Analysis
-
max time kernel
64s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 02:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe
-
Size
64KB
-
MD5
6f9eb0f965c690a84366e19233a0d190
-
SHA1
1ddb29731b8daf278848b3a45511721026afac35
-
SHA256
edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476
-
SHA512
953d3cd464cc1d4a02011d963cbfafd98b1c02e4f4c8f75bc784cd88c9a58d0058de9d1477c1b55a4d5132344a3c0d7567b9b8c26a08cf102f8740dfdf742a4f
-
SSDEEP
768:j2buqeZc4YvZEQxGDEkCCsKC3FGNxNx7I7uufm/1H5WW5UZEgruCHPkJLzt1SZIu:j2+tkGQcDtCCsy94W5UXruCHcpzt/Idn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkjaaglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqfooonp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mibdcakk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghjqlmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlbnja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eleliepj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjbhgolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acplpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kommediq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfknooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qefihg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfjjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhhma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipimic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkakbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imqdcjkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbneekan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lolpah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achikonn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emncci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaiijgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjkdoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npneeocq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnjfffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eefdgeig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgane32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdkdjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmehqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgiomabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjqfmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Himionmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpinagbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqljdclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeceim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaamhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfmlgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdkpomkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apeflmjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eehndm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Himionmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjbdfbnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koelibnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phbinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbolge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hogddpld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Galfpgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jepoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nicfnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbqajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngafdepl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glhhgahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pebbeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emnelbdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dilddl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeceim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimmpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjbienl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcobdgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhccoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qibhao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbhphie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaamhb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2236 Clfkfeno.exe 2816 Cbpcbo32.exe 2776 Chmkkf32.exe 2704 Cogdhpkp.exe 2724 Dhaefepn.exe 2792 Dalfdjdl.exe 1344 Dgiomabc.exe 2336 Dpaceg32.exe 3012 Dilddl32.exe 2208 Eeceim32.exe 1300 Ecgeba32.exe 1636 Eehndm32.exe 2640 Eaooin32.exe 2396 Ekgcbcke.exe 904 Fjlqcppm.exe 768 Fokfqflb.exe 1540 Fjajno32.exe 1328 Fonbff32.exe 596 Fhfgokap.exe 808 Gdodjlda.exe 1360 Gimmpj32.exe 872 