Analysis
-
max time kernel
44s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
15/09/2024, 03:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8f5b9f6095fb96e424bb7309217a0130N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8f5b9f6095fb96e424bb7309217a0130N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
8f5b9f6095fb96e424bb7309217a0130N.exe
-
Size
96KB
-
MD5
8f5b9f6095fb96e424bb7309217a0130
-
SHA1
8e8d8b365e4b306926a6c01b4630c8c40b27df53
-
SHA256
aa403cbaac191e5ec922a4d71340809592a1e8d29bb037352925bd9068ba6c85
-
SHA512
1c4af81cbdcc83cce4ba6d9c0ad80921d7be38f1ba56e3e91df7575db5ddb0a89fbeb095589a6375b6196457898498630a3a69a495a48713189669b4d0e0a09a
-
SSDEEP
1536:Jr7ynhXXThfUzi5257Dv+6q/k1UUA0pLIYkyp9NQcOlkwAaAjWbjtKBvU:JiJWm525XvPq/zuLpp9NhOlk1VwtCU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goplilpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjofdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoojnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnimiblo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jefpeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlheehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqfemqod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jliaac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eppcmncq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caifjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmpcgace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgcmbcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjcme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfncpcoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcnegnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggkqmoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piicpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nidmfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjdmjgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbohehoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nameek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behilopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nenkqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbdqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcachc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcbhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnpkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Befmfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilnomp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfqpecma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aficjnpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beackp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnmlcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acfdnihk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Objaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aflfjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elkmmodo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmalldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhpglecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iimfld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akiobk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idicbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjfnomde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgoelh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkbcbn32.exe -
Executes dropped EXE 64 IoCs
pid Process 1852 Oagoep32.exe 2356 Oioggmmc.exe 3060 Okpcoe32.exe 2300 Oajlkojn.exe 2732 Odhhgkib.exe 2928 Oalhqohl.exe 2840 Odjdmjgo.exe 2440 Oanefo32.exe 1484 Ogknoe32.exe 2776 Oaqbln32.exe 1444 Pgnjde32.exe 1928 Ppfomk32.exe 2332 Pcdkif32.exe 2004 Poklngnf.exe 1096 Pgbdodnh.exe 940 Pomhcg32.exe 1936 Palepb32.exe 2080 Phfmllbd.exe 2416 Panaeb32.exe 1556 Qnebjc32.exe 2520 Qaqnkafa.exe 1612 Qgmfchei.exe 2108 Qkibcg32.exe 2408 Qqfkln32.exe 2728 Qhmcmk32.exe 2848 Abegfa32.exe 2860 Adcdbl32.exe 2648 Acfdnihk.exe 1960 Agbpnh32.exe 2372 Anlhkbhq.exe 1940 Aqjdgmgd.exe 2820 Adfqgl32.exe 2000 Aciqcifh.exe 3024 Afgmodel.exe 3004 Ajcipc32.exe 3052 Anneqafn.exe 2312 Amaelomh.exe 2348 Aqmamm32.exe 2060 Ackmih32.exe 1932 Aggiigmn.exe 1644 Afjjed32.exe 908 Aihfap32.exe 2428 Amcbankf.exe 880 Aqonbm32.exe 2016 Acnjnh32.exe 2396 Abpjjeim.exe 1712 Aflfjc32.exe 2468 Akiobk32.exe 2808 Aodkci32.exe 2904 Bbbgod32.exe 2656 Bfncpcoc.exe 2620 Beackp32.exe 2768 Bmhkmm32.exe 2908 Bkklhjnk.exe 2956 Bnihdemo.exe 2360 Bfqpecma.exe 1032 Becpap32.exe 1464 Bgblmk32.exe 2012 Bkmhnjlh.exe 1028 Bbgqjdce.exe 1228 Befmfpbi.exe 1752 Bgdibkam.exe 1548 Bjbeofpp.exe 2184 Bnnaoe32.exe -
Loads dropped DLL 64 IoCs
