Analysis

max time kernel: 116s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/09/2024, 22:03

Static task: static1
Behavioral task: behavioral1
Sample: d6f2948148f80c2baf3cdc75b22f74b0N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d6f2948148f80c2baf3cdc75b22f74b0N.exe
Resource: win10v2004-20240802-en

General

Target: d6f2948148f80c2baf3cdc75b22f74b0N.exe
Size: 128KB
MD5: d6f2948148f80c2baf3cdc75b22f74b0
SHA1: c7aa4ce35cdf91bb677ad04ad1687445b4f76397
SHA256: ba0875743307793dd306f0e964b0332b91b39d8ce6d188118cf7b0082af7eec3
SHA512: 86c95a39a851ce73979c1c926cdc7bea4d2e08846b8bd51701162a14e6847e82239e8db08b3f731e397717370106986794c23e8ddc9183a84e1ef6bc4513440f
SSDEEP: 3072:jHcBmHDHRpm7jiAeZQItxFU6UK7q4+5DbGTO6GQd3JSZO5b:jHdHLRpaubOIXe6UK+42GTQMJSZO5b
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4328, pid_target: 2716, Process: WerFault.exe, procid_target: 551
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6f2948148f80c2baf3cdc75b22f74b0N.exe"C:\Users\Admin\AppData\Local\Temp\d6f2948148f80c2baf3cdc75b22f74b0N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Aekgfdpj.exeC:\Windows\system32\Aekgfdpj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Abogpiod.exeC:\Windows\system32\Abogpiod.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Aofhejdh.exeC:\Windows\system32\Aofhejdh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Aepqac32.exeC:\Windows\system32\Aepqac32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Bllednao.exeC:\Windows\system32\Bllednao.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Bnnblfgm.exeC:\Windows\system32\Bnnblfgm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Bomneh32.exeC:\Windows\system32\Bomneh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Bhecnndq.exeC:\Windows\system32\Bhecnndq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Bnbkgech.exeC:\Windows\system32\Bnbkgech.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Cfbifgln.exeC:\Windows\system32\Cfbifgln.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Cbijkh32.exeC:\Windows\system32\Cbijkh32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Comkdl32.exeC:\Windows\system32\Comkdl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Clqknppe.exeC:\Windows\system32\Clqknppe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Cdlpbbmp.exeC:\Windows\system32\Cdlpbbmp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Dkhedlbj.exeC:\Windows\system32\Dkhedlbj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Djnafi32.exeC:\Windows\system32\Djnafi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Dcffonnc.exeC:\Windows\system32\Dcffonnc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Domgcocg.exeC:\Windows\system32\Domgcocg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Djbkahcm.exeC:\Windows\system32\Djbkahcm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Dcjpjn32.exeC:\Windows\system32\Dcjpjn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Ecmlomgk.exeC:\Windows\system32\Ecmlomgk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Eenige32.exeC:\Windows\system32\Eenige32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316 -
C:\Windows\SysWOW64\Elhacpef.exeC:\Windows\system32\Elhacpef.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\Eilamd32.exeC:\Windows\system32\Eilamd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:680 -
C:\Windows\SysWOW64\Elmjoo32.exeC:\Windows\system32\Elmjoo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Eeeogdga.exeC:\Windows\system32\Eeeogdga.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:660 -