Gjqfmb32.exe 1872 Gjccbb32.exe 2824 Gamkol32.exe 1580 Hpbhphie.exe 2908 Hflpmb32.exe 2836 Hfnmbbnp.exe 2848 Himionmc.exe 2688 Hpinagbm.exe 1236 Hnnkbd32.exe 2164 Hehconob.exe 2632 Imchcplm.exe 2080 Iocdmccp.exe 1480 Ifniaeqk.exe 2656 Iadnon32.exe 2020 Ifqfge32.exe 2628 Ilmool32.exe 2112 Iiaoip32.exe 1808 Jbjcaf32.exe 1124 Jehpna32.exe 1916 Joqdfghn.exe 1404 Jkgelh32.exe 1668 Jaamhb32.exe 1500 Jdpidm32.exe 2572 Jlgaek32.exe 2260 Jkjaaglp.exe 1004 Jeofnpke.exe 920 Jnjjcbiq.exe 2504 Kpbiempj.exe 1604 Klijjnen.exe 2964 Lbfcbdce.exe 2496 Lojclibo.exe 2728 Lfckhc32.exe 1912 Lolpah32.exe 2616 Lqmliqfj.exe 2604 Lqpiopdh.exe 2928 Lmfjcajl.exe 528 Ljjjmeie.exe 1860 Mogcelgm.exe 1748 Mqfooonp.exe 2128 Mcekkkmc.exe 1864 Mibdcakk.exe 624 Mcghajkq.exe 1704 Mekanbol.exe -
Loads dropped DLL 64 IoCs
pid Process 1348 edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe 1348 edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe 2236 Clfkfeno.exe 2236 Clfkfeno.exe 2816 Cbpcbo32.exe 2816 Cbpcbo32.exe 2776 Chmkkf32.exe 2776 Chmkkf32.exe 2704 Cogdhpkp.exe 2704 Cogdhpkp.exe 2724 Dhaefepn.exe 2724 Dhaefepn.exe 2792 Dalfdjdl.exe 2792 Dalfdjdl.exe 1344 Dgiomabc.exe 1344 Dgiomabc.exe 2336 Dpaceg32.exe 2336 Dpaceg32.exe 3012 Dilddl32.exe 3012 Dilddl32.exe 2208 Eeceim32.exe 2208 Eeceim32.exe 1300 Ecgeba32.exe 1300 Ecgeba32.exe 1636 Eehndm32.exe 1636 Eehndm32.exe 2640 Eaooin32.exe 2640 Eaooin32.exe 2396 Ekgcbcke.exe 2396 Ekgcbcke.exe 904 Fjlqcppm.exe 904 Fjlqcppm.exe 768 Fokfqflb.exe 768 Fokfqflb.exe 1540 Fjajno32.exe 1540 Fjajno32.exe 1328 Fonbff32.exe 1328 Fonbff32.exe 596 Fhfgokap.exe 596 Fhfgokap.exe 808 Gdodjlda.exe 808 Gdodjlda.exe 1360 Gimmpj32.exe 1360 Gimmpj32.exe 872 Gjqfmb32.exe 872 Gjqfmb32.exe 1872 Gjccbb32.exe 1872 Gjccbb32.exe 2824 Gamkol32.exe 2824 Gamkol32.exe 1580 Hpbhphie.exe 1580 Hpbhphie.exe 2908 Hflpmb32.exe 2908 Hflpmb32.exe 2836 Hfnmbbnp.exe 2836 Hfnmbbnp.exe 2848 Himionmc.exe 2848 Himionmc.exe 2688 Hpinagbm.exe 2688 Hpinagbm.exe 1236 Hnnkbd32.exe 1236 Hnnkbd32.exe 2164 Hehconob.exe 2164 Hehconob.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jkgelh32.exe Joqdfghn.exe File created C:\Windows\SysWOW64\Lojclibo.exe Lbfcbdce.exe File opened for modification C:\Windows\SysWOW64\Ckajqo32.exe Bjanfl32.exe File opened for modification C:\Windows\SysWOW64\Cgmndokg.exe Cacegd32.exe File created C:\Windows\SysWOW64\Iilead32.dll Akhkkmdh.exe File created C:\Windows\SysWOW64\Pilcnl32.dll Adfbbabc.exe File created C:\Windows\SysWOW64\Bpdjjj32.dll Hedllgjk.exe File created C:\Windows\SysWOW64\Kgggld32.dll Nfhpjaba.exe File created C:\Windows\SysWOW64\Ahgdbk32.exe Qoopie32.exe File created C:\Windows\SysWOW64\Imcaijia.exe Icjmpd32.exe File created C:\Windows\SysWOW64\Mjgclcjh.exe Mgigpgkd.exe File opened for modification C:\Windows\SysWOW64\Cbcbag32.exe Cgmndokg.exe File opened for modification C:\Windows\SysWOW64\Hjcajn32.exe Hibebeqb.exe File created C:\Windows\SysWOW64\Jhgnbehe.exe Jbjejojn.exe File created C:\Windows\SysWOW64\Pkebob32.dll Aoijjjcl.exe File created C:\Windows\SysWOW64\Oljagk32.dll Johlpoij.exe File opened for modification C:\Windows\SysWOW64\Bbdmljln.exe Bfmlgi32.exe File created C:\Windows\SysWOW64\Mcfied32.dll Fghppa32.exe File created C:\Windows\SysWOW64\Gkaljdaf.exe Gicpnhbb.exe File opened for modification C:\Windows\SysWOW64\Ijmkkc32.exe Infjfblm.exe File created C:\Windows\SysWOW64\Enkfnp32.dll Ijmkkc32.exe File opened for modification C:\Windows\SysWOW64\Haejcj32.exe Hjkbfpah.exe File opened for modification C:\Windows\SysWOW64\Kcdljghj.exe Kpeonkig.exe File opened for modification C:\Windows\SysWOW64\Qdkpomkb.exe Qlcgmpkp.exe File created C:\Windows\SysWOW64\Lfckhc32.exe Lojclibo.exe File created C:\Windows\SysWOW64\Bdemaknk.dll Pmdocf32.exe File created C:\Windows\SysWOW64\Aeedad32.dll Dodlfmlb.exe File created C:\Windows\SysWOW64\Fcoaebjc.exe Fleihi32.exe File created C:\Windows\SysWOW64\Gqfmdp32.dll Gnphfppi.exe File created C:\Windows\SysWOW64\Mklgei32.dll Bbolge32.exe File created C:\Windows\SysWOW64\Cbdkdffm.exe Cmgblphf.exe File created C:\Windows\SysWOW64\Cmjoaofc.exe Cbdkdffm.exe File created C:\Windows\SysWOW64\Hnahndjj.dll Djibogkn.exe File created C:\Windows\SysWOW64\Jhfehjna.dll Jfkbqcam.exe File created C:\Windows\SysWOW64\Biehgccp.dll Kphpdhdh.exe File created C:\Windows\SysWOW64\Npdkdjhp.exe Mjgclcjh.exe File created C:\Windows\SysWOW64\Gklkdn32.exe Gpfggeai.exe File created C:\Windows\SysWOW64\Qegdad32.dll Ngafdepl.exe File created C:\Windows\SysWOW64\Ffmijgfa.dll Dfpcdh32.exe File opened for modification C:\Windows\SysWOW64\Hjpnjheg.exe Hdcebagp.exe File created C:\Windows\SysWOW64\Lbfcbdce.exe Klijjnen.exe