Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
14-09-2024 02:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe
-
Size
59KB
-
MD5
584a03bb6024c765a46723bfc920658b
-
SHA1
39ca9c420b6c33335f323c3176bf1868d4d16b46
-
SHA256
e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308
-
SHA512
f7bf6e87becb043abe9322188c8c53b8998de3f74a2eb33b12f58a697529cbf3692ee1d8b6e6e75c8f71bd352a399de50e6964b7e691c35078c2420fecca5c50
-
SSDEEP
768:xd+CCInW9OA7hoSWWz7BHhhSbBg1egtxsFNjZ/1H5W5nf1fZMEBFELvkVgFRo:bPCqQbhdBHnSbaeQsnUNCyVso
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqahqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agbpnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bimoloog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppnnai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpkbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nigafnck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajnpecbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akeijlfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbopmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helgmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgcmbcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojojl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affdle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbpbnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akabgebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecfldoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akabgebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Depbfhpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bejfao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dacpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkpahon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjihalag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaqbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnckjddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdgkco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aababceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfaopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfihkoal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anbkipok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgoime32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdmmalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abfnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klhemhpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnmpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oonldcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aggiigmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidfdofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadimacd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eniclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpogbgmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcpei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpjjeim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbdgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eclbcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imahkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdjccf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmcnqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoohekal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlafnbal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oklnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbdmeoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nadimacd.exe -
Executes dropped EXE 64 IoCs
pid Process 2356 Meffhnal.exe 2296 Mcifdj32.exe 2904 Mnojacgm.exe 2816 Mamgmofp.exe 2964 Mfjoeeeh.exe 2656 Mmdgbp32.exe 1732 Mcnpojca.exe 1844 Mjhhld32.exe 1256 Mabphn32.exe 2860 Mdpldi32.exe 1780 Mfoiqe32.exe 2680 Mjjdacik.exe 1228 Mlkail32.exe 2116 Mdbiji32.exe 844 Mfaefd32.exe 2232 Nlnnnk32.exe 836 Noljjglk.exe 1516 Nfcbldmm.exe 1592 Nianhplq.exe 396 Nlpkdkkd.exe 1536 Noogpfjh.exe 908 Nehomq32.exe 2084 Nidkmojn.exe 800 Noacef32.exe 2264 Naopaa32.exe 1576 Neklbppb.exe 2796 Nkhdkgnj.exe 2908 Nemhhpmp.exe 2980 Nhlddkmc.exe 2844 Nkjapglg.exe 2608 Nadimacd.exe 2244 Ohnaik32.exe 1808 Oklnff32.exe 1084 Oionacqo.exe 1036 Ocgbji32.exe 660 Oiakgcnl.exe 2572 Olpgconp.exe 764 Odgodl32.exe 1176 Ogekpg32.exe 1432 Oidglb32.exe 2072 Olbchn32.exe 2592 Opnpimdf.exe 952 Oghhfg32.exe 2332 Oifdbb32.exe 1400 Opplolac.exe 788 Ocohkh32.exe 2560 Oaaifdhb.exe 1628 Ohkaco32.exe 2464 Poeipifl.exe 2064 Pcaepg32.exe 2516 Peoalc32.exe 2260 Pkljdj32.exe 2884 Pohfehdi.exe 2764 Pafbadcm.exe 2748 Peanbblf.exe 2628 Pddnnp32.exe 1248 Phpjnnki.exe 1048 Pgckjk32.exe 1280 Pojbkh32.exe 2864 Pahogc32.exe 2580 Pdgkco32.exe 588 Phbgcnig.exe 1240 Pgegok32.exe 1372 Pkacpihj.exe -
Loads dropped DLL 64 IoCs
