dpmgao32.exe 3008 Dlchfp32.exe 3008 Dlchfp32.exe 2848 Djjeedhp.exe 2848 Djjeedhp.exe 2700 Dhobgp32.exe 2700 Dhobgp32.exe 3056 Dfbbpd32.exe 3056 Dfbbpd32.exe 1192 Egflml32.exe 1192 Egflml32.exe 2968 Ekddck32.exe 2968 Ekddck32.exe 1668 Emhnqbjo.exe 1668 Emhnqbjo.exe 2064 Efpbih32.exe 2064 Efpbih32.exe 1712 Ffboohnm.exe 1712 Ffboohnm.exe 968 Fbipdi32.exe 968 Fbipdi32.exe 2408 Fladmn32.exe 2408 Fladmn32.exe 1784 Fejifdab.exe 1784 Fejifdab.exe 1396 Felekcop.exe 1396 Felekcop.exe 2944 Fnejdiep.exe 2944 Fnejdiep.exe 1620 Fijnabef.exe 1620 Fijnabef.exe 1608 Gmlckehe.exe 1608 Gmlckehe.exe 1740 Gmoppefc.exe 1740 Gmoppefc.exe 1220 Gfgdij32.exe 1220 Gfgdij32.exe 2068 Gpoibp32.exe 2068 Gpoibp32.exe 2152 Gdmbhnjj.exe 2152 Gdmbhnjj.exe 2736 Hilgfe32.exe 2736 Hilgfe32.exe 2640 Hajhpgag.exe 2640 Hajhpgag.exe 1656 Hhdqma32.exe 1656 Hhdqma32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hilgfe32.exe Gdmbhnjj.exe File created C:\Windows\SysWOW64\Mjddnjdf.exe Mcjlap32.exe File created C:\Windows\SysWOW64\Ooilcc32.dll Llainlje.exe File opened for modification C:\Windows\SysWOW64\Liibigjq.exe Lpqnpacp.exe File opened for modification C:\Windows\SysWOW64\Ioochn32.exe Igdndl32.exe File created C:\Windows\SysWOW64\Fmdfppkb.exe Fghngimj.exe File created C:\Windows\SysWOW64\Jklnggjm.exe Jkjaaglp.exe File created C:\Windows\SysWOW64\Lcpbpk32.exe Lbmicc32.exe File opened for modification C:\Windows\SysWOW64\Bbocak32.exe Bmbkid32.exe File opened for modification C:\Windows\SysWOW64\Hgbhibio.exe Hnjdpm32.exe File created C:\Windows\SysWOW64\Aodjdede.exe Aekelo32.exe File opened for modification C:\Windows\SysWOW64\Aafnpkii.exe Ajmfca32.exe File created C:\Windows\SysWOW64\Llbmlo32.dll Cmlqimph.exe File created C:\Windows\SysWOW64\Ajlema32.dll Mmpobi32.exe File created C:\Windows\SysWOW64\Oidldm32.dll Ephhmn32.exe File created C:\Windows\SysWOW64\Gkancm32.exe Gaiijgbi.exe File created C:\Windows\SysWOW64\Hfjbkm32.dll Bdbdgh32.exe File opened for modification C:\Windows\SysWOW64\Fbipdi32.exe Ffboohnm.exe File created C:\Windows\SysWOW64\Anfggicl.exe Ahioobed.exe File created C:\Windows\SysWOW64\Dcelpdef.dll Fefpfi32.exe File created C:\Windows\SysWOW64\Olgehh32.exe Ofklpa32.exe File created C:\Windows\SysWOW64\Pphqlc32.dll Aodjdede.exe File opened for modification C:\Windows\SysWOW64\Qdieaf32.exe Qolmip32.exe File created C:\Windows\SysWOW64\Mjgclcjh.exe Mpaoojjb.exe File created C:\Windows\SysWOW64\Khdgabih.exe Knkbimbg.exe File opened for modification C:\Windows\SysWOW64\Ckajqo32.exe Bjanfl32.exe File created C:\Windows\SysWOW64\Moikinib.exe Mnjnolap.exe File created C:\Windows\SysWOW64\Plkchdiq.exe Peakkj32.exe File opened for modification C:\Windows\SysWOW64\Dfbbpd32.exe Dhobgp32.exe File opened for modification C:\Windows\SysWOW64\Qifpqi32.exe Qnalcqpm.exe File opened for modification C:\Windows\SysWOW64\Dnhgoa32.exe Dgoobg32.exe File created C:\Windows\SysWOW64\Khjmoj32.dll Lffohikd.exe File created C:\Windows\SysWOW64\Ehfkphnd.exe Ekbjgd32.exe File opened for modification C:\Windows\SysWOW64\Anfggicl.exe Ahioobed.exe File created C:\Windows\SysWOW64\Bepdfd32.dll Akpmhdqd.exe File created C:\Windows\SysWOW64\Fianpp32.exe Fpijgk32.exe File created C:\Windows\SysWOW64\Hajhpgag.exe Hilgfe32.exe File opened for modification C:\Windows\SysWOW64\Ibejfffo.exe Iimenapo.exe File opened for modification C:\Windows\SysWOW64\Mqfooonp.exe Mqdbjp32.exe File created C:\Windows\SysWOW64\Efghmkeb.dll Gcimop32.exe File created C:\Windows\SysWOW64\Cgnpmg32.exe Cobkhe32.exe File created C:\Windows\SysWOW64\Kqokgd32.exe Kfjfik32.exe File opened for modification C:\Windows\SysWOW64\Flmlmc32.exe Fmholgpj.exe File created C:\Windows\SysWOW64\Mgdlgpke.dll Olgehh32.exe File created C:\Windows\SysWOW64\Jibcja32.exe Jbhkngcd.exe File opened for modification C:\Windows\SysWOW64\Onmgeb32.exe Ollncgjq.exe File created C:\Windows\SysWOW64\Ajojkjfk.dll Mmgkoe32.exe File created C:\Windows\SysWOW64\Pdgmbedh.dll Bfbjdf32.exe File created C:\Windows\SysWOW64\Mpngmb32.exe Mfebdm32.exe File created C:\Windows\SysWOW64\Abgqlf32.dll Ankhmncb.exe File created C:\Windows\SysWOW64\Jehbfjia.exe Jlpmndba.exe File created C:\Windows\SysWOW64\Nkchooim.dll Keodflee.exe File created C:\Windows\SysWOW64\Nfeljlqh.exe Ncdciq32.exe File created C:\Windows\SysWOW64\Ncloha32.exe Nmogpj32.exe File created C:\Windows\SysWOW64\Fhngkm32.exe Ffpkob32.exe File created C:\Windows\SysWOW64\Eakjophb.exe Eipekmjg.exe File created C:\Windows\SysWOW64\Omopkm32.dll Dchpnd32.exe File created C:\Windows\SysWOW64\Ljpqlqmd.exe Ljndga32.exe File created C:\Windows\SysWOW64\Kcadedfd.dll Cmocha32.exe File created C:\Windows\SysWOW64\Njjbjk32.exe Nodnmb32.exe File created C:\Windows\SysWOW64\Iglngj32.exe Idkdfo32.exe File created C:\Windows\SysWOW64\Kkadkelj.dll Ledpjdid.exe File opened for modification C:\Windows\SysWOW64\Pogegeoj.exe Pqbifhjb.exe File created C:\Windows\SysWOW64\Bfjnbnfd.dll Kppmpmal.