Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/09/2024, 20:04
Static task: static1
Behavioral task: behavioral1
  Sample: 331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78.exe
  Resource: win10v2004-20240802-en
General
Target: 331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78.exe
Size: 377KB
MD5: 5b76701b1e14e528a1dfb2d29f080e1a
SHA1: 78f8cd8704b6c11096e233d94864ea8fedee3b81
SHA256: 331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78
SHA512: 9a03fa17695e421cc46b70637595d79dc6fe11119c4faaded590f2bca9ebc45055d0f6fe93a88c24a6659024a05f64768822ef10a89fcea21457f49849d9a5bd
SSDEEP: 6144:C+PpwIR9FNaGSgnohijgAUv5fKx/SgnohignC5V:CmGmdMTv5i1dayV
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 1092  pid_target: 5620  Process: Process not Found  procid_target: 1176
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjllpopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjafkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daojqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kimncg32.dll" Ceiebg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eijfchlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhelbine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbglg32.dll" Hidhahof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdeigc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppcomb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjeopbbb.dll" Lcjajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimfieql.dll" Process not Found Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbpalfp.dll" Mbnpknef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khnljh32.dll" Eeakjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcoeopfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okloml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgcdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmceh32.dll" Lkamai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcamic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipjgd32.dll" Ineiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpigcbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Innhkknc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnbdaplc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgcnai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oloapmnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafjjk32.dll" Jfjpdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdmgnke.dll" Dciemfcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgneniep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqqboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nplapn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccegio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaahkeik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klbhhpmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biclfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfoiejdf.exe 
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikpnhi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkilf32.dll" Ipjcpi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkimdk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnapbbao.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhjonbcj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Himphp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knckkpbl.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdikaci.dll" Hbiefjfn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npopnfhn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agiebo32.dll" Jnnphadg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgcfib32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hagkicpe.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inhhhb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjlpapoc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffegk32.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnaijca.dll" Lojlnd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olofbloo.dll" Pcmcjcll.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhonej32.dll" Nqjcmj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elfcakep.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbbopal.dll" Ehjiiedj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmfda32.dll" Nnomimmo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bklblkdh.dll" Ccmccc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiedeoff.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peflmq32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
-
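The rows above are the in-process-server half of a COM autostart: the same CLSID is registered under Classes\Wow6432Node with a ThreadingModel of "Apartment", and its (Default) InProcServer32 value is rewritten by successive dropped stages to a different randomly named DLL in SysWow64 each time. The loader half is the "Adds autorun key to be loaded by Explorer.exe on startup" signature that several processes in the tree below trigger; that signature fires on the ShellServiceObjectDelayLoad key, whose values are CLSIDs that explorer.exe instantiates at logon, so the DLL named in InProcServer32 ends up loaded inside Explorer. The following Python is an added example, not part of the report or of any sandbox tooling: it parses rows in the "description / ioc / Process" shape shown above (the five sample rows are copied from the table; the row grammar is assumed from those rows) and reduces them to the hunting artefacts a responder wants, namely every DLL path the CLSID was pointed at and every process that wrote it.

```python
import re
from collections import defaultdict

# Sample rows copied from the registry table above (Triage's
# "description / ioc / Process" columns, one IoC per line). The DLL paths keep
# the report's doubled backslashes; parse_row() un-escapes them.
REGISTRY_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikpnhi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkilf32.dll" Ipjcpi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkimdk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knckkpbl.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdikaci.dll" Hbiefjfn.exe
"""

# Row grammar assumed from the rows above: "Key created <key> <process>" and
# 'Set value (<type>) <key>\<name> = "<data>" <process>'. A trailing backslash
# with no name is the key's (Default) value; <process> may be "Process not Found".
KEY_CREATED = re.compile(r"^Key created (\S+) (.+)$")
SET_VALUE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (.+)$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_row(row):
    """Turn one report row into a dict, or return None for rows in another shape."""
    row = row.strip()
    m = KEY_CREATED.match(row)
    if m:
        return {"op": "key_created", "key": m.group(1), "name": None,
                "data": None, "process": m.group(2)}
    m = SET_VALUE.match(row)
    if m:
        vtype, path, data, process = m.groups()
        key, _, name = path.rpartition("\\")   # trailing "\" means the (Default) value
        return {"op": "set_value", "type": vtype, "key": key,
                "name": name or "(Default)",
                "data": data.replace("\\\\", "\\"), "process": process}
    return None


def com_server_summary(text):
    """Group InProcServer32 activity by CLSID: every DLL the class was pointed
    at, the threading model written, and the processes that did the writing."""
    summary = defaultdict(lambda: {"dlls": set(), "threading": set(), "writers": set()})
    for row in text.strip().splitlines():
        rec = parse_row(row)
        if rec is None or not rec["key"].endswith("\\InProcServer32"):
            continue
        m = CLSID_RE.search(rec["key"])
        if not m:
            continue
        entry = summary[m.group(0)]
        entry["writers"].add(rec["process"])
        if rec["op"] == "set_value":
            if rec["name"] == "(Default)":
                entry["dlls"].add(rec["data"])
            elif rec["name"].lower() == "threadingmodel":
                entry["threading"].add(rec["data"])
    return dict(summary)


def rotating_servers(summary, min_distinct=2):
    """CLSIDs whose (Default) InProcServer32 value was rewritten to several
    different DLLs in one run: each dropped stage re-points the same class at
    its own freshly written DLL, which is the pattern worth hunting for."""
    return {clsid: sorted(e["dlls"]) for clsid, e in summary.items()
            if len(e["dlls"]) >= min_distinct}


if __name__ == "__main__":
    summary = com_server_summary(REGISTRY_ROWS)
    for clsid, dlls in rotating_servers(summary).items():
        print(clsid)
        for dll in dlls:
            print("   ", dll)
        print("    threading:", ", ".join(sorted(summary[clsid]["threading"])))
        print("    writers:  ", ", ".join(sorted(summary[clsid]["writers"])))
```

On a live host the same question is answered by reading HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 and checking whether the DLL it names exists in SysWOW64 and is signed; a class whose server DLL changes name from one stage to the next will not match a file allowlist, so the CLSID itself is the stable indicator to search for.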
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1140 wrote to memory of 2100 1140 331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78.exe 29
PID 1140 wrote to memory of 2100 1140 331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78.exe 29
PID 1140 wrote to memory of 2100 1140 331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78.exe 29
PID 1140 wrote to memory of 2100 1140 331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78.exe 29
PID 2100 wrote to memory of 2796 2100 Bjgoff32.exe 30
PID 2100 wrote to memory of 2796 2100 Bjgoff32.exe 30
PID 2100 wrote to memory of 2796 2100 Bjgoff32.exe 30
PID 2100 wrote to memory of 2796 2100 Bjgoff32.exe 30
PID 2796 wrote to memory of 2828 2796 Cfdflfjk.exe 31
PID 2796 wrote to memory of 2828 2796 Cfdflfjk.exe 31
PID 2796 wrote to memory of 2828 2796 Cfdflfjk.exe 31
PID 2796 wrote to memory of 2828 2796 Cfdflfjk.exe 31
PID 2828 wrote to memory of 2708 2828 Djkepi32.exe 32
PID 2828 wrote to memory of 2708 2828 Djkepi32.exe 32
PID 2828 wrote to memory of 2708 2828 Djkepi32.exe 32
PID 2828 wrote to memory of 2708 2828 Djkepi32.exe 32
PID 2708 wrote to memory of 2612 2708 Dkkajlph.exe 33
PID 2708 wrote to memory of 2612 2708 Dkkajlph.exe 33
PID 2708 wrote to memory of 2612 2708 Dkkajlph.exe 33
PID 2708 wrote to memory of 2612 2708 Dkkajlph.exe 33
PID 2612 wrote to memory of 2592 2612 Eenige32.exe 34
PID 2612 wrote to memory of 2592 2612 Eenige32.exe 34
PID 2612 wrote to memory of 2592 2612 Eenige32.exe 34
PID 2612 wrote to memory of 2592 2612 Eenige32.exe 34
PID 2592 wrote to memory of 3020 2592 Eeqele32.exe 35
PID 2592 wrote to memory of 3020 2592 Eeqele32.exe 35
PID 2592 wrote to memory of 3020 2592 Eeqele32.exe 35
PID 2592 wrote to memory of 3020 2592 Eeqele32.exe 35
PID 3020 wrote to memory of 1516 3020 Fpamnb32.exe 36
PID 3020 wrote to memory of 1516 3020 Fpamnb32.exe 36
PID 3020 wrote to memory of 1516 3020 Fpamnb32.exe 36
PID 3020 wrote to memory of 1516 3020 Fpamnb32.exe 36
PID 1516 wrote to memory of 2004 1516 Faqihe32.exe 37
PID 1516 wrote to memory of 2004 1516 Faqihe32.exe 37
PID 1516 wrote to memory of 2004 1516 Faqihe32.exe 37
PID 1516 wrote to memory of 2004 1516 Faqihe32.exe 37
PID 2004 wrote to memory of 3032 2004 Glapia32.exe 38
PID 2004 wrote to memory of 3032 2004 Glapia32.exe 38
PID 2004 wrote to memory of 3032 2004 Glapia32.exe 38
PID 2004 wrote to memory of 3032 2004 Glapia32.exe 38
PID 3032 wrote to memory of 2908 3032 Gkfmjndo.exe 39
PID 3032 wrote to memory of 2908 3032 Gkfmjndo.exe 39
PID 3032 wrote to memory of 2908 3032 Gkfmjndo.exe 39
PID 3032 wrote to memory of 2908 3032 Gkfmjndo.exe 39
PID 2908 wrote to memory of 1388 2908 Gdanhchm.exe 40
PID 2908 wrote to memory of 1388 2908 Gdanhchm.exe 40
PID 2908 wrote to memory of 1388 2908 Gdanhchm.exe 40
PID 2908 wrote to memory of 1388 2908 Gdanhchm.exe 40
PID 1388 wrote to memory of 1788 1388 Gcfkip32.exe 41
PID 1388 wrote to memory of 1788 1388 Gcfkip32.exe 41
PID 1388 wrote to memory of 1788 1388 Gcfkip32.exe 41
PID 1388 wrote to memory of 1788 1388 Gcfkip32.exe 41
PID 1788 wrote to memory of 2968 1788 Innhkknc.exe 42
PID 1788 wrote to memory of 2968 1788 Innhkknc.exe 42
PID 1788 wrote to memory of 2968 1788 Innhkknc.exe 42
PID 1788 wrote to memory of 2968 1788 Innhkknc.exe 42
PID 2968 wrote to memory of 2140 2968 Jeepaiin.exe 43
PID 2968 wrote to memory of 2140 2968 Jeepaiin.exe 43
PID 2968 wrote to memory of 2140 2968 Jeepaiin.exe 43
PID 2968 wrote to memory of 2140 2968 Jeepaiin.exe 43
PID 2140 wrote to memory of 2268 2140 Kjllpopk.exe 44
PID 2140 wrote to memory of 2268 2140 Kjllpopk.exe 44
PID 2140 wrote to memory of 2268 2140 Kjllpopk.exe 44
PID 2140 wrote to memory of 2268 2140 Kjllpopk.exe 44
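Read as a graph, the table above is a single unbranched chain: every writer writes into exactly one target, the target is the next freshly dropped executable, and no image appears twice, which is the daisy-chain behaviour the process tree below continues to a depth of 122. The Python below is an added example, not the sandbox's own logic: it parses rows in the "description / pid / Process / procid_target" shape (the sample rows are copied from the table, with the sandbox's repeats kept so the de-duplication is exercised; the row grammar is assumed from those rows), rebuilds the writer-to-target chain, and flags the pattern of a long chain of distinct images, which is a cheap triage check to run over any WriteProcessMemory log.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above, in the
# report's "description / pid / Process / procid_target" shape. The sandbox
# lists each write several times; the repeats are kept here on purpose so the
# de-duplication is exercised.
WPM_ROWS = """
PID 1140 wrote to memory of 2100 1140 331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78.exe 29
PID 1140 wrote to memory of 2100 1140 331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78.exe 29
PID 2100 wrote to memory of 2796 2100 Bjgoff32.exe 30
PID 2100 wrote to memory of 2796 2100 Bjgoff32.exe 30
PID 2796 wrote to memory of 2828 2796 Cfdflfjk.exe 31
PID 2828 wrote to memory of 2708 2828 Djkepi32.exe 32
"""

# Row grammar assumed from the rows above:
#   "PID <writer> wrote to memory of <target> <writer> <writer image> <target index>"
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_writes(text):
    """Return de-duplicated (writer_pid, target_pid, writer_image) edges, first-seen order."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        writer, target, pid_col, image, _target_index = m.groups()
        if writer != pid_col:
            raise ValueError(f"pid column disagrees with description: {line!r}")
        edge = (int(writer), int(target), image)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def linear_chain(edges):
    """If the writes form one unbranched writer->target chain, return its PIDs
    root first; return None on multiple roots, fan-out, or a cycle."""
    children, targets = defaultdict(set), set()
    for writer, target, _ in edges:
        children[writer].add(target)
        targets.add(target)
    roots = [w for w in children if w not in targets]
    if len(roots) != 1:
        return None
    chain, cur = [roots[0]], roots[0]
    while cur in children:
        kids = children[cur]
        if len(kids) != 1:
            return None                     # fan-out: not a simple chain
        cur = next(iter(kids))
        if cur in chain:
            return None                     # cycle guard
        chain.append(cur)
    return chain


def chain_report(text, min_depth=3):
    """Summarise the chain and flag the 'each stage writes into exactly one
    freshly dropped child' pattern: a single chain at least min_depth long in
    which every writer is a different image."""
    edges = parse_writes(text)
    chain = linear_chain(edges)
    image_of = {w: img for w, _, img in edges}
    images = [image_of.get(pid) for pid in chain] if chain else []
    writers = [img for img in images if img is not None]
    return {
        "chain": chain,
        "images": images,          # last entry is None: the final child never wrote
        "depth": len(chain) if chain else 0,
        "flagged": (chain is not None and len(chain) >= min_depth
                    and len(set(writers)) == len(writers)),
    }


if __name__ == "__main__":
    r = chain_report(WPM_ROWS)
    for pid, img in zip(r["chain"], r["images"]):
        print(f"{pid:>5}  {img or '(no writes recorded)'}")
    print("depth:", r["depth"], "flagged:", r["flagged"])
```

The final PID in the chain has no image because the table only names writers; in this report that PID (2268, Kfblep32.exe) is resolved by the process tree below, which is where the remaining 106 stages live, since the signature caps itself at 64 IoCs.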
Processes
1. C:\Users\Admin\AppData\Local\Temp\331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78.exe (PID 1140, command line "C:\Users\Admin\AppData\Local\Temp\331d592bc1ebb747ee58cb9078b24181838efe3c5be282426d9dd2a7bd8eaa78.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Bjgoff32.exe (PID 2100, command line C:\Windows\system32\Bjgoff32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Cfdflfjk.exe (PID 2796, command line C:\Windows\system32\Cfdflfjk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Djkepi32.exe (PID 2828, command line C:\Windows\system32\Djkepi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Dkkajlph.exe (PID 2708, command line C:\Windows\system32\Dkkajlph.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Eenige32.exe (PID 2612, command line C:\Windows\system32\Eenige32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Eeqele32.exe (PID 2592, command line C:\Windows\system32\Eeqele32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Fpamnb32.exe (PID 3020, command line C:\Windows\system32\Fpamnb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Faqihe32.exe (PID 1516, command line C:\Windows\system32\Faqihe32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Glapia32.exe (PID 2004, command line C:\Windows\system32\Glapia32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Gkfmjndo.exe (PID 3032, command line C:\Windows\system32\Gkfmjndo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Gdanhchm.exe (PID 2908, command line C:\Windows\system32\Gdanhchm.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Gcfkip32.exe (PID 1388, command line C:\Windows\system32\Gcfkip32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Innhkknc.exe (PID 1788, command line C:\Windows\system32\Innhkknc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Jeepaiin.exe (PID 2968, command line C:\Windows\system32\Jeepaiin.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Kjllpopk.exe (PID 2140, command line C:\Windows\system32\Kjllpopk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Kfblep32.exe (PID 2268, command line C:\Windows\system32\Kfblep32.exe)
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Lpdcddde.exe (PID 536, command line C:\Windows\system32\Lpdcddde.exe)
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Lhohhf32.exe (PID 2460, command line C:\Windows\system32\Lhohhf32.exe)
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Llmandgf.exe (PID 2996, command line C:\Windows\system32\Llmandgf.exe)
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Mkekeqjl.exe (PID 2356, command line C:\Windows\system32\Mkekeqjl.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
22. C:\Windows\SysWOW64\Mmecgl32.exe (PID 1232, command line C:\Windows\system32\Mmecgl32.exe)
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Niangl32.exe (PID 2456, command line C:\Windows\system32\Niangl32.exe)
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Nlaghg32.exe (PID 952, command line C:\Windows\system32\Nlaghg32.exe)
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Ndaehi32.exe (PID 1292, command line C:\Windows\system32\Ndaehi32.exe)
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Ojajfo32.exe (PID 660, command line C:\Windows\system32\Ojajfo32.exe)
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Ocnhjdnb.exe (PID 2252, command line C:\Windows\system32\Ocnhjdnb.exe)
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Pciknh32.exe (PID 1980, command line C:\Windows\system32\Pciknh32.exe)
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Pehggk32.exe (PID 2732, command line C:\Windows\system32\Pehggk32.exe)
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Pgipif32.exe (PID 2716, command line C:\Windows\system32\Pgipif32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Qecjkobg.exe (PID 2768, command line C:\Windows\system32\Qecjkobg.exe)
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Aiacamhm.exe (PID 2756, command line C:\Windows\system32\Aiacamhm.exe)
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Abjgjc32.exe (PID 1800, command line C:\Windows\system32\Abjgjc32.exe)
- Executes dropped EXE
34. C:\Windows\SysWOW64\Bdgcniko.exe (PID 2360, command line C:\Windows\system32\Bdgcniko.exe)
- Executes dropped EXE
- Drops file in System32 directory
35. C:\Windows\SysWOW64\Biclfp32.exe (PID 1352, command line C:\Windows\system32\Biclfp32.exe)
- Executes dropped EXE
- Modifies registry class
36. C:\Windows\SysWOW64\Bppqhjnp.exe (PID 2292, command line C:\Windows\system32\Bppqhjnp.exe)
- Executes dropped EXE
37. C:\Windows\SysWOW64\Biheapeq.exe (PID 2000, command line C:\Windows\system32\Biheapeq.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
38. C:\Windows\SysWOW64\Cpmpbncn.exe (PID 1604, command line C:\Windows\system32\Cpmpbncn.exe)
- Executes dropped EXE
39. C:\Windows\SysWOW64\Ccnici32.exe (PID 1816, command line C:\Windows\system32\Ccnici32.exe)
- Executes dropped EXE
40. C:\Windows\SysWOW64\Dlijbn32.exe (PID 1300, command line C:\Windows\system32\Dlijbn32.exe)
- Executes dropped EXE
- Drops file in System32 directory
41. C:\Windows\SysWOW64\Ekemci32.exe (PID 1320, command line C:\Windows\system32\Ekemci32.exe)
- Executes dropped EXE
42. C:\Windows\SysWOW64\Edmblo32.exe (PID 2240, command line C:\Windows\system32\Edmblo32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
43. C:\Windows\SysWOW64\Emifaa32.exe (PID 1192, command line C:\Windows\system32\Emifaa32.exe)
- Executes dropped EXE
44. C:\Windows\SysWOW64\Ejmgjf32.exe (PID 948, command line C:\Windows\system32\Ejmgjf32.exe)
- Executes dropped EXE
45. C:\Windows\SysWOW64\Efchog32.exe (PID 2944, command line C:\Windows\system32\Efchog32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Epllhlbg.exe (PID 1508, command line C:\Windows\system32\Epllhlbg.exe)
- Executes dropped EXE
47. C:\Windows\SysWOW64\Fjaqeebm.exe (PID 1976, command line C:\Windows\system32\Fjaqeebm.exe)
- Executes dropped EXE
48. C:\Windows\SysWOW64\Fbmejg32.exe (PID 2264, command line C:\Windows\system32\Fbmejg32.exe)
- Executes dropped EXE
49. C:\Windows\SysWOW64\Fncfohel.exe (PID 748, command line C:\Windows\system32\Fncfohel.exe)
- Executes dropped EXE
50. C:\Windows\SysWOW64\Fpcbik32.exe (PID 1576, command line C:\Windows\system32\Fpcbik32.exe)
- Executes dropped EXE
51. C:\Windows\SysWOW64\Fadoqc32.exe (PID 108, command line C:\Windows\system32\Fadoqc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
52. C:\Windows\SysWOW64\Faflfc32.exe (PID 1616, command line C:\Windows\system32\Faflfc32.exe)
- Executes dropped EXE
53. C:\Windows\SysWOW64\Fmmlkdeo.exe (PID 2256, command line C:\Windows\system32\Fmmlkdeo.exe)
- Executes dropped EXE
54. C:\Windows\SysWOW64\Gfeadjlo.exe (PID 2596, command line C:\Windows\system32\Gfeadjlo.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
55. C:\Windows\SysWOW64\Gakeable.exe (PID 2112, command line C:\Windows\system32\Gakeable.exe)
- Executes dropped EXE
56. C:\Windows\SysWOW64\Gamafbjb.exe (PID 2644, command line C:\Windows\system32\Gamafbjb.exe)
- Executes dropped EXE
57. C:\Windows\SysWOW64\Giifkd32.exe (PID 1004, command line C:\Windows\system32\Giifkd32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
58. C:\Windows\SysWOW64\Gdnkhm32.exe (PID 2192, command line C:\Windows\system32\Gdnkhm32.exe)
- Executes dropped EXE
59. C:\Windows\SysWOW64\Geogpemb.exe (PID 1092, command line C:\Windows\system32\Geogpemb.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Gohlik32.exe (PID 3040, command line C:\Windows\system32\Gohlik32.exe)
- Executes dropped EXE
61. C:\Windows\SysWOW64\Hedqke32.exe (PID 976, command line C:\Windows\system32\Hedqke32.exe)
- Executes dropped EXE
62. C:\Windows\SysWOW64\Hkaicl32.exe (PID 1592, command line C:\Windows\system32\Hkaicl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
63. C:\Windows\SysWOW64\Hoobij32.exe (PID 2420, command line C:\Windows\system32\Hoobij32.exe)
- Executes dropped EXE
- Drops file in System32 directory
64. C:\Windows\SysWOW64\Heijfdeg.exe (PID 2788, command line C:\Windows\system32\Heijfdeg.exe)
- Executes dropped EXE
65. C:\Windows\SysWOW64\Hndokfbb.exe (PID 2044, command line C:\Windows\system32\Hndokfbb.exe)
- Executes dropped EXE
66. C:\Windows\SysWOW64\Hdpcmpgl.exe (PID 2496, command line C:\Windows\system32\Hdpcmpgl.exe)
67. C:\Windows\SysWOW64\Ilkhabeg.exe (PID 1316, command line C:\Windows\system32\Ilkhabeg.exe)
68. C:\Windows\SysWOW64\Ichmclja.exe (PID 1488, command line C:\Windows\system32\Ichmclja.exe)
69. C:\Windows\SysWOW64\Iplnmqik.exe (PID 744, command line C:\Windows\system32\Iplnmqik.exe)
70. C:\Windows\SysWOW64\Ioaknmnc.exe (PID 2052, command line C:\Windows\system32\Ioaknmnc.exe)
71. C:\Windows\SysWOW64\Idncfdlj.exe (PID 612, command line C:\Windows\system32\Idncfdlj.exe)
- System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\Jfmppg32.exe (PID 2320, command line C:\Windows\system32\Jfmppg32.exe)
73. C:\Windows\SysWOW64\Jqgqadpl.exe (PID 2276, command line C:\Windows\system32\Jqgqadpl.exe)
74. C:\Windows\SysWOW64\Jdeigc32.exe (PID 1612, command line C:\Windows\system32\Jdeigc32.exe)
- Modifies registry class
75. C:\Windows\SysWOW64\Jjabojdj.exe (PID 1492, command line C:\Windows\system32\Jjabojdj.exe)
- Drops file in System32 directory
76. C:\Windows\SysWOW64\Jmbkaeak.exe (PID 2844, command line C:\Windows\system32\Jmbkaeak.exe)
- System Location Discovery: System Language Discovery
77. C:\Windows\SysWOW64\Kmdgfd32.exe (PID 2936, command line C:\Windows\system32\Kmdgfd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
78. C:\Windows\SysWOW64\Kmgdld32.exe (PID 2600, command line C:\Windows\system32\Kmgdld32.exe)
79. C:\Windows\SysWOW64\Kfoiejdf.exe (PID 2764, command line C:\Windows\system32\Kfoiejdf.exe)
- Modifies registry class
80. C:\Windows\SysWOW64\Kipafe32.exe (PID 2760, command line C:\Windows\system32\Kipafe32.exe)
81. C:\Windows\SysWOW64\Kbhfojgg.exe (PID 2416, command line C:\Windows\system32\Kbhfojgg.exe)
82. C:\Windows\SysWOW64\Kbkcej32.exe (PID 2900, command line C:\Windows\system32\Kbkcej32.exe)
83. C:\Windows\SysWOW64\Lnacjkki.exe (PID 1924, command line C:\Windows\system32\Lnacjkki.exe)
84. C:\Windows\SysWOW64\Ljhdol32.exe (PID 1216, command line C:\Windows\system32\Ljhdol32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
85. C:\Windows\SysWOW64\Lhlehppg.exe (PID 3044, command line C:\Windows\system32\Lhlehppg.exe)
86. C:\Windows\SysWOW64\Lpgimbmb.exe (PID 1100, command line C:\Windows\system32\Lpgimbmb.exe)
87. C:\Windows\SysWOW64\Llnjac32.exe (PID 1112, command line C:\Windows\system32\Llnjac32.exe)
88. C:\Windows\SysWOW64\Mffkdlpi.exe (PID 604, command line C:\Windows\system32\Mffkdlpi.exe)
89. C:\Windows\SysWOW64\Ngcknpeh.exe (PID 960, command line C:\Windows\system32\Ngcknpeh.exe)
90. C:\Windows\SysWOW64\Nmblfiho.exe (PID 1068, command line C:\Windows\system32\Nmblfiho.exe)
- Drops file in System32 directory
91. C:\Windows\SysWOW64\Nhlmfg32.exe (PID 924, command line C:\Windows\system32\Nhlmfg32.exe)
92. C:\Windows\SysWOW64\Nepnpk32.exe (PID 288, command line C:\Windows\system32\Nepnpk32.exe)
93. C:\Windows\SysWOW64\Oagndlil.exe (PID 2288, command line C:\Windows\system32\Oagndlil.exe)
94. C:\Windows\SysWOW64\Onmoimop.exe (PID 1464, command line C:\Windows\system32\Onmoimop.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Okapcanj.exe (PID 2448, command line C:\Windows\system32\Okapcanj.exe)
96. C:\Windows\SysWOW64\Okdlha32.exe (PID 2216, command line C:\Windows\system32\Okdlha32.exe)
97. C:\Windows\SysWOW64\Odlqafbg.exe (PID 2160, command line C:\Windows\system32\Odlqafbg.exe)
98. C:\Windows\SysWOW64\Omgefipb.exe (PID 1856, command line C:\Windows\system32\Omgefipb.exe)
99. C:\Windows\SysWOW64\Pfpjonfc.exe (PID 2804, command line C:\Windows\system32\Pfpjonfc.exe)
100. C:\Windows\SysWOW64\Pccjhbem.exe (PID 2668, command line C:\Windows\system32\Pccjhbem.exe)
101. C:\Windows\SysWOW64\Piqcpicd.exe (PID 1636, command line C:\Windows\system32\Piqcpicd.exe)
102. C:\Windows\SysWOW64\Pjpojljg.exe (PID 3008, command line C:\Windows\system32\Pjpojljg.exe)
103. C:\Windows\SysWOW64\Peipkjge.exe (PID 2180, command line C:\Windows\system32\Peipkjge.exe)
- System Location Discovery: System Language Discovery
104. C:\Windows\SysWOW64\Poodhcfl.exe (PID 2912, command line C:\Windows\system32\Poodhcfl.exe)
105. C:\Windows\SysWOW64\Pfimem32.exe (PID 2388, command line C:\Windows\system32\Pfimem32.exe)
106. C:\Windows\SysWOW64\Qabnekjg.exe (PID 2016, command line C:\Windows\system32\Qabnekjg.exe)
107. C:\Windows\SysWOW64\Qjkbnp32.exe (PID 2424, command line C:\Windows\system32\Qjkbnp32.exe)
108. C:\Windows\SysWOW64\Qjmodpoe.exe (PID 568, command line C:\Windows\system32\Qjmodpoe.exe)
109. C:\Windows\SysWOW64\Afdpia32.exe (PID 1220, command line C:\Windows\system32\Afdpia32.exe)
110. C:\Windows\SysWOW64\Afflnq32.exe (PID 2440, command line C:\Windows\system32\Afflnq32.exe)
111. C:\Windows\SysWOW64\Aalqlibl.exe (PID 1548, command line C:\Windows\system32\Aalqlibl.exe)
112. C:\Windows\SysWOW64\Alfalgok.exe (PID 1836, command line C:\Windows\system32\Alfalgok.exe)
- Drops file in System32 directory
113. C:\Windows\SysWOW64\Amenfjfn.exe (PID 1680, command line C:\Windows\system32\Amenfjfn.exe)
114. C:\Windows\SysWOW64\Bilokk32.exe (PID 2392, command line C:\Windows\system32\Bilokk32.exe)
115. C:\Windows\SysWOW64\Bnigcb32.exe (PID 1724, command line C:\Windows\system32\Bnigcb32.exe)
116. C:\Windows\SysWOW64\Blmhmf32.exe (PID 2860, command line C:\Windows\system32\Blmhmf32.exe)
117. C:\Windows\SysWOW64\Baipemgk.exe (PID 2620, command line C:\Windows\system32\Baipemgk.exe)
118. C:\Windows\SysWOW64\Bdjighdl.exe (PID 3016, command line C:\Windows\system32\Bdjighdl.exe)
119. C:\Windows\SysWOW64\Banjpl32.exe (PID 2680, command line C:\Windows\system32\Banjpl32.exe)
120. C:\Windows\SysWOW64\Bhhbmfjb.exe (PID 2780, command line C:\Windows\system32\Bhhbmfjb.exe)
121. C:\Windows\SysWOW64\Bmejemhi.exe (PID 2476, command line C:\Windows\system32\Bmejemhi.exe)
122. C:\Windows\SysWOW64\Cbbcmdfa.exe (PID 1556, command line C:\Windows\system32\Cbbcmdfa.exe)