File opened for modification C:\Windows\SysWOW64\Dofilm32.exe Ddqeodjj.exe File created C:\Windows\SysWOW64\Fbjpjphf.dll Gkiooocb.exe File created C:\Windows\SysWOW64\Dabkla32.exe Djibogkn.exe File created C:\Windows\SysWOW64\Caldepec.dll Acfonhgd.exe File created C:\Windows\SysWOW64\Glhhgahg.exe Giikkehc.exe File created C:\Windows\SysWOW64\Iqmcmaja.exe Ijbjpg32.exe File created C:\Windows\SysWOW64\Fokfqflb.exe Fjlqcppm.exe File created C:\Windows\SysWOW64\Efnklece.dll Hpinagbm.exe File created C:\Windows\SysWOW64\Conpdm32.exe Cicggcke.exe File opened for modification C:\Windows\SysWOW64\Jpnfdbig.exe Jhgnbehe.exe File opened for modification C:\Windows\SysWOW64\Lkepdbkb.exe Ldlghhde.exe File opened for modification C:\Windows\SysWOW64\Fdekigip.exe Fnkblm32.exe File created C:\Windows\SysWOW64\Ncnbqeoe.dll Kcdljghj.exe File created C:\Windows\SysWOW64\Gcfioj32.exe Ghaeaaki.exe File opened for modification C:\Windows\SysWOW64\Mekanbol.exe Mcghajkq.exe File created C:\Windows\SysWOW64\Nfdgdh32.dll Kekkkm32.exe File opened for modification C:\Windows\SysWOW64\Opqdcgib.exe Nfhpjaba.exe File created C:\Windows\SysWOW64\Pjaihpcj.dll Jkgelh32.exe File created C:\Windows\SysWOW64\Cbcikn32.exe Cabldeik.exe File created C:\Windows\SysWOW64\Kjonihkc.dll Cejhld32.exe File created C:\Windows\SysWOW64\Ccpgdcke.dll Cacegd32.exe File created C:\Windows\SysWOW64\Fpfkhbon.exe Fimclh32.exe File opened for modification C:\Windows\SysWOW64\Ifqfge32.exe Iadnon32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4512 1344 WerFault.exe 474 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fonbff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbdpena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldooi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngcbie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emnelbdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgjhkpbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcfgfack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhlih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmpfgklo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgdbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqljdclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqngjcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eamdlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falakjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhpfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdpgnee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alncgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peapmhnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cabldeik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhfepfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fangfcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifinfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcfknooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Himkgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompgqonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dalfdjdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbldbgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgelh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhlgnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqkgbkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkdoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihaldgak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggeiooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmgnan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoijjjcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklkdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfieec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodlfmlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkanomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbcnpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaaoakmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onbkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conpdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klimcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldndng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmhcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpaceg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maabcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfdjpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcfioj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjakg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lolpah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghjqlmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaegaaah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagdgaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifqfge32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahlnl32.dll" Nbaomf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbcikn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecmhqp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fljfdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqopmbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgmndokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eebendko.dll" Eolljk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkiooocb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqdaal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbamj32.dll" Deimaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdcebagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjallnfe.dll" Chmkkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnoahlk.dll" Ekgcbcke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lphlck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpikne32.dll" Mjmiknng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clfkfeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imndmnob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jepoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbljfdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgejidgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhpen32.dll" Eaegaaah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjkdoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhlapijf.dll" Hpbhphie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkaljdaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pknakhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kppohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgpgjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljjjmeie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcagkmaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqljdclg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iapfmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghaeaaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqeqoc32.dll" Cbpcbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fonbff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpbiempj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbijpj32.dll" Bjanfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfohfk32.dll" Fnkblm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkfeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ancdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baojfoqh.dll" Ccdnipal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pebbeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlgkakb.dll" Ohncdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oegflcbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjnjfffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfjdfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjincg32.dll" Jekoljgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apeflmjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lojclibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfckhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqpiopdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plneoace.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nicfnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kennjb32.dll" Bgihjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngafdepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbpcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpinagbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilmool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbfcbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mogcelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adbmjbif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lolbjahp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdjfie32.dll" Lkepdbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfgiimk.dll" Emnelbdi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1348 wrote to memory of 2236 1348 edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe 30 PID 1348 wrote to memory of 2236 1348 edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe 30 PID 1348 wrote to memory of 2236 1348 edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe 30 PID 1348 wrote to memory of 2236 1348 edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe 30 PID 2236 wrote to memory of 2816 2236 Clfkfeno.exe 31 PID 2236 wrote to memory