pid Process 2972 e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe 2972 e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe 2356 Meffhnal.exe 2356 Meffhnal.exe 2296 Mcifdj32.exe 2296 Mcifdj32.exe 2904 Mnojacgm.exe 2904 Mnojacgm.exe 2816 Mamgmofp.exe 2816 Mamgmofp.exe 2964 Mfjoeeeh.exe 2964 Mfjoeeeh.exe 2656 Mmdgbp32.exe 2656 Mmdgbp32.exe 1732 Mcnpojca.exe 1732 Mcnpojca.exe 1844 Mjhhld32.exe 1844 Mjhhld32.exe 1256 Mabphn32.exe 1256 Mabphn32.exe 2860 Mdpldi32.exe 2860 Mdpldi32.exe 1780 Mfoiqe32.exe 1780 Mfoiqe32.exe 2680 Mjjdacik.exe 2680 Mjjdacik.exe 1228 Mlkail32.exe 1228 Mlkail32.exe 2116 Mdbiji32.exe 2116 Mdbiji32.exe 844 Mfaefd32.exe 844 Mfaefd32.exe 2232 Nlnnnk32.exe 2232 Nlnnnk32.exe 836 Noljjglk.exe 836 Noljjglk.exe 1516 Nfcbldmm.exe 1516 Nfcbldmm.exe 1592 Nianhplq.exe 1592 Nianhplq.exe 396 Nlpkdkkd.exe 396 Nlpkdkkd.exe 1536 Noogpfjh.exe 1536 Noogpfjh.exe 908 Nehomq32.exe 908 Nehomq32.exe 2084 Nidkmojn.exe 2084 Nidkmojn.exe 800 Noacef32.exe 800 Noacef32.exe 2264 Naopaa32.exe 2264 Naopaa32.exe 1576 Neklbppb.exe 1576 Neklbppb.exe 2796 Nkhdkgnj.exe 2796 Nkhdkgnj.exe 2908 Nemhhpmp.exe 2908 Nemhhpmp.exe 2980 Nhlddkmc.exe 2980 Nhlddkmc.exe 2844 Nkjapglg.exe 2844 Nkjapglg.exe 2608 Nadimacd.exe 2608 Nadimacd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nfahomfd.exe Nbflno32.exe File created C:\Windows\SysWOW64\Mcifdj32.exe Meffhnal.exe File created C:\Windows\SysWOW64\Ljghjpfe.exe Lghlndfa.exe File opened for modification C:\Windows\SysWOW64\Fcphnm32.exe Fdmhbplb.exe File opened for modification C:\Windows\SysWOW64\Aopahjll.exe Amaelomh.exe File created C:\Windows\SysWOW64\Gigqol32.dll Lclicpkm.exe File created C:\Windows\SysWOW64\Gggpgo32.dll Agjobffl.exe File created C:\Windows\SysWOW64\Dicnkdnf.exe Dpkibo32.exe File created C:\Windows\SysWOW64\Ffjaickl.dll Elfcbo32.exe File created C:\Windows\SysWOW64\Eknmhk32.exe Elkmmodo.exe File created C:\Windows\SysWOW64\Iocnkj32.dll Mnmpdlac.exe File created C:\Windows\SysWOW64\Onffhdlh.dll Pecgea32.exe File created C:\Windows\SysWOW64\Koaqcn32.exe Klbdgb32.exe File created C:\Windows\SysWOW64\Meffhnal.exe e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe File opened for modification C:\Windows\SysWOW64\Iipiljgf.exe Ijmipn32.exe File opened for modification C:\Windows\SysWOW64\Klehgh32.exe Knbhlkkc.exe File created C:\Windows\SysWOW64\Jmiacp32.dll Mdiefffn.exe File created C:\Windows\SysWOW64\Gpihdl32.dll Lcofio32.exe File created C:\Windows\SysWOW64\Eibkmp32.dll Pghfnc32.exe File opened for modification C:\Windows\SysWOW64\Apedah32.exe Alihaioe.exe File created C:\Windows\SysWOW64\Kkdonaop.dll Pkljdj32.exe File opened for modification C:\Windows\SysWOW64\Fcmben32.exe Foafdoag.exe File created C:\Windows\SysWOW64\Doecog32.exe Dlfgcl32.exe File opened for modification C:\Windows\SysWOW64\Pojbkh32.exe Pgckjk32.exe File created C:\Windows\SysWOW64\Qifmdk32.dll Pahogc32.exe File created C:\Windows\SysWOW64\Agngji32.dll Kpcqnf32.exe File opened for modification C:\Windows\SysWOW64\Lgmeid32.exe Lcaiiejc.exe File created C:\Windows\SysWOW64\Hofpgamj.dll Ihniaa32.exe File opened for modification C:\Windows\SysWOW64\Aojabdlf.exe Apgagg32.exe File created C:\Windows\SysWOW64\Fdakoaln.dll Pgfjhcge.exe File created C:\Windows\SysWOW64\Hopjqipp.dll Ohfqmi32.exe File opened for modification C:\Windows\SysWOW64\Mnaiol32.exe Mjfnomde.exe File created C:\Windows\SysWOW64\Akafaiao.dll Nenkqi32.exe File created C:\Windows\SysWOW64\Aldhcb32.dll Qlgkki32.exe File created C:\Windows\SysWOW64\Nbhbjgmd.dll Aboaff32.exe File created C:\Windows\SysWOW64\Cedpbd32.exe Caidaeak.exe File created C:\Windows\SysWOW64\Pbbldf32.dll Elnqmd32.exe File created C:\Windows\SysWOW64\Phmaeh32.dll Nigafnck.exe File opened for modification C:\Windows\SysWOW64\Mdiefffn.exe Mmbmeifk.exe File created C:\Windows\SysWOW64\Fnndbd32.dll Fdnolfon.exe File opened for modification C:\Windows\SysWOW64\Nigafnck.exe Njdqka32.exe File created C:\Windows\SysWOW64\Qobbofgn.exe Pldebkhj.exe File created C:\Windows\SysWOW64\Djidckbd.dll Elkmmodo.exe File created C:\Windows\SysWOW64\Fdkehipd.dll Fcbecl32.exe File opened for modification C:\Windows\SysWOW64\Ldjpbign.exe Lqncaj32.exe File opened for modification C:\Windows\SysWOW64\Agolnbok.exe Accqnc32.exe File created C:\Windows\SysWOW64\Degiggjm.exe Dakmfh32.exe File created C:\Windows\SysWOW64\Maefamlh.exe Mjkndb32.exe File created C:\Windows\SysWOW64\Cmpgpond.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lnpgeopa.exe Lomgjb32.exe File created C:\Windows\SysWOW64\Ahgofi32.exe Adlcfjgh.exe File created C:\Windows\SysWOW64\Jjplgd32.dll Ihmpobck.exe File opened for modification C:\Windows\SysWOW64\Mmbmeifk.exe Mnomjl32.exe File created C:\Windows\SysWOW64\Coacbfii.exe Process not Found File created C:\Windows\SysWOW64\Epecbd32.exe Eabcggll.exe File opened for modification C:\Windows\SysWOW64\Ejloak32.dll Jmhnkfpa.exe File opened for modification C:\Windows\SysWOW64\Qogbdl32.exe Qqdbiopj.exe File created C:\Windows\SysWOW64\Dddimn32.exe Dafmqb32.exe File opened for modification C:\Windows\SysWOW64\Gmmfaa32.exe Gjojef32.exe File opened for modification C:\Windows\SysWOW64\Klhemhpk.exe Kjihalag.exe File opened for modification C:\Windows\SysWOW64\Ajmfad32.exe Abfnpg32.exe File opened for modification C:\Windows\SysWOW64\Fofpoo32.exe Fkjdopeh.exe File opened for modification C:\Windows\SysWOW64\Findhdcb.exe Fqglggcp.exe File created C:\Windows\SysWOW64\Hbiaemkk.exe Hpjeialg.