Analysis
-
max time kernel
69s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
12-09-2024 04:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3c44be5b54afc17efccbc039274cb430N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
3c44be5b54afc17efccbc039274cb430N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
3c44be5b54afc17efccbc039274cb430N.exe
-
Size
112KB
-
MD5
3c44be5b54afc17efccbc039274cb430
-
SHA1
2d19182d3bf623b457d0f7fe8edca06a228aebeb
-
SHA256
522a5e81da7722526de61813f0e477b0025615c382ccf2e31c16029187e8dd5d
-
SHA512
e3e33a22e69a2eac2162a47f24824c13b8f4c98e7158f2ad6ec14de6b5e39e74e51a263d9f552d53599691d9c5fc4a3f41aac493c3e61277fefca1294d4bb6c7
-
SSDEEP
3072:OumiKu537YCQNKJq7sWXzFeJLCQnFIBOaCUjKaVLjd:Azu9YCDA7zzFeJLbnCBbC+nVLjd
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momckfid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agkfil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhkiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkflii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beccgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqfbbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmppmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmhhcaik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdkpob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfnjfepp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgjknijp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkokjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkopjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aikkgnnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikhlaaif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anigaeoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfffmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjnhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaclgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mppiod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmpckbci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baannfim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnglekch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfaedeme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hafdbmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkpkepnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olklmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Difcpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmijmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjeckk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dokmel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekicjlai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdadbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgjknijp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilneef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdgolml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Danblfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pehiqp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpkpie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nppceo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjheklqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kolcdahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 780 Kkpekjie.exe 2264 Knnagehi.exe 2752 Kgffpk32.exe 2196 Kjeblf32.exe 2896 Kcmfeldm.exe 2620 Kjgoaflj.exe 1648 Kaagnp32.exe 976 Kgkokjjd.exe 2660 Lmhhcaik.exe 1448 Lcbppk32.exe 2028 Liohhbno.exe 2868 Lafpipoa.exe 2432 Lbgmah32.exe 376 Ljnebe32.exe 2484 Lpkmkl32.exe 1208 Lbijgg32.exe 2364 Licbca32.exe 2544 Lmondpbc.exe 1780 Lopjlh32.exe 1956 Lejbhbpn.exe 912 Lhiodnob.exe 2344 Lobgah32.exe 1788 Memonbnl.exe 1896 Mihkoa32.exe 1204 Mlfgkleh.exe 1608 Meolcb32.exe 748 Mlidplcf.exe 2696 Mogqlgbi.exe 2680 Mddidnqa.exe 1708 Mojmbg32.exe 836 Mmlmmdga.exe 2204 Mhbakmgg.exe 2552 Mkqnghfk.exe 2360 Mmojcceo.exe 2532 Mpmfoodb.exe 2476 Mkcjlhdh.exe 2624 Nldgdpjf.exe 3000 Nppceo32.exe 1524 Nelkme32.exe 1244 Nmccnc32.exe 2348 Noepfkgh.exe 2140 Nglhghgj.exe 1972 Nogmkk32.exe 476 Nimaic32.exe 2096 Nlkmeo32.exe 2324 Nceeaikk.exe 2512 Ndfbia32.exe 1444 Nhbnjpic.exe 2744 Nkpjfkhf.exe 2656 Nolffjap.exe 2772 Nnofbg32.exe 2924 Nefncd32.exe 2568 Ohdkop32.exe 2628 Ooncljom.exe 888 Oamohenq.exe 