of 2816 2236 Clfkfeno.exe 31 PID 2236 wrote to memory of 2816 2236 Clfkfeno.exe 31 PID 2236 wrote to memory of 2816 2236 Clfkfeno.exe 31 PID 2816 wrote to memory of 2776 2816 Cbpcbo32.exe 32 PID 2816 wrote to memory of 2776 2816 Cbpcbo32.exe 32 PID 2816 wrote to memory of 2776 2816 Cbpcbo32.exe 32 PID 2816 wrote to memory of 2776 2816 Cbpcbo32.exe 32 PID 2776 wrote to memory of 2704 2776 Chmkkf32.exe 33 PID 2776 wrote to memory of 2704 2776 Chmkkf32.exe 33 PID 2776 wrote to memory of 2704 2776 Chmkkf32.exe 33 PID 2776 wrote to memory of 2704 2776 Chmkkf32.exe 33 PID 2704 wrote to memory of 2724 2704 Cogdhpkp.exe 34 PID 2704 wrote to memory of 2724 2704 Cogdhpkp.exe 34 PID 2704 wrote to memory of 2724 2704 Cogdhpkp.exe 34 PID 2704 wrote to memory of 2724 2704 Cogdhpkp.exe 34 PID 2724 wrote to memory of 2792 2724 Dhaefepn.exe 35 PID 2724 wrote to memory of 2792 2724 Dhaefepn.exe 35 PID 2724 wrote to memory of 2792 2724 Dhaefepn.exe 35 PID 2724 wrote to memory of 2792 2724 Dhaefepn.exe 35 PID 2792 wrote to memory of 1344 2792 Dalfdjdl.exe 36 PID 2792 wrote to memory of 1344 2792 Dalfdjdl.exe 36 PID 2792 wrote to memory of 1344 2792 Dalfdjdl.exe 36 PID 2792 wrote to memory of 1344 2792 Dalfdjdl.exe 36 PID 1344 wrote to memory of 2336 1344 Dgiomabc.exe 37 PID 1344 wrote to memory of 2336 1344 Dgiomabc.exe 37 PID 1344 wrote to memory of 2336 1344 Dgiomabc.exe 37 PID 1344 wrote to memory of 2336 1344 Dgiomabc.exe 37 PID 2336 wrote to memory of 3012 2336 Dpaceg32.exe 38 PID 2336 wrote to memory of 3012 2336 Dpaceg32.exe 38 PID 2336 wrote to memory of 3012 2336 Dpaceg32.exe 38 PID 2336 wrote to memory of 3012 2336 Dpaceg32.exe 38 PID 3012 wrote to memory of 2208 3012 Dilddl32.exe 39 PID 3012 wrote to memory of 2208 3012 Dilddl32.exe 39 PID 3012 wrote to memory of 2208 3012 Dilddl32.exe 39 PID 3012 wrote to memory of 2208 3012 Dilddl32.exe 39 PID 2208 wrote to memory of 1300 2208 Eeceim32.exe 40 PID 2208 wrote to memory of 1300 2208 Eeceim32.exe 40 PID 2208 wrote to memory of 1300 2208 Eeceim32.exe 40 PID 2208 wrote to memory of 1300 2208 Eeceim32.exe 40 PID 1300 wrote to memory of 1636 1300 Ecgeba32.exe 41 PID 1300 wrote to memory of 1636 1300 Ecgeba32.exe 41 PID 1300 wrote to memory of 1636 1300 Ecgeba32.exe 41 PID 1300 wrote to memory of 1636 1300 Ecgeba32.exe 41 PID 1636 wrote to memory of 2640 1636 Eehndm32.exe 42 PID 1636 wrote to memory of 2640 1636 Eehndm32.exe 42 PID 1636 wrote to memory of 2640 1636 Eehndm32.exe 42 PID 1636 wrote to memory of 2640 1636 Eehndm32.exe 42 PID 2640 wrote to memory of 2396 2640 Eaooin32.exe 43 PID 2640 wrote to memory of 2396 2640 Eaooin32.exe 43 PID 2640 wrote to memory of 2396 2640 Eaooin32.exe 43 PID 2640 wrote to memory of 2396 2640 Eaooin32.exe 43 PID 2396 wrote to memory of 904 2396 Ekgcbcke.exe 44 PID 2396 wrote to memory of 904 2396 Ekgcbcke.exe 44 PID 2396 wrote to memory of 904 2396 Ekgcbcke.exe 44 PID 2396 wrote to memory of 904 2396 Ekgcbcke.exe 44 PID 904 wrote to memory of 768 904 Fjlqcppm.exe 45 PID 904 wrote to memory of 768 904 Fjlqcppm.exe 45 PID 904 wrote to memory of 768 904 Fjlqcppm.exe 45 PID 904 wrote to memory of 768 904 Fjlqcppm.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe"C:\Users\Admin\AppData\Local\Temp\edc267da8d429920d75ab8cb125861ba66189077db2f059a849f3b43230c5476N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Clfkfeno.exeC:\Windows\system32\Clfkfeno.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Cbpcbo32.exeC:\Windows\system32\Cbpcbo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Chmkkf32.exeC:\Windows\system32\Chmkkf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Cogdhpkp.exeC:\Windows\system32\Cogdhpkp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Dhaefepn.exeC:\Windows\system32\Dhaefepn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Dalfdjdl.exeC:\Windows\system32\Dalfdjdl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Dgiomabc.exeC:\Windows\system32\Dgiomabc.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Dpaceg32.exeC:\Windows\system32\Dpaceg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Dilddl32.exeC:\Windows\system32\Dilddl32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Eeceim32.exeC:\Windows\system32\Eeceim32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Ecgeba32.exeC:\Windows\system32\Ecgeba32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Eehndm32.exeC:\Windows\system32\Eehndm32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Eaooin32.exeC:\Windows\system32\Eaooin32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Ekgcbcke.exeC:\Windows\system32\Ekgcbcke.