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dcllbhdn.¿xe Process not Found File opened for modification C:\Windows\system32†Dcllbhdn.¿xe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 9652 10020 Process not Found 1086 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqkbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfioia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgqcjlhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdjklek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbgckgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkgjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpqnhadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjlheehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigkel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcppidk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idicbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Helgmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egikjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjona32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbdodnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegabegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhnjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjcomcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqbecp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acekjjmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncldi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfkapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnofjfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabdql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maefamlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmfchei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjlli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mamgmofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmdmmalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnmgdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqncaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddimn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjlhcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnocpdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpogbgmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqpecma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpcgace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgodl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodkci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joiappkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbojpna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pphkbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noogpfjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Affdle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njdqka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmagpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejopecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieajkfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjoeeeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldllgiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giipab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oippjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhdacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjcme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqglggcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmipn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cljodo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmjlhfof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diibag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kohnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgogp32.dll" Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdlca32.dll" Objaha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdebnpa.dll" Ogekpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfcijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnfkge32.dll" Aoohekal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmfgfng.dll" Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjllk32.dll" Ciaefa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pleofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll" Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekhkjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckada32.dll" Knnkpobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiahmmdf.dll" Kbdmeoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbnljqic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngafd32.dll" Fjlmpfhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opnpimdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnojacgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foafdoag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bajqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkijnbae.dll" Mfjoeeeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nianhplq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqnbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcelfiph.dll" Mgjnhaco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nibqqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppkhhjei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqdefddb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjallg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifoqjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeckfndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decfggnn.dll" Opqoge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enlidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfkpknkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmpacaf.dll" Eacljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpqain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jagnlkjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoolamp.dll" Nbniid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipiljgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgoopkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moancj32.dll" Ffmkfifa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liolokfg.dll" Oaqbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnadk32.dll" Lkfddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doempm32.dll" Klbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qiioon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfbbjpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njdqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfcijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlnklcej.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2356 2972 e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe 30 PID 2972 wrote to memory of 2356 2972 e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe 30 PID 2972 wrote to memory of 2356 2972 e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe 30 PID 2972 wrote to memory of 2356 2972 e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe 30 PID 2356 wrote to memory of 2296 2356 Meffhnal.exe 31 PID 2356 wrote to memory of 2296 2356 Meffhnal.exe 31 PID 2356 wrote to memory of 2296 2356 Meffhnal.exe 31 PID 2356 wrote to memory of 2296 2356 Meffhnal.exe 31 PID 2296 wrote to memory of 2904 2296 Mcifdj32.exe 32 PID 2296 wrote to memory of 2904 2296 Mcifdj32.exe 32 PID 2296 wrote to memory of 2904 2296 Mcifdj32.exe 32 PID 2296 wrote to memory of 2904 2296 Mcifdj32.exe 32 PID 2904 wrote to memory of 2816 2904 Mnojacgm.exe 33 PID 2904 wrote to memory of 2816 2904 Mnojacgm.exe 33 PID 2904 wrote to memory of 2816 2904 Mnojacgm.exe 33 PID 2904 wrote to memory of 2816 2904 Mnojacgm.exe 33 PID 2816 wrote to memory of 2964 2816 Mamgmofp.exe 34 PID 2816 wrote to memory of 2964 2816 Mamgmofp.exe 34 PID 2816 wrote to memory of 2964 2816 Mamgmofp.exe 34 PID 2816 wrote to memory of 2964 2816 Mamgmofp.exe 34 PID 2964 wrote to memory of 2656 2964 Mfjoeeeh.exe 35 PID 2964 wrote to memory of 2656 2964 Mfjoeeeh.exe 35 PID 2964 wrote to memory of 2656 2964 Mfjoeeeh.exe 35 PID 2964 wrote to memory of 2656 2964 Mfjoeeeh.exe 35 PID 2656 wrote to memory of 1732 2656 Mmdgbp32.exe 36 PID 2656 wrote to memory of 1732 2656 Mmdgbp32.exe 36 PID 2656 wrote to memory of 1732 2656 Mmdgbp32.exe 36 PID 2656 wrote to memory of 1732 2656 Mmdgbp32.exe 36 PID 1732 wrote to memory of 1844 1732 Mcnpojca.exe 37 PID 1732 wrote to memory of 1844 1732 Mcnpojca.exe 37 PID 1732 wrote to memory of 1844 1732 Mcnpojca.exe 37 PID 1732 wrote to memory of 1844 1732 Mcnpojca.exe 37 PID 1844 wrote to memory of 1256 1844 Mjhhld32.exe 38 PID 1844 wrote to memory of 1256 1844 Mjhhld32.exe 38 PID 1844 wrote to memory of 1256 1844 Mjhhld32.exe 38 PID 1844 wrote to memory of 1256 1844 Mjhhld32.exe 38 PID 1256 wrote to memory of 2860 1256 Mabphn32.exe 39 PID 1256 wrote to memory of 2860 1256 Mabphn32.exe 39 PID 1256 wrote to memory of 2860 1256 Mabphn32.exe 39 PID 1256 wrote to memory of 2860 1256 Mabphn32.exe 39 PID 2860 wrote to memory of 1780 2860 Mdpldi32.exe 40 PID 2860 wrote to memory of 1780 2860 Mdpldi32.exe 40 PID 2860 wrote to memory of 1780 2860 Mdpldi32.exe 40 PID 2860 wrote to memory of 1780 2860 Mdpldi32.exe 40 PID 1780 wrote to memory of 2680 1780 Mfoiqe32.exe 41 PID 1780 wrote to memory of 2680 1780 Mfoiqe32.exe 41 PID 1780 wrote to memory of 2680 1780 Mfoiqe32.exe 41 PID 1780 wrote to memory of 2680 1780 Mfoiqe32.exe 41 PID 2680 wrote to memory of 1228 2680 Mjjdacik.exe 42 PID 2680 wrote to memory of 1228 2680 Mjjdacik.exe 42 PID 2680 wrote to memory of 1228 2680 Mjjdacik.exe 42 PID 2680 wrote to memory of 1228 2680 Mjjdacik.exe 42 PID 1228 wrote to memory of 2116 1228 Mlkail32.exe 43 PID 1228 wrote to memory of 2116 1228 Mlkail32.exe 43 PID 1228 wrote to memory of 2116 1228 Mlkail32.exe 43 PID 1228 wrote to memory of 2116 1228 Mlkail32.exe 43 PID 2116 wrote to memory of 844 2116 Mdbiji32.exe 44 PID 2116 wrote to memory of 844 2116 Mdbiji32.exe 44 PID 2116 wrote to memory of 844 2116 Mdbiji32.exe 44 PID 2116 wrote to memory of 844 2116 Mdbiji32.exe 44 PID 844 wrote to memory of 2232 844 Mfaefd32.exe 45 PID 844 wrote to memory of 2232 844 Mfaefd32.exe 45 PID 844 wrote to memory of 2232 844 Mfaefd32.exe 45 PID 844 wrote to memory of 2232 844 Mfaefd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe"C:\Users\Admin\AppData\Local\Temp\e5625d0c212a882655b84eb0e302db7951d9723d69294d5bd14b59544d79f308.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:396 -