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4688 4644 WerFault.exe 776 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncloha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgpff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffohikd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoakckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlooh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fclkldqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqdbjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhobgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjiibm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhffikob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhcknpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckdcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iccnmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagnmkjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojeda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhaibnim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikkfilp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbemho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befpkmph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhlcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmlmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdpkfga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobhillo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onggom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbajme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkfnaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oafhmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlapc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklpml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inopce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpndlobg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlecmkel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibpdico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnnhcknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhngbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kanhph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakjophb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmchhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeaael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjmcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pniohk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anpahn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdkfic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcopkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmjkapi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdieaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blklfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foacmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifkfhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoqhncgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iboghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbfobllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkekmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhqfie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kphpdhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacgli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdcom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbjmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdnlgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlgdhcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deiipp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnijnjbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfajhblm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njgeel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hghhngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnjlg32.dll" Mkggnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clfkfeno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkekmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgggn32.dll" Qchmll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kphpdhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjklkdh.dll" Oakcan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eapcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpbilmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnchedie.dll" Kceganoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffpkob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebkndibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfdkoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljkodkb.dll" Emhnqbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjbghkfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egkgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpbecig.dll" Cobkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhobgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpbaf32.dll" Papkcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfqak32.dll" Kdooij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dihmae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gegaeabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giolcp32.dll" Fcingdbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eganqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnnndl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnnhcknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofcldoef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leqeed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmpobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnepjk32.dll" Bjgmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnimeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnoiocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafaaq32.dll" Lngpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiodliep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpnfdbig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmegkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onbedbmj.dll" Lddjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfphmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkkfi32.dll" Dbkolmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aekelo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmnjj32.dll" Modano32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfeljlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbegfg32.dll" Cagjqbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhgelk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fghngimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lggdfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npceanij.dll" Phabdmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfeohc32.dll" Bkjfhile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibikc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knoaeimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckomcec.dll" Fghngimj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iflmlfcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geepmb32.dll" Iflmlfcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibdclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjccdpc.dll" Mjgclcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdkaabnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpenafkn.dll" Kimlqfeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmaeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmeecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjcoaeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eocieq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nleckcno.dll" Hkljljko.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2992 wrote to memory of 2140 2992 d83a76a3503e7ff47434b5c25eba4320N.exe 30 PID 2992 wrote to memory of 2140 2992 d83a76a3503e7ff47434b5c25eba4320N.exe 30 PID 2992 wrote to memory of 2140 2992 d83a76a3503e7ff47434b5c25eba4320N.exe 30 PID 2992 wrote to memory of 2140 2992 d83a76a3503e7ff47434b5c25eba4320N.exe 30 PID 2140 wrote to memory of 1108 2140 Binikb32.exe 31 PID 2140 wrote to memory of 1108 2140 Binikb32.exe 31 PID 2140 wrote to memory of 1108 2140 Binikb32.exe 31 PID 2140 wrote to memory of 1108 2140 Binikb32.exe 31 PID 1108 wrote to memory of 2784 1108 Bfbjdf32.exe 32 PID 1108 wrote to memory of 2784 1108 Bfbjdf32.exe 32 PID 1108 wrote to memory of 2784 1108 Bfbjdf32.exe 32 PID 1108 wrote to memory of 2784 1108 Bfbjdf32.exe 32 PID 2784 wrote to memory of 2796 2784 Bbikig32.exe 33 PID 2784 wrote to memory of 2796 2784 Bbikig32.exe 33 PID 2784 wrote to memory of 2796 2784 Bbikig32.exe 33 PID 2784 wrote to memory of 2796 2784 Bbikig32.exe 33 PID 2796 wrote