2908 Opoocb32.exe 1140 Ohfgeo32.exe 3012 Ogigpllh.exe 1864 Ojhdmgkl.exe 2808 Oncpmf32.exe 2388 Odmhjp32.exe 2440 Ogldfl32.exe 768 Okgpfjbo.exe 1652 Olhmnb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2300 3c44be5b54afc17efccbc039274cb430N.exe 2300 3c44be5b54afc17efccbc039274cb430N.exe 780 Kkpekjie.exe 780 Kkpekjie.exe 2264 Knnagehi.exe 2264 Knnagehi.exe 2752 Kgffpk32.exe 2752 Kgffpk32.exe 2196 Kjeblf32.exe 2196 Kjeblf32.exe 2896 Kcmfeldm.exe 2896 Kcmfeldm.exe 2620 Kjgoaflj.exe 2620 Kjgoaflj.exe 1648 Kaagnp32.exe 1648 Kaagnp32.exe 976 Kgkokjjd.exe 976 Kgkokjjd.exe 2660 Lmhhcaik.exe 2660 Lmhhcaik.exe 1448 Lcbppk32.exe 1448 Lcbppk32.exe 2028 Liohhbno.exe 2028 Liohhbno.exe 2868 Lafpipoa.exe 2868 Lafpipoa.exe 2432 Lbgmah32.exe 2432 Lbgmah32.exe 376 Ljnebe32.exe 376 Ljnebe32.exe 2484 Lpkmkl32.exe 2484 Lpkmkl32.exe 1208 Lbijgg32.exe 1208 Lbijgg32.exe 2364 Licbca32.exe 2364 Licbca32.exe 2544 Lmondpbc.exe 2544 Lmondpbc.exe 1780 Lopjlh32.exe 1780 Lopjlh32.exe 1956 Lejbhbpn.exe 1956 Lejbhbpn.exe 912 Lhiodnob.exe 912 Lhiodnob.exe 2344 Lobgah32.exe 2344 Lobgah32.exe 1788 Memonbnl.exe 1788 Memonbnl.exe 1896 Mihkoa32.exe 1896 Mihkoa32.exe 1276 Macpcccp.exe 1276 Macpcccp.exe 1608 Meolcb32.exe 1608 Meolcb32.exe 748 Mlidplcf.exe 748 Mlidplcf.exe 2696 Mogqlgbi.exe 2696 Mogqlgbi.exe 2680 Mddidnqa.exe 2680 Mddidnqa.exe 1708 Mojmbg32.exe 1708 Mojmbg32.exe 836 Mmlmmdga.exe 836 Mmlmmdga.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cpccnp32.exe Cmegbd32.exe File created C:\Windows\SysWOW64\Oenppk32.exe Process not Found File created C:\Windows\SysWOW64\Ohoiaf32.exe Process not Found File created C:\Windows\SysWOW64\Allbpqcp.exe Ahpfoa32.exe File opened for modification C:\Windows\SysWOW64\Hinlck32.exe Hafdbmjp.exe File created C:\Windows\SysWOW64\Lphjkfbq.exe Llmnjg32.exe File opened for modification C:\Windows\SysWOW64\Hnbhpl32.exe Hjglpncm.exe File created C:\Windows\SysWOW64\Aediaoae.exe Afaieb32.exe File opened for modification C:\Windows\SysWOW64\Ppacfg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Piipibff.exe Pbohmh32.exe File created C:\Windows\SysWOW64\Ilifkclg.dll Igmppcpm.exe File created C:\Windows\SysWOW64\Gpiadq32.exe Gmjehe32.exe File opened for modification C:\Windows\SysWOW64\Ibdcnm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lkjadh32.exe Lmgaikep.exe File created C:\Windows\SysWOW64\Hblqbmcd.dll Medobp32.exe File created C:\Windows\SysWOW64\Hppjland.dll Process not Found File created C:\Windows\SysWOW64\Feoqpaij.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nnghjm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Knnagehi.exe Kkpekjie.exe File created C:\Windows\SysWOW64\Njfoghho.dll Apbeeppo.exe File created C:\Windows\SysWOW64\Ffiedlhj.dll Difcpc32.exe File created C:\Windows\SysWOW64\Kfmemm32.dll Daqoafkh.exe File created C:\Windows\SysWOW64\Pghcbd32.dll Eloimcca.exe File created C:\Windows\SysWOW64\Ipqmgbbf.exe Process not Found File created C:\Windows\SysWOW64\Epkgbb32.dll Macpcccp.exe File opened for modification C:\Windows\SysWOW64\Genkhidc.exe Gabohk32.exe File created C:\Windows\SysWOW64\Ikfokb32.exe Igjckcbo.exe File opened for modification C:\Windows\SysWOW64\Obngnphg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cjgmoahd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ilneef32.exe Idgmch32.exe File opened for modification C:\Windows\SysWOW64\Ilpohecc.exe Iiablido.exe File created C:\Windows\SysWOW64\Mpnhhh32.exe Makhlkel.exe File created C:\Windows\SysWOW64\Ibigeojp.exe Ipkkhckl.exe File created C:\Windows\SysWOW64\Ipmcno32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fdafkm32.exe Process not Found File created C:\Windows\SysWOW64\Ehlqao32.exe Eiipfbgj.exe File created C:\Windows\SysWOW64\Pjafbfca.exe Pfekbg32.exe File opened for modification C:\Windows\SysWOW64\Lnhmqc32.exe Lkjadh32.exe File created C:\Windows\SysWOW64\Manknb32.dll Mcoioi32.exe File created C:\Windows\SysWOW64\Cpbfggdo.dll Process not Found File created C:\Windows\SysWOW64\Cmghoe32.dll Process not Found File created C:\Windows\SysWOW64\Aqapek32.exe Process not Found File created C:\Windows\SysWOW64\Lfpebq32.exe Lnhmqc32.exe File opened for modification C:\Windows\SysWOW64\Akhopj32.exe Acafnm32.exe File created C:\Windows\SysWOW64\Iejpfjha.exe Ifgpkm32.exe File created C:\Windows\SysWOW64\Ganbem32.dll Bdnmda32.exe File created C:\Windows\SysWOW64\Ffokan32.exe Fglkeaqk.exe File opened for modification C:\Windows\SysWOW64\Kjfhgp32.exe Kfklgape.exe File created C:\Windows\SysWOW64\Ikoaghlg.dll Pdhdcnng.exe File opened for modification C:\Windows\SysWOW64\Lgladc32.exe Kdmehh32.exe File created C:\Windows\SysWOW64\Akiahcik.