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Fjlqcppm.exeC:\Windows\system32\Fjlqcppm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Fokfqflb.exeC:\Windows\system32\Fokfqflb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Fjajno32.exeC:\Windows\system32\Fjajno32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Fonbff32.exeC:\Windows\system32\Fonbff32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Fhfgokap.exeC:\Windows\system32\Fhfgokap.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Windows\SysWOW64\Gdodjlda.exeC:\Windows\system32\Gdodjlda.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Gimmpj32.exeC:\Windows\system32\Gimmpj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Gjccbb32.exeC:\Windows\system32\Gjccbb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Gamkol32.exeC:\Windows\system32\Gamkol32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Hpbhphie.exeC:\Windows\system32\Hpbhphie.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Hfnmbbnp.exeC:\Windows\system32\Hfnmbbnp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Himionmc.exeC:\Windows\system32\Himionmc.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Hpinagbm.exeC:\Windows\system32\Hpinagbm.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Hnnkbd32.exeC:\Windows\system32\Hnnkbd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Hehconob.exeC:\Windows\system32\Hehconob.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Imchcplm.exeC:\Windows\system32\Imchcplm.exe33⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Iocdmccp.exeC:\Windows\system32\Iocdmccp.exe34⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Ifniaeqk.exeC:\Windows\system32\Ifniaeqk.exe35⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Iadnon32.exeC:\Windows\system32\Iadnon32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Ifqfge32.exeC:\Windows\system32\Ifqfge32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Ilmool32.exeC:\Windows\system32\Ilmool32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Iiaoip32.exeC:\Windows\system32\Iiaoip32.exe39⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Jbjcaf32.exeC:\Windows\system32\Jbjcaf32.exe40⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Jehpna32.exeC:\Windows\system32\Jehpna32.exe41⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Joqdfghn.exeC:\Windows\system32\Joqdfghn.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Jkgelh32.exeC:\Windows\system32\Jkgelh32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\Jaamhb32.exeC:\Windows\system32\Jaamhb32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Jdpidm32.exeC:\Windows\system32\Jdpidm32.exe45⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Jlgaek32.exeC:\Windows\system32\Jlgaek32.exe46⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Jkjaaglp.exeC:\Windows\system32\Jkjaaglp.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Jeofnpke.exeC:\Windows\system32\Jeofnpke.exe48⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe49⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Kpbiempj.exeC:\Windows\system32\Kpbiempj.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Klijjnen.exeC:\Windows\system32\Klijjnen.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Lbfcbdce.exeC:\Windows\system32\Lbfcbdce.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Lojclibo.exeC:\Windows\system32\Lojclibo.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Lfckhc32.exeC:\Windows\system32\Lfckhc32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Lolpah32.exeC:\Windows\system32\Lolpah32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Lqmliqfj.exeC:\Windows\system32\Lqmliqfj.exe56⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Lqpiopdh.exeC:\Windows\system32\Lqpiopdh.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Lmfjcajl.exeC:\Windows\system32\Lmfjcajl.exe58⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ljjjmeie.exeC:\Windows\system32\Ljjjmeie.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:528 -
C:\Windows\SysWOW64\Mogcelgm.exeC:\Windows\system32\Mogcelgm.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Mqfooonp.exeC:\Windows\system32\Mqfooonp.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe62⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Mibdcakk.exeC:\Windows\system32\Mibdcakk.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Mcghajkq.exeC:\Windows\system32\Mcghajkq.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe65⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Mpqekkob.exeC:\Windows\system32\Mpqekkob.exe66⤵PID:824
-