C:\Windows\SysWOW64\Fcjliali.exeC:\Windows\system32\Fcjliali.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Fmbpaf32.exeC:\Windows\system32\Fmbpaf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Fhhdoo32.exeC:\Windows\system32\Fhhdoo32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Faqihe32.exeC:\Windows\system32\Faqihe32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Fjinqjpq.exeC:\Windows\system32\Fjinqjpq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Fbfojl32.exeC:\Windows\system32\Fbfojl32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Gicdmfpc.exeC:\Windows\system32\Gicdmfpc.exe34⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Gejdagfg.exeC:\Windows\system32\Gejdagfg.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Gmeificb.exeC:\Windows\system32\Gmeificb.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Gkkfem32.exeC:\Windows\system32\Gkkfem32.exe37⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Gphomd32.exeC:\Windows\system32\Gphomd32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Hpmhhcjk.exeC:\Windows\system32\Hpmhhcjk.exe39⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Heiaqjhc.exeC:\Windows\system32\Heiaqjhc.exe40⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Idedbf32.exeC:\Windows\system32\Idedbf32.exe41⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Iqldgg32.exeC:\Windows\system32\Iqldgg32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Ifljem32.exeC:\Windows\system32\Ifljem32.exe43⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Icpjoahe.exeC:\Windows\system32\Icpjoahe.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Jofkcb32.exeC:\Windows\system32\Jofkcb32.exe45⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Jioplhdj.exeC:\Windows\system32\Jioplhdj.exe46⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Jbgdenjj.exeC:\Windows\system32\Jbgdenjj.exe47⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Jmmhbfjq.exeC:\Windows\system32\Jmmhbfjq.exe48⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Jicigg32.exeC:\Windows\system32\Jicigg32.exe49⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Jomadaga.exeC:\Windows\system32\Jomadaga.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Jifemgnb.exeC:\Windows\system32\Jifemgnb.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Jbnjfm32.exeC:\Windows\system32\Jbnjfm32.exe52⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Kcofnejq.exeC:\Windows\system32\Kcofnejq.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Kmhkfj32.exeC:\Windows\system32\Kmhkfj32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Kmjhljoo.exeC:\Windows\system32\Kmjhljoo.exe55⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Kfblep32.exeC:\Windows\system32\Kfblep32.exe56⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Kahqbh32.exeC:\Windows\system32\Kahqbh32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Kfeijocl.exeC:\Windows\system32\Kfeijocl.exe58⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Kbljop32.exeC:\Windows\system32\Kbljop32.exe59⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Lppjid32.exeC:\Windows\system32\Lppjid32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Llfkne32.exeC:\Windows\system32\Llfkne32.exe61⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Lbpcjpek.exeC:\Windows\system32\Lbpcjpek.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Lpdcddde.exeC:\Windows\system32\Lpdcddde.exe63⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Limhmije.exeC:\Windows\system32\Limhmije.exe64⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Lbemeo32.exeC:\Windows\system32\Lbemeo32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Ldfimggd.exeC:\Windows\system32\Ldfimggd.exe66⤵PID:944
-
C:\Windows\SysWOW64\Lmomfm32.exeC:\Windows\system32\Lmomfm32.exe67⤵PID:1724
-
C:\Windows\SysWOW64\Mhdace32.exeC:\Windows\system32\Mhdace32.exe68⤵PID:784
-
C:\Windows\SysWOW64\Malflk32.exeC:\Windows\system32\Malflk32.exe69⤵PID:2212
-
C:\Windows\SysWOW64\Mgiodb32.exeC:\Windows\system32\Mgiodb32.exe70⤵
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\Mpacmghc.exeC:\Windows\system32\Mpacmghc.exe71⤵PID:1772
-
C:\Windows\SysWOW64\Mijgfmoc.exeC:\Windows\system32\Mijgfmoc.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Mdplcfoi.exeC:\Windows\system32\Mdplcfoi.exe73⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Mmhplk32.exeC:\Windows\system32\Mmhplk32.exe74⤵PID:1620
-
C:\Windows\SysWOW64\Mceidb32.exeC:\Windows\system32\Mceidb32.exe75⤵PID:2756
-
C:\Windows\SysWOW64\Ncgejbao.exeC:\Windows\system32\Ncgejbao.exe76⤵PID:1516
-
C:\Windows\SysWOW64\Nlojcg32.exeC:\Windows\system32\Nlojcg32.exe77⤵PID:1756
-