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ooaiehhj.exe Opohil32.exe File created C:\Windows\SysWOW64\Pcajpjoi.exe Pofnok32.exe File created C:\Windows\SysWOW64\Egnjbfqc.exe Process not Found File created C:\Windows\SysWOW64\Iqddmmfp.dll Omdbfo32.exe File opened for modification C:\Windows\SysWOW64\Genmab32.exe Process not Found File created C:\Windows\SysWOW64\Nfccbeli.dll Process not Found File opened for modification C:\Windows\SysWOW64\Clphjc32.exe Cbhcankf.exe File created C:\Windows\SysWOW64\Bhmonoli.exe Bijobb32.exe File created C:\Windows\SysWOW64\Mhpgnfpn.exe Meakbjaj.exe File created C:\Windows\SysWOW64\Lnldmlgc.dll Afhfpc32.exe File opened for modification C:\Windows\SysWOW64\Aggbif32.exe Aoqjhiie.exe File created C:\Windows\SysWOW64\Idcodh32.dll Bknani32.exe File opened for modification C:\Windows\SysWOW64\Kpliac32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 3380 4020 Process not Found 1516 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchjqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcppgff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpjboi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqekin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmhjlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meakbjaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgljced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjehlldb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiamj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigbmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihhlbegd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqnjml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nppceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iniebmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egpdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebllocg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dclikp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebkibk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnfdlpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocbnqfln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmpafnld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmdmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjdkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napibq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnpkkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfoeqmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomaaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chghodgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmflmfpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mppiod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opbnbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beccgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgeckn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcpgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgeoda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kncmknkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odiagj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmppcpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgekdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbfjaeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjkdfjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmmjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eepakc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmnloih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejldfh32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnadfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjcgmjl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmdmcpk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coqaknog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iniebmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhklibbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnglkj32.dll" Bjcnoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eebnqcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkiacm32.dll" Kjbnlqld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eloimcca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffglae32.dll" Hnnoempk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcffnnq.dll" Mboekp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daedpf32.dll" Pcdnpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqpfchka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biehmiaj.dll" Momckfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idqpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefmpl32.dll" Jpbmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkminf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqfmid32.dll" Phdiglap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flgiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opohil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnijemn.dll" Cpccnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcdnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahbcda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afaieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjhofa32.dll" Begegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmdehgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmehii32.dll" Jnogakma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocedieek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eloimcca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khonbhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdpfiekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idncdgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beojma32.dll" Jpjndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkmalkj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhnknmi.dll" Qcgkeonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhglpqeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjaac32.dll" Haoggh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnbhpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidjce32.dll" Kqaigijk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdldmokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebnbaljb.dll" Pafacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjndif32.dll" Iiiogoac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffhqa32.dll" Cleaebna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ondciqan.dll" Fnglekch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elbnkhbd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlfmoidh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olncfi32.dll" Gfqmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abnmae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joafii32.dll" Aiioanpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jchjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeegdc32.dll" Kkjeedio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckjqog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnfmdnb.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2300 wrote to memory of 780 2300 3c44be5b54afc17efccbc039274cb430N.exe 29 PID 2300 wrote to memory of 780 2300 3c44be5b54afc17efccbc039274cb430N.exe 29 PID 2300 wrote to memory of 780 2300 3c44be5b54afc17efccbc039274cb430N.exe 29 PID 2300 wrote to memory of 780 2300 3c44be5b54afc17efccbc039274cb430N.exe 29 PID 780 wrote to memory of 2264 780 Kkpekjie.exe 30 PID 780 wrote to memory of 2264 780 Kkpekjie.exe 30 PID 780 wrote to memory of 2264 780 Kkpekjie.exe 30 PID 780 wrote to memory of 2264 780 Kkpekjie.exe 30 PID 2264 wrote to memory of 2752 2264 Knnagehi.exe 31 PID 2264 wrote to memory of 2752 2264 Knnagehi.exe 31 PID 2264 wrote to memory of 2752 2264 Knnagehi.exe 31 PID 2264 wrote to memory of 2752 2264 Knnagehi.exe 31 PID 2752 wrote to memory of 2196 2752 Kgffpk32.exe 32 PID 2752 wrote to memory of 2196 2752 Kgffpk32.exe 32 PID 2752 wrote to memory of 2196 2752 Kgffpk32.exe 32 PID 2752 wrote to memory of 2196 2752 Kgffpk32.exe 32 PID 2196 wrote to memory of 2896 2196 Kjeblf32.exe 33 PID 2196 wrote to memory of 2896 2196 Kjeblf32.exe 33 PID 