C:\Windows\SysWOW64\Maabcc32.exeC:\Windows\system32\Maabcc32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Nhljpmlm.exeC:\Windows\system32\Nhljpmlm.exe68⤵PID:956
-
C:\Windows\SysWOW64\Nbaomf32.exeC:\Windows\system32\Nbaomf32.exe69⤵
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe70⤵PID:2448
-
C:\Windows\SysWOW64\Nafknbqk.exeC:\Windows\system32\Nafknbqk.exe71⤵PID:2524
-
C:\Windows\SysWOW64\Njopgh32.exeC:\Windows\system32\Njopgh32.exe72⤵PID:2972
-
C:\Windows\SysWOW64\Nplhooec.exeC:\Windows\system32\Nplhooec.exe73⤵PID:2804
-
C:\Windows\SysWOW64\Npneeocq.exeC:\Windows\system32\Npneeocq.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Nlefjpid.exeC:\Windows\system32\Nlefjpid.exe75⤵PID:2684
-
C:\Windows\SysWOW64\Omdbdb32.exeC:\Windows\system32\Omdbdb32.exe76⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Oepghe32.exeC:\Windows\system32\Oepghe32.exe77⤵PID:2552
-
C:\Windows\SysWOW64\Ohncdp32.exeC:\Windows\system32\Ohncdp32.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Obcgaill.exeC:\Windows\system32\Obcgaill.exe79⤵PID:2860
-
C:\Windows\SysWOW64\Oimpnc32.exeC:\Windows\system32\Oimpnc32.exe80⤵PID:2032
-
C:\Windows\SysWOW64\Odgqoa32.exeC:\Windows\system32\Odgqoa32.exe81⤵PID:2016
-
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe82⤵PID:2348
-
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\Pamnnemo.exeC:\Windows\system32\Pamnnemo.exe84⤵PID:1084
-
C:\Windows\SysWOW64\Pmdocf32.exeC:\Windows\system32\Pmdocf32.exe85⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe86⤵
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Plildb32.exeC:\Windows\system32\Plildb32.exe87⤵PID:944
-
C:\Windows\SysWOW64\Peapmhnk.exeC:\Windows\system32\Peapmhnk.exe88⤵
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Pojdem32.exeC:\Windows\system32\Pojdem32.exe89⤵PID:2100
-
C:\Windows\SysWOW64\Phbinc32.exeC:\Windows\system32\Phbinc32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2064 -
C:\Windows\SysWOW64\Plneoace.exeC:\Windows\system32\Plneoace.exe91⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Qefihg32.exeC:\Windows\system32\Qefihg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Qoonqmqf.exeC:\Windows\system32\Qoonqmqf.exe93⤵PID:2424
-
C:\Windows\SysWOW64\Qlbnja32.exeC:\Windows\system32\Qlbnja32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800 -
C:\Windows\SysWOW64\Andkbien.exeC:\Windows\system32\Andkbien.exe95⤵PID:3068
-
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe96⤵PID:2400
-
C:\Windows\SysWOW64\Akhkkmdh.exeC:\Windows\system32\Akhkkmdh.exe97⤵
- Drops file in System32 directory
PID:300 -
C:\Windows\SysWOW64\Aqddcdbo.exeC:\Windows\system32\Aqddcdbo.exe98⤵PID:2472
-
C:\Windows\SysWOW64\Ajmhljip.exeC:\Windows\system32\Ajmhljip.exe99⤵PID:1856
-
C:\Windows\SysWOW64\Adbmjbif.exeC:\Windows\system32\Adbmjbif.exe100⤵
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Aklefm32.exeC:\Windows\system32\Aklefm32.exe101⤵PID:328
-
C:\Windows\SysWOW64\Achikonn.exeC:\Windows\system32\Achikonn.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2388 -
C:\Windows\SysWOW64\Aqljdclg.exeC:\Windows\system32\Aqljdclg.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Agebam32.exeC:\Windows\system32\Agebam32.exe104⤵PID:1192
-
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe105⤵
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Bfkobj32.exeC:\Windows\system32\Bfkobj32.exe106⤵PID:2276
-
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe107⤵PID:2960
-
C:\Windows\SysWOW64\Bfmlgi32.exeC:\Windows\system32\Bfmlgi32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Bbdmljln.exeC:\Windows\system32\Bbdmljln.exe109⤵PID:2720
-
C:\Windows\SysWOW64\Bphmfo32.exeC:\Windows\system32\Bphmfo32.exe110⤵PID:3028
-
C:\Windows\SysWOW64\Bbfibj32.exeC:\Windows\system32\Bbfibj32.exe111⤵PID:2772
-
C:\Windows\SysWOW64\Bipaodah.exeC:\Windows\system32\Bipaodah.exe112⤵PID:2052
-
C:\Windows\SysWOW64\Bjanfl32.exeC:\Windows\system32\Bjanfl32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Ckajqo32.exeC:\Windows\system32\Ckajqo32.exe114⤵PID:836
-
C:\Windows\SysWOW64\Cmbghgdg.exeC:\Windows\system32\Cmbghgdg.exe115⤵PID:2808
-
C:\Windows\SysWOW64\Cjfgalcq.exeC:\Windows\system32\Cjfgalcq.exe116⤵PID:1744
-
C:\Windows\SysWOW64\Cgjhkpbj.exeC:\Windows\system32\Cgjhkpbj.exe117⤵
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Cabldeik.exeC:\Windows\system32\Cabldeik.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\SysWOW64\Cbcikn32.exeC:\Windows\system32\Cbcikn32.exe119⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Danohi32.exeC:\Windows\system32\Danohi32.exe120⤵PID:3060
-
C:\Windows\SysWOW64\Dbmlal32.exeC:\Windows\system32\Dbmlal32.exe121⤵PID:1884
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-