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe33⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe35⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe36⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe37⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe38⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:764 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe41⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe42⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe44⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe45⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe46⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe47⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe48⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe49⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe50⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe51⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe52⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe54⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe55⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe56⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe57⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe58⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe60⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe63⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe64⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe65⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe66⤵PID:2792
-
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe67⤵PID:1532
-
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe68⤵PID:2988
-
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe70⤵PID:3048
-
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe71⤵PID:1848
-
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe73⤵PID:2176
-
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe74⤵PID:2784
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe75⤵PID:2256
-
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe76⤵PID:1160
-
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe77⤵PID:2872
-
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe78⤵PID:352
-
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe80⤵PID:1144
-
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe81⤵PID:2220
-
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe82⤵PID:2492
-
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe83⤵PID:608
-
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe84⤵PID:1292
-
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe85⤵
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe86⤵PID:2484
-
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe88⤵PID:1856
-
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe89⤵PID:2900
-
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe90⤵PID:2612
-
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe92⤵
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe93⤵PID:1972
-
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe94⤵PID:2000
-
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe95⤵
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe96⤵PID:2180
-
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe97⤵PID:936
-
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe98⤵PID:1672
-
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe100⤵PID:2312
-
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe101⤵PID:2756
-
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe103⤵PID:1992
-
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe104⤵PID:2824
-
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe105⤵PID:1324
-
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe107⤵PID:3000
-
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe108⤵
- Drops file in System32 directory
PID:440 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1392 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe110⤵PID:2304
-
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe111⤵PID:804
-
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe112⤵PID:784
-
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe113⤵PID:2728
-
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe114⤵PID:2772
-
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe115⤵PID:1620
-
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe116⤵PID:672
-
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe117⤵PID:2424
-
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe118⤵PID:576
-
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe119⤵PID:760
-
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe120⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe121⤵PID:1740
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-