2196 wrote to memory of 2896 2196 Kjeblf32.exe 33 PID 2196 wrote to memory of 2896 2196 Kjeblf32.exe 33 PID 2896 wrote to memory of 2620 2896 Kcmfeldm.exe 34 PID 2896 wrote to memory of 2620 2896 Kcmfeldm.exe 34 PID 2896 wrote to memory of 2620 2896 Kcmfeldm.exe 34 PID 2896 wrote to memory of 2620 2896 Kcmfeldm.exe 34 PID 2620 wrote to memory of 1648 2620 Kjgoaflj.exe 35 PID 2620 wrote to memory of 1648 2620 Kjgoaflj.exe 35 PID 2620 wrote to memory of 1648 2620 Kjgoaflj.exe 35 PID 2620 wrote to memory of 1648 2620 Kjgoaflj.exe 35 PID 1648 wrote to memory of 976 1648 Kaagnp32.exe 36 PID 1648 wrote to memory of 976 1648 Kaagnp32.exe 36 PID 1648 wrote to memory of 976 1648 Kaagnp32.exe 36 PID 1648 wrote to memory of 976 1648 Kaagnp32.exe 36 PID 976 wrote to memory of 2660 976 Kgkokjjd.exe 37 PID 976 wrote to memory of 2660 976 Kgkokjjd.exe 37 PID 976 wrote to memory of 2660 976 Kgkokjjd.exe 37 PID 976 wrote to memory of 2660 976 Kgkokjjd.exe 37 PID 2660 wrote to memory of 1448 2660 Lmhhcaik.exe 38 PID 2660 wrote to memory of 1448 2660 Lmhhcaik.exe 38 PID 2660 wrote to memory of 1448 2660 Lmhhcaik.exe 38 PID 2660 wrote to memory of 1448 2660 Lmhhcaik.exe 38 PID 1448 wrote to memory of 2028 1448 Lcbppk32.exe 39 PID 1448 wrote to memory of 2028 1448 Lcbppk32.exe 39 PID 1448 wrote to memory of 2028 1448 Lcbppk32.exe 39 PID 1448 wrote to memory of 2028 1448 Lcbppk32.exe 39 PID 2028 wrote to memory of 2868 2028 Liohhbno.exe 40 PID 2028 wrote to memory of 2868 2028 Liohhbno.exe 40 PID 2028 wrote to memory of 2868 2028 Liohhbno.exe 40 PID 2028 wrote to memory of 2868 2028 Liohhbno.exe 40 PID 2868 wrote to memory of 2432 2868 Lafpipoa.exe 41 PID 2868 wrote to memory of 2432 2868 Lafpipoa.exe 41 PID 2868 wrote to memory of 2432 2868 Lafpipoa.exe 41 PID 2868 wrote to memory of 2432 2868 Lafpipoa.exe 41 PID 2432 wrote to memory of 376 2432 Lbgmah32.exe 42 PID 2432 wrote to memory of 376 2432 Lbgmah32.exe 42 PID 2432 wrote to memory of 376 2432 Lbgmah32.exe 42 PID 2432 wrote to memory of 376 2432 Lbgmah32.exe 42 PID 376 wrote to memory of 2484 376 Ljnebe32.exe 43 PID 376 wrote to memory of 2484 376 Ljnebe32.exe 43 PID 376 wrote to memory of 2484 376 Ljnebe32.exe 43 PID 376 wrote to memory of 2484 376 Ljnebe32.exe 43 PID 2484 wrote to memory of 1208 2484 Lpkmkl32.exe 44 PID 2484 wrote to memory of 1208 2484 Lpkmkl32.exe 44 PID 2484 wrote to memory of 1208 2484 Lpkmkl32.exe 44 PID 2484 wrote to memory of 1208 2484 Lpkmkl32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c44be5b54afc17efccbc039274cb430N.exe"C:\Users\Admin\AppData\Local\Temp\3c44be5b54afc17efccbc039274cb430N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Knnagehi.exeC:\Windows\system32\Knnagehi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Kgffpk32.exeC:\Windows\system32\Kgffpk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Kjeblf32.exeC:\Windows\system32\Kjeblf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Kcmfeldm.exeC:\Windows\system32\Kcmfeldm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Kjgoaflj.exeC:\Windows\system32\Kjgoaflj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Kaagnp32.exeC:\Windows\system32\Kaagnp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Kgkokjjd.exeC:\Windows\system32\Kgkokjjd.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Lmhhcaik.exeC:\Windows\system32\Lmhhcaik.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Lcbppk32.exeC:\Windows\system32\Lcbppk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Lafpipoa.exeC:\Windows\system32\Lafpipoa.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Lbgmah32.exeC:\Windows\system32\Lbgmah32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Ljnebe32.exeC:\Windows\system32\Ljnebe32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Lpkmkl32.exeC:\Windows\system32\Lpkmkl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Lbijgg32.exeC:\Windows\system32\Lbijgg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Licbca32.exeC:\Windows\system32\Licbca32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Lmondpbc.exeC:\Windows\system32\Lmondpbc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Lopjlh32.exeC:\Windows\system32\Lopjlh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Lhiodnob.exeC:\Windows\system32\Lhiodnob.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Memonbnl.exeC:\Windows\system32\Memonbnl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1896 -