C:\Windows\SysWOW64\Ncibpaol.exeC:\Windows\system32\Ncibpaol.exe78⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Ndkogj32.exeC:\Windows\system32\Ndkogj32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Nopcdbep.exeC:\Windows\system32\Nopcdbep.exe80⤵PID:604
-
C:\Windows\SysWOW64\Nhhgmh32.exeC:\Windows\system32\Nhhgmh32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Nobpjbcn.exeC:\Windows\system32\Nobpjbcn.exe82⤵PID:972
-
C:\Windows\SysWOW64\Njlqkpol.exeC:\Windows\system32\Njlqkpol.exe83⤵
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Ndaehi32.exeC:\Windows\system32\Ndaehi32.exe84⤵PID:1056
-
C:\Windows\SysWOW64\Ojompp32.exeC:\Windows\system32\Ojompp32.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Oddanh32.exeC:\Windows\system32\Oddanh32.exe86⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Omofbk32.exeC:\Windows\system32\Omofbk32.exe87⤵PID:2544
-
C:\Windows\SysWOW64\Ogejocjq.exeC:\Windows\system32\Ogejocjq.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Oclkdd32.exeC:\Windows\system32\Oclkdd32.exe89⤵PID:1524
-
C:\Windows\SysWOW64\Ojecaoga.exeC:\Windows\system32\Ojecaoga.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Ocnhjdnb.exeC:\Windows\system32\Ocnhjdnb.exe91⤵
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Ododal32.exeC:\Windows\system32\Ododal32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Oodioe32.exeC:\Windows\system32\Oodioe32.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Peaagl32.exeC:\Windows\system32\Peaagl32.exe94⤵PID:2772
-
C:\Windows\SysWOW64\Pkkicfik.exeC:\Windows\system32\Pkkicfik.exe95⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Pqhblm32.exeC:\Windows\system32\Pqhblm32.exe96⤵PID:2372
-
C:\Windows\SysWOW64\Pknfif32.exeC:\Windows\system32\Pknfif32.exe97⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Pefjbknh.exeC:\Windows\system32\Pefjbknh.exe98⤵PID:1520
-
C:\Windows\SysWOW64\Pnooka32.exeC:\Windows\system32\Pnooka32.exe99⤵PID:1444
-
C:\Windows\SysWOW64\Pggcdf32.exeC:\Windows\system32\Pggcdf32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:744 -
C:\Windows\SysWOW64\Pnalqqbf.exeC:\Windows\system32\Pnalqqbf.exe101⤵PID:2324
-
C:\Windows\SysWOW64\Pcndigpn.exeC:\Windows\system32\Pcndigpn.exe102⤵PID:2732
-
C:\Windows\SysWOW64\Pjhlea32.exeC:\Windows\system32\Pjhlea32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236 -
C:\Windows\SysWOW64\Qcpang32.exeC:\Windows\system32\Qcpang32.exe104⤵PID:2256
-
C:\Windows\SysWOW64\Qimifn32.exeC:\Windows\system32\Qimifn32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Qpgachdo.exeC:\Windows\system32\Qpgachdo.exe106⤵
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Aiofln32.exeC:\Windows\system32\Aiofln32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Anlodd32.exeC:\Windows\system32\Anlodd32.exe108⤵PID:848
-
C:\Windows\SysWOW64\Admqhk32.exeC:\Windows\system32\Admqhk32.exe109⤵PID:1320
-
C:\Windows\SysWOW64\Ajgidejf.exeC:\Windows\system32\Ajgidejf.exe110⤵
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Adpmmj32.exeC:\Windows\system32\Adpmmj32.exe111⤵PID:1376
-
C:\Windows\SysWOW64\Bfqfoeng.exeC:\Windows\system32\Bfqfoeng.exe112⤵
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Bmjnlp32.exeC:\Windows\system32\Bmjnlp32.exe113⤵
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Bddfhjma.exeC:\Windows\system32\Bddfhjma.exe114⤵PID:2208
-
C:\Windows\SysWOW64\Bkooed32.exeC:\Windows\system32\Bkooed32.exe115⤵PID:2684
-
C:\Windows\SysWOW64\Blpkmljl.exeC:\Windows\system32\Blpkmljl.exe116⤵PID:2896
-
C:\Windows\SysWOW64\Behpeaqm.exeC:\Windows\system32\Behpeaqm.exe117⤵
- System Location Discovery: System Language Discovery
PID:1204 -
C:\Windows\SysWOW64\Bejlkaoj.exeC:\Windows\system32\Bejlkaoj.exe118⤵PID:2600
-
C:\Windows\SysWOW64\Baampb32.exeC:\Windows\system32\Baampb32.exe119⤵PID:2780
-
C:\Windows\SysWOW64\Bhkeml32.exeC:\Windows\system32\Bhkeml32.exe120⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Ceoffq32.exeC:\Windows\system32\Ceoffq32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1220 -
C:\Windows\SysWOW64\Cklnog32.exeC:\Windows\system32\Cklnog32.exe122⤵
- Drops file in System32 directory
PID:2400