pid Process 2368 8f5b9f6095fb96e424bb7309217a0130N.exe 2368 8f5b9f6095fb96e424bb7309217a0130N.exe 1852 Oagoep32.exe 1852 Oagoep32.exe 2356 Oioggmmc.exe 2356 Oioggmmc.exe 3060 Okpcoe32.exe 3060 Okpcoe32.exe 2300 Oajlkojn.exe 2300 Oajlkojn.exe 2732 Odhhgkib.exe 2732 Odhhgkib.exe 2928 Oalhqohl.exe 2928 Oalhqohl.exe 2840 Odjdmjgo.exe 2840 Odjdmjgo.exe 2440 Oanefo32.exe 2440 Oanefo32.exe 1484 Ogknoe32.exe 1484 Ogknoe32.exe 2776 Oaqbln32.exe 2776 Oaqbln32.exe 1444 Pgnjde32.exe 1444 Pgnjde32.exe 1928 Ppfomk32.exe 1928 Ppfomk32.exe 2332 Pcdkif32.exe 2332 Pcdkif32.exe 2004 Poklngnf.exe 2004 Poklngnf.exe 1096 Pgbdodnh.exe 1096 Pgbdodnh.exe 940 Pomhcg32.exe 940 Pomhcg32.exe 1936 Palepb32.exe 1936 Palepb32.exe 2080 Phfmllbd.exe 2080 Phfmllbd.exe 2416 Panaeb32.exe 2416 Panaeb32.exe 1556 Qnebjc32.exe 1556 Qnebjc32.exe 2520 Qaqnkafa.exe 2520 Qaqnkafa.exe 1612 Qgmfchei.exe 1612 Qgmfchei.exe 2108 Qkibcg32.exe 2108 Qkibcg32.exe 2408 Qqfkln32.exe 2408 Qqfkln32.exe 2728 Qhmcmk32.exe 2728 Qhmcmk32.exe 2848 Abegfa32.exe 2848 Abegfa32.exe 2860 Adcdbl32.exe 2860 Adcdbl32.exe 2648 Acfdnihk.exe 2648 Acfdnihk.exe 1960 Agbpnh32.exe 1960 Agbpnh32.exe 2372 Anlhkbhq.exe 2372 Anlhkbhq.exe 1940 Aqjdgmgd.exe 1940 Aqjdgmgd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ahebaiac.exe Adifpk32.exe File created C:\Windows\SysWOW64\Cdjpfaqc.dll Behilopf.exe File created C:\Windows\SysWOW64\Bkkpkade.dll Epmfgo32.exe File created C:\Windows\SysWOW64\Ldcinhie.dll Obhdcanc.exe File opened for modification C:\Windows\SysWOW64\Pghfnc32.exe Pcljmdmj.exe File created C:\Windows\SysWOW64\Hjlioj32.exe Ggnmbn32.exe File created C:\Windows\SysWOW64\Lgehno32.exe Lcjlnpmo.exe File created C:\Windows\SysWOW64\Ckhdggom.exe Cmedlk32.exe File opened for modification C:\Windows\SysWOW64\Lfoojj32.exe Lbcbjlmb.exe File created C:\Windows\SysWOW64\Fjjeanhe.dll Ciaefa32.exe File created C:\Windows\SysWOW64\Gdhkfd32.exe Gfejjgli.exe File created C:\Windows\SysWOW64\Jbjpom32.exe Jkchmo32.exe File created C:\Windows\SysWOW64\Ippdgc32.exe Iamdkfnc.exe File created C:\Windows\SysWOW64\Hnoefj32.dll Ncnngfna.exe File created C:\Windows\SysWOW64\Ahgofi32.exe Aficjnpm.exe File created C:\Windows\SysWOW64\Idicbbpi.exe Iakgefqe.exe File opened for modification C:\Windows\SysWOW64\Bmnnkl32.exe Bnknoogp.exe File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Afdiondb.exe File created C:\Windows\SysWOW64\Qaqnkafa.exe Qnebjc32.exe File created C:\Windows\SysWOW64\Fagina32.dll Jbhcim32.exe File created C:\Windows\SysWOW64\Oinhifdq.dll Bjdkjpkb.exe File created C:\Windows\SysWOW64\Hakapcjd.dll Iakgefqe.exe File created C:\Windows\SysWOW64\Olpilg32.exe Oibmpl32.exe File created C:\Windows\SysWOW64\Agjobffl.exe Ahgofi32.exe File created C:\Windows\SysWOW64\Ppfomk32.exe Pgnjde32.exe File created C:\Windows\SysWOW64\Goiebopf.dll Iihiphln.exe File created C:\Windows\SysWOW64\Kpkpadnl.exe Knmdeioh.exe File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe Cnmfdb32.exe File created C:\Windows\SysWOW64\Mihmog32.dll Eppcmncq.exe File created C:\Windows\SysWOW64\Gkephn32.exe Gifclb32.exe File opened for modification C:\Windows\SysWOW64\Bfioia32.exe Bcjcme32.exe File created C:\Windows\SysWOW64\Ckmnbg32.exe Cinafkkd.exe File opened for modification C:\Windows\SysWOW64\Pmmeon32.exe Pkoicb32.exe File opened for modification C:\Windows\SysWOW64\Aqbdkk32.exe Abpcooea.exe File created C:\Windows\SysWOW64\Cofdbf32.dll Pghfnc32.exe File opened for modification C:\Windows\SysWOW64\Danpemej.exe Dnpciaef.exe File created C:\Windows\SysWOW64\Jlamphei.dll Ccpcckck.exe File created C:\Windows\SysWOW64\Nebhgckp.dll Folfoj32.exe File created C:\Windows\SysWOW64\Bdcifi32.exe Bmlael32.exe File created C:\Windows\SysWOW64\Dldkmlhl.exe Dhiomn32.exe File created C:\Windows\SysWOW64\Iamdkfnc.exe Ioohokoo.exe File created C:\Windows\SysWOW64\Pfqgfg32.dll Qiioon32.exe File created C:\Windows\SysWOW64\Gmpcgace.exe Gdhkfd32.exe File created C:\Windows\SysWOW64\Lgpgbj32.dll Ahbekjcf.exe File created C:\Windows\SysWOW64\Gkpfmnlb.exe Gjojef32.exe File created C:\Windows\SysWOW64\Hfjckino.dll Jpbalb32.exe File created C:\Windows\SysWOW64\Pdbdqh32.exe Padhdm32.exe File created C:\Windows\SysWOW64\Hkgoklhk.dll Pidfdofi.exe File opened for modification C:\Windows\SysWOW64\Achjibcl.exe Aomnhd32.exe File created C:\Windows\SysWOW64\Cfkloq32.exe Ccmpce32.exe File opened for modification C:\Windows\SysWOW64\Aggiigmn.exe Ackmih32.exe File created C:\Windows\SysWOW64\Mhhigm32.dll Bammlq32.exe File created C:\Windows\SysWOW64\Pbgiha32.dll Gmpcgace.exe File created C:\Windows\SysWOW64\Gjgcdgcc.dll Gncldi32.exe File opened for modification C:\Windows\SysWOW64\Lhfefgkg.exe