C:\Windows\SysWOW64\Mlfgkleh.exeC:\Windows\system32\Mlfgkleh.exe26⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Macpcccp.exeC:\Windows\system32\Macpcccp.exe27⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Meolcb32.exeC:\Windows\system32\Meolcb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Mlidplcf.exeC:\Windows\system32\Mlidplcf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\Mogqlgbi.exeC:\Windows\system32\Mogqlgbi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Mddidnqa.exeC:\Windows\system32\Mddidnqa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Mojmbg32.exeC:\Windows\system32\Mojmbg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Mmlmmdga.exeC:\Windows\system32\Mmlmmdga.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Mhbakmgg.exeC:\Windows\system32\Mhbakmgg.exe34⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Mkqnghfk.exeC:\Windows\system32\Mkqnghfk.exe35⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe36⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Mpmfoodb.exeC:\Windows\system32\Mpmfoodb.exe37⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Mkcjlhdh.exeC:\Windows\system32\Mkcjlhdh.exe38⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Nldgdpjf.exeC:\Windows\system32\Nldgdpjf.exe39⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Nppceo32.exeC:\Windows\system32\Nppceo32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Nelkme32.exeC:\Windows\system32\Nelkme32.exe41⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Nmccnc32.exeC:\Windows\system32\Nmccnc32.exe42⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Noepfkgh.exeC:\Windows\system32\Noepfkgh.exe43⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Nglhghgj.exeC:\Windows\system32\Nglhghgj.exe44⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Nogmkk32.exeC:\Windows\system32\Nogmkk32.exe45⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Nimaic32.exeC:\Windows\system32\Nimaic32.exe46⤵
- Executes dropped EXE
PID:476 -
C:\Windows\SysWOW64\Nlkmeo32.exeC:\Windows\system32\Nlkmeo32.exe47⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Nceeaikk.exeC:\Windows\system32\Nceeaikk.exe48⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Ndfbia32.exeC:\Windows\system32\Ndfbia32.exe49⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Nhbnjpic.exeC:\Windows\system32\Nhbnjpic.exe50⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Nkpjfkhf.exeC:\Windows\system32\Nkpjfkhf.exe51⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Nolffjap.exeC:\Windows\system32\Nolffjap.exe52⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Nnofbg32.exeC:\Windows\system32\Nnofbg32.exe53⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Nefncd32.exeC:\Windows\system32\Nefncd32.exe54⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe55⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Ooncljom.exeC:\Windows\system32\Ooncljom.exe56⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Oamohenq.exeC:\Windows\system32\Oamohenq.exe57⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Opoocb32.exeC:\Windows\system32\Opoocb32.exe58⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ohfgeo32.exeC:\Windows\system32\Ohfgeo32.exe59⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Ogigpllh.exeC:\Windows\system32\Ogigpllh.exe60⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Ojhdmgkl.exeC:\Windows\system32\Ojhdmgkl.exe61⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Oncpmf32.exeC:\Windows\system32\Oncpmf32.exe62⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Odmhjp32.exeC:\Windows\system32\Odmhjp32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Ogldfl32.exeC:\Windows\system32\Ogldfl32.exe64⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Okgpfjbo.exeC:\Windows\system32\Okgpfjbo.exe65⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Olhmnb32.exeC:\Windows\system32\Olhmnb32.exe66⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Odpeop32.exeC:\Windows\system32\Odpeop32.exe67⤵PID:1060
-
C:\Windows\SysWOW64\Ognakk32.exeC:\Windows\system32\Ognakk32.exe68⤵PID:2540