to memory of 2748 2796 Cobhdhha.exe 34 PID 2796 wrote to memory of 2748 2796 Cobhdhha.exe 34 PID 2796 wrote to memory of 2748 2796 Cobhdhha.exe 34 PID 2796 wrote to memory of 2748 2796 Cobhdhha.exe 34 PID 2748 wrote to memory of 3060 2748 Codeih32.exe 35 PID 2748 wrote to memory of 3060 2748 Codeih32.exe 35 PID 2748 wrote to memory of 3060 2748 Codeih32.exe 35 PID 2748 wrote to memory of 3060 2748 Codeih32.exe 35 PID 3060 wrote to memory of 924 3060 Caenkc32.exe 36 PID 3060 wrote to memory of 924 3060 Caenkc32.exe 36 PID 3060 wrote to memory of 924 3060 Caenkc32.exe 36 PID 3060 wrote to memory of 924 3060 Caenkc32.exe 36 PID 924 wrote to memory of 1604 924 Cagjqbam.exe 37 PID 924 wrote to memory of 1604 924 Cagjqbam.exe 37 PID 924 wrote to memory of 1604 924 Cagjqbam.exe 37 PID 924 wrote to memory of 1604 924 Cagjqbam.exe 37 PID 1604 wrote to memory of 3008 1604 Dpmgao32.exe 38 PID 1604 wrote to memory of 3008 1604 Dpmgao32.exe 38 PID 1604 wrote to memory of 3008 1604 Dpmgao32.exe 38 PID 1604 wrote to memory of 3008 1604 Dpmgao32.exe 38 PID 3008 wrote to memory of 2848 3008 Dlchfp32.exe 39 PID 3008 wrote to memory of 2848 3008 Dlchfp32.exe 39 PID 3008 wrote to memory of 2848 3008 Dlchfp32.exe 39 PID 3008 wrote to memory of 2848 3008 Dlchfp32.exe 39 PID 2848 wrote to memory of 2700 2848 Djjeedhp.exe 40 PID 2848 wrote to memory of 2700 2848 Djjeedhp.exe 40 PID 2848 wrote to memory of 2700 2848 Djjeedhp.exe 40 PID 2848 wrote to memory of 2700 2848 Djjeedhp.exe 40 PID 2700 wrote to memory of 3056 2700 Dhobgp32.exe 41 PID 2700 wrote to memory of 3056 2700 Dhobgp32.exe 41 PID 2700 wrote to memory of 3056 2700 Dhobgp32.exe 41 PID 2700 wrote to memory of 3056 2700 Dhobgp32.exe 41 PID 3056 wrote to memory of 1192 3056 Dfbbpd32.exe 42 PID 3056 wrote to memory of 1192 3056 Dfbbpd32.exe 42 PID 3056 wrote to memory of 1192 3056 Dfbbpd32.exe 42 PID 3056 wrote to memory of 1192 3056 Dfbbpd32.exe 42 PID 1192 wrote to memory of 2968 1192 Egflml32.exe 43 PID 1192 wrote to memory of 2968 1192 Egflml32.exe 43 PID 1192 wrote to memory of 2968 1192 Egflml32.exe 43 PID 1192 wrote to memory of 2968 1192 Egflml32.exe 43 PID 2968 wrote to memory of 1668 2968 Ekddck32.exe 44 PID 2968 wrote to memory of 1668 2968 Ekddck32.exe 44 PID 2968 wrote to memory of 1668 2968 Ekddck32.exe 44 PID 2968 wrote to memory of 1668 2968 Ekddck32.exe 44 PID 1668 wrote to memory of 2064 1668 Emhnqbjo.exe 45 PID 1668 wrote to memory of 2064 1668 Emhnqbjo.exe 45 PID 1668 wrote to memory of 2064 1668 Emhnqbjo.exe 45 PID 1668 wrote to memory of 2064 1668 Emhnqbjo.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d83a76a3503e7ff47434b5c25eba4320N.exe"C:\Users\Admin\AppData\Local\Temp\d83a76a3503e7ff47434b5c25eba4320N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Binikb32.exeC:\Windows\system32\Binikb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Bfbjdf32.exeC:\Windows\system32\Bfbjdf32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Bbikig32.exeC:\Windows\system32\Bbikig32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Cobhdhha.exeC:\Windows\system32\Cobhdhha.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Codeih32.exeC:\Windows\system32\Codeih32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Caenkc32.exeC:\Windows\system32\Caenkc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Cagjqbam.exeC:\Windows\system32\Cagjqbam.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Dpmgao32.exeC:\Windows\system32\Dpmgao32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Dlchfp32.exeC:\Windows\system32\Dlchfp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Djjeedhp.exeC:\Windows\system32\Djjeedhp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Dhobgp32.exeC:\Windows\system32\Dhobgp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Dfbbpd32.exeC:\Windows\system32\Dfbbpd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Egflml32.exeC:\Windows\system32\Egflml32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Ekddck32.exeC:\Windows\system32\Ekddck32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Emhnqbjo.exeC:\Windows\system32\Emhnqbjo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Efpbih32.exeC:\Windows\system32\Efpbih32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Ffboohnm.exeC:\Windows\system32\Ffboohnm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Fbipdi32.exeC:\Windows\system32\Fbipdi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Fladmn32.exeC:\Windows\system32\Fladmn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Fejifdab.exeC:\Windows\system32\Fejifdab.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Felekcop.exeC:\Windows\system32\Felekcop.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1396 -