Lfhhjklc.exe File created C:\Windows\SysWOW64\Achjibcl.exe Aomnhd32.exe File created C:\Windows\SysWOW64\Oanefo32.exe Odjdmjgo.exe File created C:\Windows\SysWOW64\Pplaki32.exe Pmmeon32.exe File created C:\Windows\SysWOW64\Hpbdmo32.exe Hlgimqhf.exe File opened for modification C:\Windows\SysWOW64\Bmbgfkje.exe Bigkel32.exe File created C:\Windows\SysWOW64\Hfjpdjjo.exe Hboddk32.exe File opened for modification C:\Windows\SysWOW64\Ijqoilii.exe Ilnomp32.exe File created C:\Windows\SysWOW64\Mqdkghnj.dll Qcogbdkg.exe File created C:\Windows\SysWOW64\Hcopgk32.dll Apedah32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5300 5216 WerFault.exe 554 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfpabkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldmleam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adcdbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elfcbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdnhoac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcogbdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlhkbhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkhjncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiqmlfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emagacdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpapaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckjhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbepdhgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjphcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcecbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfoojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adifpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanefo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpemm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhnkfpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnomjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbgfkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnckjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoepnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcachc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegoqlof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnnaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkhaqpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aciqcifh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibejdjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8f5b9f6095fb96e424bb7309217a0130N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmfchei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpgpond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behilopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klngkfge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgjaeoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmnnkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cblfdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjonncab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjebdfnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpglecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gneijien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolghndm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clpabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iikifegp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkibcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cenljmgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmedlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgbeiiqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idicbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgjnhaco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giackg32.dll" Kkeecogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdndgcj.dll" Lcofio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfncpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lboiol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oibmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkhoe32.dll" Bgdibkam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ninmfc32.dll" Eejopecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfncpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnnoic32.dll" Pcdkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnidcen.dll" Cbgmigeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cafngogd.dll" Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmcfjpo.dll" Afgmodel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddklgpc.dll" Bfqpecma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfocegkg.dll" Emagacdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amcbankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceeieced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll" Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dknajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll" Bgllgedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll" Bdqlajbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgbdodnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjcaimgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecbhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheoph32.dll" Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olebgfao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmhnkfpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjacjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphfihaj.dll" Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbjpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odjdmjgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcogbdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kddomchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkibcg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2368 wrote to memory of 1852 2368 8f5b9f6095fb96e424bb7309217a0130N.exe 30 PID 2368 wrote to memory of 1852 2368 8f5b9f6095fb96e424bb7309217a0130N.exe 30 PID 2368 wrote to memory of 1852 2368 8f5b9f6095fb96e424bb7309217a0130N.exe 30 PID 2368 wrote to memory of 1852 2368 8f5b9f6095fb96e424bb7309217a0130N.exe 30 PID 1852 wrote to memory of 2356 1852 Oagoep32.exe 31 PID 1852 wrote to memory of 2356 1852 Oagoep32.exe 31 PID 1852 wrote to memory of 2356 1852 Oagoep32.exe 31 PID 1852 wrote to memory of 2356 1852 Oagoep32.exe 31 PID 2356 wrote to memory of 3060 2356 Oioggmmc.exe 32 PID 2356 wrote to memory of 3060 2356 Oioggmmc.exe 32 PID 2356 wrote to memory of 3060 2356 Oioggmmc.exe 32 PID 2356 wrote to memory of 3060 2356 Oioggmmc.exe 32 PID 3060 wrote to memory of 2300 3060 Okpcoe32.exe 33 PID 3060 wrote to memory of 2300 3060 Okpcoe32.exe 33 PID 3060 wrote to memory of 2300 3060 Okpcoe32.exe 33 PID 3060 wrote to memory of 2300 3060 Okpcoe32.exe 33 PID 2300 wrote to memory of 2732 2300 Oajlkojn.exe 34 PID 2300 wrote to memory of 2732 2300 Oajlkojn.exe 34 PID 2300 wrote to memory of 2732 2300 Oajlkojn.exe 34 PID 2300 wrote to memory of 2732 2300 Oajlkojn.exe 34 PID 2732 wrote to memory of 2928 2732 Odhhgkib.exe 35 PID 2732 wrote to memory of 2928 2732 Odhhgkib.exe 35 PID 2732 wrote to memory of 2928 2732 Odhhgkib.exe 35 PID 2732 wrote to memory of 2928 2732 Odhhgkib.exe 35 PID 2928 wrote to memory of 2840 2928 Oalhqohl.exe 36 PID 2928 wrote to memory of 2840 2928 Oalhqohl.exe 36 PID 2928 wrote to memory of 2840 2928 Oalhqohl.exe 36 PID 2928 wrote to memory of 2840 2928 Oalhqohl.exe 36 PID 2840 wrote to memory of 2440 2840 Odjdmjgo.exe 37 PID 2840 wrote to memory of 2440 2840 Odjdmjgo.exe 37 PID 2840 wrote to memory of 2440 2840 Odjdmjgo.exe 37 PID 2840 wrote to memory of 2440 2840 Odjdmjgo.exe 37 PID 2440 wrote to memory of 1484 2440 Oanefo32.exe 38 PID 2440 wrote to memory of 1484 2440 Oanefo32.exe 38 PID 2440 wrote to memory of 1484 2440 Oanefo32.exe 38 PID 2440 wrote to memory of 1484 2440 Oanefo32.exe 38 PID 1484 wrote to memory of 2776 1484 Ogknoe32.exe 39 PID 1484 wrote to memory of 2776 1484 Ogknoe32.exe 39 PID 1484 wrote to memory of 2776 1484 Ogknoe32.exe 39 PID 1484 wrote to memory of 2776 1484 Ogknoe32.exe 39 PID 2776 wrote to memory of 1444 2776 Oaqbln32.exe 40 PID 2776 wrote to memory of 1444 2776 Oaqbln32.exe 40 PID 2776 wrote to memory of 1444 2776 Oaqbln32.exe 40 PID 2776 wrote to memory of 1444 2776 Oaqbln32.exe 40 PID 1444 wrote to memory of 1928 1444 Pgnjde32.exe 41 PID 1444 wrote to memory of 1928 1444 Pgnjde32.exe 41 PID 1444 wrote to memory of 1928 1444 Pgnjde32.exe 41 PID 1444 wrote to memory of 1928 1444 Pgnjde32.exe 41 PID 1928 wrote to memory of 2332 1928 Ppfomk32.exe 42 PID 1928 wrote to memory of 2332 1928 Ppfomk32.exe 42 PID 1928 wrote to memory of 2332 1928 Ppfomk32.exe 42 PID 1928 wrote to memory of 2332 1928 Ppfomk32.exe 42 PID 2332 wrote to memory of 2004 2332 Pcdkif32.exe 43 PID 2332 wrote to memory of 2004 2332 Pcdkif32.exe 43 PID 2332 wrote to memory of 2004 2332 Pcdkif32.exe 43 PID 2332 wrote to memory of 2004 2332 Pcdkif32.exe 43 PID 2004 wrote to memory of 1096 2004 Poklngnf.exe 44 PID 2004 wrote to memory of 1096 2004 Poklngnf.exe 44 PID 2004 wrote to memory of 1096 2004 Poklngnf.exe 44 PID 2004 wrote to memory of 1096 2004 Poklngnf.exe 44 PID 1096 wrote to memory of 940 1096 Pgbdodnh.exe 45 PID 1096 wrote to memory of 940 1096 Pgbdodnh.exe 45 PID 1096 wrote to memory