-
C:\Windows\SysWOW64\Ojlmgg32.exeC:\Windows\system32\Ojlmgg32.exe69⤵PID:2060
-
C:\Windows\SysWOW64\Oqfeda32.exeC:\Windows\system32\Oqfeda32.exe70⤵PID:1580
-
C:\Windows\SysWOW64\Ooiepnen.exeC:\Windows\system32\Ooiepnen.exe71⤵PID:2776
-
C:\Windows\SysWOW64\Ofcnmh32.exeC:\Windows\system32\Ofcnmh32.exe72⤵PID:2724
-
C:\Windows\SysWOW64\Ojojmfed.exeC:\Windows\system32\Ojojmfed.exe73⤵PID:2604
-
C:\Windows\SysWOW64\Ommfibdg.exeC:\Windows\system32\Ommfibdg.exe74⤵PID:2596
-
C:\Windows\SysWOW64\Pcgnfl32.exeC:\Windows\system32\Pcgnfl32.exe75⤵PID:1960
-
C:\Windows\SysWOW64\Pfekbg32.exeC:\Windows\system32\Pfekbg32.exe76⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Pjafbfca.exeC:\Windows\system32\Pjafbfca.exe77⤵PID:1260
-
C:\Windows\SysWOW64\Pmpcoabe.exeC:\Windows\system32\Pmpcoabe.exe78⤵PID:2652
-
C:\Windows\SysWOW64\Ponokmah.exeC:\Windows\system32\Ponokmah.exe79⤵PID:3004
-
C:\Windows\SysWOW64\Pcikllja.exeC:\Windows\system32\Pcikllja.exe80⤵PID:1076
-
C:\Windows\SysWOW64\Pdkgcd32.exeC:\Windows\system32\Pdkgcd32.exe81⤵PID:1928
-
C:\Windows\SysWOW64\Pifcdbhi.exeC:\Windows\system32\Pifcdbhi.exe82⤵PID:2248
-
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe83⤵PID:1940
-
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe84⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Piipibff.exeC:\Windows\system32\Piipibff.exe85⤵PID:1032
-
C:\Windows\SysWOW64\Pkglenej.exeC:\Windows\system32\Pkglenej.exe86⤵PID:2492
-
C:\Windows\SysWOW64\Pbaebh32.exeC:\Windows\system32\Pbaebh32.exe87⤵PID:2672
-
C:\Windows\SysWOW64\Pqdend32.exeC:\Windows\system32\Pqdend32.exe88⤵PID:2812
-
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe89⤵PID:2736
-
C:\Windows\SysWOW64\Pjlifjjb.exeC:\Windows\system32\Pjlifjjb.exe90⤵PID:3036
-
C:\Windows\SysWOW64\Pbcahgjd.exeC:\Windows\system32\Pbcahgjd.exe91⤵PID:1568
-
C:\Windows\SysWOW64\Pafacd32.exeC:\Windows\system32\Pafacd32.exe92⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Pcdnpp32.exeC:\Windows\system32\Pcdnpp32.exe93⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Qjofljho.exeC:\Windows\system32\Qjofljho.exe94⤵PID:3044
-
C:\Windows\SysWOW64\Qnjbmh32.exeC:\Windows\system32\Qnjbmh32.exe95⤵PID:1536
-
C:\Windows\SysWOW64\Qmmbhegc.exeC:\Windows\system32\Qmmbhegc.exe96⤵PID:616
-
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe97⤵PID:1044
-
C:\Windows\SysWOW64\Qcgkeonp.exeC:\Windows\system32\Qcgkeonp.exe98⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Qjacai32.exeC:\Windows\system32\Qjacai32.exe99⤵PID:1460
-
C:\Windows\SysWOW64\Qmoone32.exeC:\Windows\system32\Qmoone32.exe100⤵PID:868
-
C:\Windows\SysWOW64\Qpnkjq32.exeC:\Windows\system32\Qpnkjq32.exe101⤵PID:552
-
C:\Windows\SysWOW64\Qgeckn32.exeC:\Windows\system32\Qgeckn32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\Aifpcfjd.exeC:\Windows\system32\Aifpcfjd.exe104⤵PID:348
-
C:\Windows\SysWOW64\Aamhdckg.exeC:\Windows\system32\Aamhdckg.exe105⤵PID:2084
-
C:\Windows\SysWOW64\Abodlk32.exeC:\Windows\system32\Abodlk32.exe106⤵PID:1836
-
C:\Windows\SysWOW64\Afjplj32.exeC:\Windows\system32\Afjplj32.exe107⤵PID:3048
-
C:\Windows\SysWOW64\Aihmhe32.exeC:\Windows\system32\Aihmhe32.exe108⤵PID:920
-
C:\Windows\SysWOW64\Algida32.exeC:\Windows\system32\Algida32.exe109⤵PID:2152
-
C:\Windows\SysWOW64\Apbeeppo.exeC:\Windows\system32\Apbeeppo.exe110⤵
- Drops file in System32 directory
PID:744 -
C:\Windows\SysWOW64\Acnqen32.exeC:\Windows\system32\Acnqen32.exe111⤵PID:1900
-
C:\Windows\SysWOW64\Abaaakob.exeC:\Windows\system32\Abaaakob.exe112⤵PID:352
-
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe113⤵PID:1112
-
C:\Windows\SysWOW64\Amfeodoh.exeC:\Windows\system32\Amfeodoh.exe114⤵PID:2796
-
C:\Windows\SysWOW64\Apeakonl.exeC:\Windows\system32\Apeakonl.exe115⤵PID:2732
-
C:\Windows\SysWOW64\Aeajcf32.exeC:\Windows\system32\Aeajcf32.exe116⤵PID:2424
-
C:\Windows\SysWOW64\Ahpfoa32.exeC:\Windows\system32\Ahpfoa32.exe117⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Allbpqcp.exeC:\Windows\system32\Allbpqcp.exe118⤵PID:2460
-
C:\Windows\SysWOW64\Anjnllbd.exeC:\Windows\system32\Anjnllbd.exe119⤵PID:2936
-
C:\Windows\SysWOW64\Aahkhgag.exeC:\Windows\system32\Aahkhgag.exe120⤵PID:1884
-
C:\Windows\SysWOW64\Aedghf32.exeC:\Windows\system32\Aedghf32.exe121⤵PID:2052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-