C:\Windows\SysWOW64\Fnejdiep.exeC:\Windows\system32\Fnejdiep.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Fijnabef.exeC:\Windows\system32\Fijnabef.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Gmlckehe.exeC:\Windows\system32\Gmlckehe.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Gmoppefc.exeC:\Windows\system32\Gmoppefc.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Gfgdij32.exeC:\Windows\system32\Gfgdij32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220 -
C:\Windows\SysWOW64\Gpoibp32.exeC:\Windows\system32\Gpoibp32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Gdmbhnjj.exeC:\Windows\system32\Gdmbhnjj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Hilgfe32.exeC:\Windows\system32\Hilgfe32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Hajhpgag.exeC:\Windows\system32\Hajhpgag.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Hhdqma32.exeC:\Windows\system32\Hhdqma32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Hdkaabnh.exeC:\Windows\system32\Hdkaabnh.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Igkjcm32.exeC:\Windows\system32\Igkjcm32.exe34⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Ipdolbbj.exeC:\Windows\system32\Ipdolbbj.exe35⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Igpdnlgd.exeC:\Windows\system32\Igpdnlgd.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe37⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Jopbnn32.exeC:\Windows\system32\Jopbnn32.exe38⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Jflgph32.exeC:\Windows\system32\Jflgph32.exe39⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Joekimld.exeC:\Windows\system32\Joekimld.exe40⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Jgppmpjp.exeC:\Windows\system32\Jgppmpjp.exe41⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Kcimhpma.exeC:\Windows\system32\Kcimhpma.exe42⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Knoaeimg.exeC:\Windows\system32\Knoaeimg.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Kfjfik32.exeC:\Windows\system32\Kfjfik32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Kqokgd32.exeC:\Windows\system32\Kqokgd32.exe45⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Kimlqfeq.exeC:\Windows\system32\Kimlqfeq.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Lgbibb32.exeC:\Windows\system32\Lgbibb32.exe47⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Lefikg32.exeC:\Windows\system32\Lefikg32.exe48⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Ljcbcngi.exeC:\Windows\system32\Ljcbcngi.exe49⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Lnnndl32.exeC:\Windows\system32\Lnnndl32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Lckflc32.exeC:\Windows\system32\Lckflc32.exe51⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Lmckeidj.exeC:\Windows\system32\Lmckeidj.exe52⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Lcncbc32.exeC:\Windows\system32\Lcncbc32.exe53⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Lflonn32.exeC:\Windows\system32\Lflonn32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Laackgka.exeC:\Windows\system32\Laackgka.exe55⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Lhklha32.exeC:\Windows\system32\Lhklha32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ljjhdm32.exeC:\Windows\system32\Ljjhdm32.exe57⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Ladpagin.exeC:\Windows\system32\Ladpagin.exe58⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Mbemho32.exeC:\Windows\system32\Mbemho32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Mioeeifi.exeC:\Windows\system32\Mioeeifi.exe60⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Mpimbcnf.exeC:\Windows\system32\Mpimbcnf.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Meffjjln.exeC:\Windows\system32\Meffjjln.exe62⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Mfebdm32.exeC:\Windows\system32\Mfebdm32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Mpngmb32.exeC:\Windows\system32\Mpngmb32.exe64⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Mifkfhpa.exeC:\Windows\system32\Mifkfhpa.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Mkggnp32.exeC:\Windows\system32\Mkggnp32.exe66⤵
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Maapjjml.exeC:\Windows\system32\Maapjjml.exe67⤵PID:2352
-