of 940 1096 Pgbdodnh.exe 45 PID 1096 wrote to memory of 940 1096 Pgbdodnh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f5b9f6095fb96e424bb7309217a0130N.exe"C:\Users\Admin\AppData\Local\Temp\8f5b9f6095fb96e424bb7309217a0130N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe33⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe36⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe37⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe38⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe42⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe43⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe45⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe46⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe47⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe50⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe51⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe54⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe55⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe56⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe58⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe59⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe60⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe61⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1228 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe66⤵
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe69⤵
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe70⤵PID:2836
-
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe71⤵PID:2712
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe72⤵PID:2616
-
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe73⤵PID:2024
-
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe74⤵PID:2996
-
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe75⤵
- System Location Discovery: System Language Discovery
PID:352 -
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe76⤵PID:1448
-
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe77⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe78⤵PID:1356
-
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe79⤵PID:308
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe80⤵PID:1280
-
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe81⤵PID:1232
-
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe82⤵
- System Location Discovery: System Language Discovery
PID:1428 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe83⤵PID:1420
-
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe85⤵PID:1844
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe87⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe88⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe89⤵
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe90⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe91⤵PID:1120
-
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe92⤵PID:2932
-
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe94⤵PID:640
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe95⤵
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe96⤵PID:600
-
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe97⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe98⤵PID:556
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe99⤵PID:2068
-
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe101⤵PID:2124
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe102⤵PID:2868
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe103⤵PID:2920
-
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe104⤵PID:2632
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe105⤵PID:1912
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe106⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe107⤵PID:1200
-
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe109⤵PID:660
-
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe110⤵PID:1176
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe112⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe113⤵
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe114⤵PID:2692
-
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe115⤵PID:2856
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe116⤵PID:1648
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe117⤵PID:2988
-
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe118⤵PID:2828
-
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe119⤵PID:2008
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe120⤵PID:2540
-
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe121⤵
- Drops file in System32 directory
PID:1796
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-