C:\Windows\SysWOW64\Mlgdhcmb.exeC:\Windows\system32\Mlgdhcmb.exe68⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Nacmpj32.exeC:\Windows\system32\Nacmpj32.exe69⤵PID:2308
-
C:\Windows\SysWOW64\Ngqeha32.exeC:\Windows\system32\Ngqeha32.exe70⤵PID:2444
-
C:\Windows\SysWOW64\Nddeae32.exeC:\Windows\system32\Nddeae32.exe71⤵PID:2456
-
C:\Windows\SysWOW64\Nmmjjk32.exeC:\Windows\system32\Nmmjjk32.exe72⤵PID:2260
-
C:\Windows\SysWOW64\Ncjbba32.exeC:\Windows\system32\Ncjbba32.exe73⤵PID:2532
-
C:\Windows\SysWOW64\Nmogpj32.exeC:\Windows\system32\Nmogpj32.exe74⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Ncloha32.exeC:\Windows\system32\Ncloha32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Ncnlnaim.exeC:\Windows\system32\Ncnlnaim.exe76⤵PID:2228
-
C:\Windows\SysWOW64\Olgpff32.exeC:\Windows\system32\Olgpff32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1296 -
C:\Windows\SysWOW64\Ocqhcqgk.exeC:\Windows\system32\Ocqhcqgk.exe78⤵PID:2844
-
C:\Windows\SysWOW64\Oogiha32.exeC:\Windows\system32\Oogiha32.exe79⤵PID:2852
-
C:\Windows\SysWOW64\Oeaael32.exeC:\Windows\system32\Oeaael32.exe80⤵
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Oolbcaij.exeC:\Windows\system32\Oolbcaij.exe81⤵PID:1316
-
C:\Windows\SysWOW64\Ohdglfoj.exeC:\Windows\system32\Ohdglfoj.exe82⤵PID:1972
-
C:\Windows\SysWOW64\Pkepnalk.exeC:\Windows\system32\Pkepnalk.exe83⤵PID:1692
-
C:\Windows\SysWOW64\Pqbifhjb.exeC:\Windows\system32\Pqbifhjb.exe84⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Pogegeoj.exeC:\Windows\system32\Pogegeoj.exe85⤵PID:768
-
C:\Windows\SysWOW64\Pgnnhbpm.exeC:\Windows\system32\Pgnnhbpm.exe86⤵PID:1012
-
C:\Windows\SysWOW64\Poibmdmh.exeC:\Windows\system32\Poibmdmh.exe87⤵PID:1864
-
C:\Windows\SysWOW64\Pibgfjdh.exeC:\Windows\system32\Pibgfjdh.exe88⤵PID:1804
-
C:\Windows\SysWOW64\Pkpcbecl.exeC:\Windows\system32\Pkpcbecl.exe89⤵PID:2216
-
C:\Windows\SysWOW64\Pcgkcccn.exeC:\Windows\system32\Pcgkcccn.exe90⤵PID:2200
-
C:\Windows\SysWOW64\Qnalcqpm.exeC:\Windows\system32\Qnalcqpm.exe91⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Qifpqi32.exeC:\Windows\system32\Qifpqi32.exe92⤵PID:2072
-
C:\Windows\SysWOW64\Qoqhncgp.exeC:\Windows\system32\Qoqhncgp.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Aemafjeg.exeC:\Windows\system32\Aemafjeg.exe94⤵PID:2916
-
C:\Windows\SysWOW64\Akgibd32.exeC:\Windows\system32\Akgibd32.exe95⤵PID:880
-
C:\Windows\SysWOW64\Abaaoodq.exeC:\Windows\system32\Abaaoodq.exe96⤵PID:1960
-
C:\Windows\SysWOW64\Acbnggjo.exeC:\Windows\system32\Acbnggjo.exe97⤵PID:1484
-
C:\Windows\SysWOW64\Ajmfca32.exeC:\Windows\system32\Ajmfca32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Aafnpkii.exeC:\Windows\system32\Aafnpkii.exe99⤵PID:2008
-
C:\Windows\SysWOW64\Agqfme32.exeC:\Windows\system32\Agqfme32.exe100⤵PID:1304
-
C:\Windows\SysWOW64\Anjojphb.exeC:\Windows\system32\Anjojphb.exe101⤵PID:556
-
C:\Windows\SysWOW64\Amplklmj.exeC:\Windows\system32\Amplklmj.exe102⤵PID:1812
-
C:\Windows\SysWOW64\Acjdgf32.exeC:\Windows\system32\Acjdgf32.exe103⤵PID:2716
-
C:\Windows\SysWOW64\Ajcldpkd.exeC:\Windows\system32\Ajcldpkd.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Bemmenhb.exeC:\Windows\system32\Bemmenhb.exe105⤵PID:2528
-
C:\Windows\SysWOW64\Bhpclica.exeC:\Windows\system32\Bhpclica.exe106⤵PID:944
-
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe107⤵PID:2840
-
C:\Windows\SysWOW64\Befpkmph.exeC:\Windows\system32\Befpkmph.exe108⤵
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\SysWOW64\Cmaeoo32.exeC:\Windows\system32\Cmaeoo32.exe109⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Cdlmlidp.exeC:\Windows\system32\Cdlmlidp.exe110⤵PID:2196
-
C:\Windows\SysWOW64\Ckfeic32.exeC:\Windows\system32\Ckfeic32.exe111⤵PID:824
-
C:\Windows\SysWOW64\Cmdaeo32.exeC:\Windows\system32\Cmdaeo32.exe112⤵PID:1676
-
C:\Windows\SysWOW64\Cbajme32.exeC:\Windows\system32\Cbajme32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Cpejfjha.exeC:\Windows\system32\Cpejfjha.exe114⤵PID:876
-
C:\Windows\SysWOW64\Cllkkk32.exeC:\Windows\system32\Cllkkk32.exe115⤵PID:2664
-
C:\Windows\SysWOW64\Cgaoic32.exeC:\Windows\system32\Cgaoic32.exe116⤵PID:2676
-
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe117⤵PID:2692
-
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe118⤵
- Drops file in System32 directory
PID:512 -
C:\Windows\SysWOW64\Defljp32.exeC:\Windows\system32\Defljp32.exe119⤵PID:2344
-
C:\Windows\SysWOW64\Dhehfk32.exeC:\Windows\system32\Dhehfk32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Dcjmcd32.exeC:\Windows\system32\Dcjmcd32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2572
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-