Analysis

max time kernel: 77s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2024 11:32

Static task: static1

Behavioral task: behavioral1
Sample: bf45ecb4ef6c82fb6d88e9e29120c2a5fce28933376b23e9e3acc05fb3859bf3N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: bf45ecb4ef6c82fb6d88e9e29120c2a5fce28933376b23e9e3acc05fb3859bf3N.exe
Resource: win10v2004-20240802-en

General

Target: bf45ecb4ef6c82fb6d88e9e29120c2a5fce28933376b23e9e3acc05fb3859bf3N.exe
Size: 168KB
MD5: ab7391ddfb4572cf9e21f99c0d445500
SHA1: 2118f685b23c4b1791e32e81a649bbff089adba0
SHA256: bf45ecb4ef6c82fb6d88e9e29120c2a5fce28933376b23e9e3acc05fb3859bf3
SHA512: c396c98ca1d299ea420cc6031c8e1f50cc80e59a13cd6c443cac21be02f4a8e083e87ea47bb5dbaf4d8f022c1a196795f64d4b09625b9dbc1dc494008b2e9520
SSDEEP: 3072:xroDOcBNPyygE2cpFwpDuJ8mF9YNTyr4p9t4W987u1j5FaoJ5pFwr:NoXBNTgqFwpo8mFCNkq9tr987u1dFVr0
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 5012, pid_target: 540, Process: WerFault.exe, procid_target: 523
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oappof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggkpemf.dll" Kipfhbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhaodqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgjgbhm.dll" Mpgccm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omipbpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ampbbbbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikmmqg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgjdecca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aponkg32.dll" Kaedmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfaqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaglqfnl.dll" Cnbgfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hembfo32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pocbcp32.dll" Minika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnnjib32.dll" Fcfmacce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdqlpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdeimnj.dll" Hdeekjmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlnfof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibghfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmliofdg.dll" Cnodfbdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjlhcegl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdpqec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnlfhhj.dll" Digfil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klaojm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bannajom.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eehbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbbppoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbenoccc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djieql32.dll" Aalcdngp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcajdg32.dll" Hjgnhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hembfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eebpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglmdbad.dll" Lmkhmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opepik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmbigp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fikgaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieppah32.dll" Oclkdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Comgod32.dll" Pggcdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjnjhcqo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Moqkgmol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Admnob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boedge32.dll" | Ejleamon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ifhdlo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibgcqpkl.dll" | Hlcimd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjdgnaj.dll" | Fmbigp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejbgpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dqdfbmmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Agkhbece.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbqefbff.dll" | Npcdlp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfail32.dll" | Encgglkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajfkpod.dll" | Oipdhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ikbidp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fdmhnqjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcbkiem.dll" | Ghmjib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbhdic32.dll" | Dhdcfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkbcoab.dll" | Ofoemm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ciemdiph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhcmld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jnhblp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lgobkdom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbkodfgc.dll" | Oqkimp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiakfn32.dll" | Cgjlonld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geflbg32.dll" | Afpnikda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bkcmba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjhjcm32.exe
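The registry writes above register a 32-bit in-process COM server for CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under the WOW64 view of HKLM\SOFTWARE\Classes, pointing it at a freshly dropped DLL in SysWOW64, and reference that CLSID from ShellServiceObjectDelayLoad so explorer.exe loads the DLL at every logon. Each dropped stage re-points the same CLSID at its own DLL. The PowerShell below is an added example, not part of the sandbox report or of the sample, that checks a host for this kind of entry: it walks both SSODL views, resolves each CLSID's InProcServer32 in the native and Wow6432Node class hives, and reports the DLL's Authenticode status. The only value taken from the report is the CLSID constant; everything else assumes the documented registry layout and standard cmdlets (PowerShell 3.0 or later, run elevated). Because the malicious DLL sits inside SysWOW64, a path-based check is not enough; the unsigned-DLL flag is the signal. A default Windows 7 install carries a legitimate WebCheck entry in SSODL, so treat the output as a review list rather than a verdict.

```powershell
# Added example, not from the sandbox report: list every ShellServiceObjectDelayLoad
# entry, resolve the COM server it points at, and report that DLL's signature status.
# Requires PowerShell 3.0+ ([pscustomobject]); run in an elevated session on the host.

$ReportClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'   # CLSID recorded in the report above

$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'   # where a server registered by a 32-bit process lands
)
# Get-ItemProperty adds these provider properties to every result; they are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-InProcServer32 {
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path -Path $root -ChildPath "$Clsid\InProcServer32"
        if (-not (Test-Path -Path $key)) { continue }
        $dll = (Get-ItemProperty -Path $key).'(default)'   # the (default) value holds the DLL path
        if ($dll) {
            return [pscustomobject]@{ Key = $key; Dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
}

$results = foreach ($ssodl in $SsodlKeys) {
    if (-not (Test-Path -Path $ssodl)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $ssodl).PSObject.Properties) {
        if ($ProviderProps -contains $prop.Name) { continue }
        $clsid  = [string]$prop.Value
        $server = Resolve-InProcServer32 -Clsid $clsid
        $status = 'no InProcServer32'
        if ($server) {
            # A bare file name (no directory) is not resolved here and will show as missing.
            if (Test-Path -LiteralPath $server.Dll) {
                $status = [string](Get-AuthenticodeSignature -FilePath $server.Dll).Status
            } else {
                $status = 'file missing'
            }
        }
        $dllPath = $null
        if ($server) { $dllPath = $server.Dll }
        $flags = @()
        if ($clsid -ieq $ReportClsid) { $flags += 'CLSID matches report' }
        if ($status -ne 'Valid')      { $flags += 'server DLL not validly signed' }
        [pscustomobject]@{
            SsodlKey  = $ssodl
            ValueName = $prop.Name
            CLSID     = $clsid
            ServerDll = $dllPath
            Signature = $status
            Flags     = ($flags -join '; ')
        }
    }
}

$results | Format-List
```

Run it on a 64-bit host as an elevated session so both the native and Wow6432Node views are visible; on a 32-bit host the Wow6432Node paths simply do not exist and are skipped.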
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2292 wrote to memory of 2812 | 2292 | bf45ecb4ef6c82fb6d88e9e29120c2a5fce28933376b23e9e3acc05fb3859bf3N.exe | 29
PID 2292 wrote to memory of 2812 | 2292 | bf45ecb4ef6c82fb6d88e9e29120c2a5fce28933376b23e9e3acc05fb3859bf3N.exe | 29
PID 2292 wrote to memory of 2812 | 2292 | bf45ecb4ef6c82fb6d88e9e29120c2a5fce28933376b23e9e3acc05fb3859bf3N.exe | 29
PID 2292 wrote to memory of 2812 | 2292 | bf45ecb4ef6c82fb6d88e9e29120c2a5fce28933376b23e9e3acc05fb3859bf3N.exe | 29
PID 2812 wrote to memory of 2764 | 2812 | Opaggdfa.exe | 30
PID 2812 wrote to memory of 2764 | 2812 | Opaggdfa.exe | 30
PID 2812 wrote to memory of 2764 | 2812 | Opaggdfa.exe | 30
PID 2812 wrote to memory of 2764 | 2812 | Opaggdfa.exe | 30
PID 2764 wrote to memory of 2672 | 2764 | Oogdiqki.exe | 31
PID 2764 wrote to memory of 2672 | 2764 | Oogdiqki.exe | 31
PID 2764 wrote to memory of 2672 | 2764 | Oogdiqki.exe | 31
PID 2764 wrote to memory of 2672 | 2764 | Oogdiqki.exe | 31
PID 2672 wrote to memory of 2640 | 2672 | Pkpacaoj.exe | 32
PID 2672 wrote to memory of 2640 | 2672 | Pkpacaoj.exe | 32
PID 2672 wrote to memory of 2640 | 2672 | Pkpacaoj.exe | 32
PID 2672 wrote to memory of 2640 | 2672 | Pkpacaoj.exe | 32
PID 2640 wrote to memory of 2592 | 2640 | Pkdknq32.exe | 33
PID 2640 wrote to memory of 2592 | 2640 | Pkdknq32.exe | 33
PID 2640 wrote to memory of 2592 | 2640 | Pkdknq32.exe | 33
PID 2640 wrote to memory of 2592 | 2640 | Pkdknq32.exe | 33
PID 2592 wrote to memory of 2968 | 2592 | Pgnhiaof.exe | 34
PID 2592 wrote to memory of 2968 | 2592 | Pgnhiaof.exe | 34
PID 2592 wrote to memory of 2968 | 2592 | Pgnhiaof.exe | 34
PID 2592 wrote to memory of 2968 | 2592 | Pgnhiaof.exe | 34
PID 2968 wrote to memory of 588 | 2968 | Qokjcc32.exe | 35
PID 2968 wrote to memory of 588 | 2968 | Qokjcc32.exe | 35
PID 2968 wrote to memory of 588 | 2968 | Qokjcc32.exe | 35
PID 2968 wrote to memory of 588 | 2968 | Qokjcc32.exe | 35
PID 588 wrote to memory of 2260 | 588 | Aalcdngp.exe | 36
PID 588 wrote to memory of 2260 | 588 | Aalcdngp.exe | 36
PID 588 wrote to memory of 2260 | 588 | Aalcdngp.exe | 36
PID 588 wrote to memory of 2260 | 588 | Aalcdngp.exe | 36
PID 2260 wrote to memory of 2436 | 2260 | Agkhbece.exe | 37
PID 2260 wrote to memory of 2436 | 2260 | Agkhbece.exe | 37
PID 2260 wrote to memory of 2436 | 2260 | Agkhbece.exe | 37
PID 2260 wrote to memory of 2436 | 2260 | Agkhbece.exe | 37
PID 2436 wrote to memory of 896 | 2436 | Akiahcik.exe | 38
PID 2436 wrote to memory of 896 | 2436 | Akiahcik.exe | 38
PID 2436 wrote to memory of 896 | 2436 | Akiahcik.exe | 38
PID 2436 wrote to memory of 896 | 2436 | Akiahcik.exe | 38
PID 896 wrote to memory of 572 | 896 | Bokfaflj.exe | 39
PID 896 wrote to memory of 572 | 896 | Bokfaflj.exe | 39
PID 896 wrote to memory of 572 | 896 | Bokfaflj.exe | 39
PID 896 wrote to memory of 572 | 896 | Bokfaflj.exe | 39
PID 572 wrote to memory of 1248 | 572 | Biegpl32.exe | 40
PID 572 wrote to memory of 1248 | 572 | Biegpl32.exe | 40
PID 572 wrote to memory of 1248 | 572 | Biegpl32.exe | 40
PID 572 wrote to memory of 1248 | 572 | Biegpl32.exe | 40
PID 1248 wrote to memory of 608 | 1248 | Bbbedqcc.exe | 41
PID 1248 wrote to memory of 608 | 1248 | Bbbedqcc.exe | 41
PID 1248 wrote to memory of 608 | 1248 | Bbbedqcc.exe | 41
PID 1248 wrote to memory of 608 | 1248 | Bbbedqcc.exe | 41
PID 608 wrote to memory of 2216 | 608 | Cjnjhcqo.exe | 42
PID 608 wrote to memory of 2216 | 608 | Cjnjhcqo.exe | 42
PID 608 wrote to memory of 2216 | 608 | Cjnjhcqo.exe | 42
PID 608 wrote to memory of 2216 | 608 | Cjnjhcqo.exe | 42
PID 2216 wrote to memory of 1644 | 2216 | Cfidhcbm.exe | 43
PID 2216 wrote to memory of 1644 | 2216 | Cfidhcbm.exe | 43
PID 2216 wrote to memory of 1644 | 2216 | Cfidhcbm.exe | 43
PID 2216 wrote to memory of 1644 | 2216 | Cfidhcbm.exe | 43
PID 1644 wrote to memory of 1944 | 1644 | Diljpn32.exe | 44
PID 1644 wrote to memory of 1944 | 1644 | Diljpn32.exe | 44
PID 1644 wrote to memory of 1944 | 1644 | Diljpn32.exe | 44
PID 1644 wrote to memory of 1944 | 1644 | Diljpn32.exe | 44
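The writes above form a strict chain: each dropped executable writes into the memory of exactly one child, which is the next stage. Each stage's image lives in C:\Windows\SysWOW64 while its command line names C:\Windows\system32, because the WOW64 file system redirector maps a 32-bit process's System32 paths to SysWOW64. The PowerShell below is an added hunt, not part of the report or the sample, that looks for this pattern on a live host: processes whose image is an unsigned file in SysWOW64 and whose parent is another unsigned SysWOW64 image created earlier. It assumes PowerShell 3.0 or later for Get-CimInstance and [pscustomobject]; Windows 7's stock PowerShell 2.0 needs Get-WmiObject -Class Win32_Process instead, with CreationDate converted through [Management.ManagementDateTimeConverter]::ToDateTime.

```powershell
# Added example, not from the sandbox report: find chains of unsigned SysWOW64
# executables that start one another, as the WriteProcessMemory table shows.
# Requires PowerShell 3.0+; run elevated so every process's image path is readable.

$SysWow64 = Join-Path -Path $env:SystemRoot -ChildPath 'SysWOW64'

# Snapshot every process with a resolvable image path and check its signature once.
$procs = foreach ($w in Get-CimInstance -ClassName Win32_Process) {
    if (-not $w.ExecutablePath) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $w.ExecutablePath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Pid        = [int]$w.ProcessId
        ParentPid  = [int]$w.ParentProcessId
        Path       = $w.ExecutablePath
        Created    = $w.CreationDate
        InSysWow64 = ((Split-Path -Path $w.ExecutablePath -Parent) -ieq $SysWow64)
        Signed     = ($null -ne $sig -and $sig.Status -eq 'Valid')
    }
}

$byPid = @{}
foreach ($p in $procs) { $byPid[$p.Pid] = $p }

# A hit is an unsigned SysWOW64 image whose parent is also an unsigned SysWOW64 image
# and was created no later than the child; the timestamp check guards against the
# recorded parent PID having been reused by an unrelated process since.
$hits = foreach ($p in $procs) {
    if (-not ($p.InSysWow64 -and -not $p.Signed)) { continue }
    $parent = $byPid[$p.ParentPid]
    if ($null -eq $parent) { continue }
    if (-not ($parent.InSysWow64 -and -not $parent.Signed)) { continue }
    if ($parent.Created -and $p.Created -and $parent.Created -le $p.Created) {
        [pscustomobject]@{
            Pid         = $p.Pid
            Image       = $p.Path
            ParentPid   = $parent.Pid
            ParentImage = $parent.Path
        }
    }
}

$hits | Sort-Object -Property Pid | Format-Table -AutoSize
```

On the run recorded above this would list every stage from Opaggdfa.exe onward, each paired with the stage that spawned it; the initial sample in the user's Temp directory does not match the SysWOW64 filter and shows up only as a parent. Stages that have already exited are invisible to a live process snapshot, so pair this with Security 4688 or Sysmon process-creation events when the chain is no longer running.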
Processes
One entry per process: tree level, PID, image path and command line, followed by the signatures that fired for it. Each level-N process was started by the level-(N-1) process above it.

level 1, PID 2292: C:\Users\Admin\AppData\Local\Temp\bf45ecb4ef6c82fb6d88e9e29120c2a5fce28933376b23e9e3acc05fb3859bf3N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\bf45ecb4ef6c82fb6d88e9e29120c2a5fce28933376b23e9e3acc05fb3859bf3N.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
level 2, PID 2812: C:\Windows\SysWOW64\Opaggdfa.exe (command line: C:\Windows\system32\Opaggdfa.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
level 3, PID 2764: C:\Windows\SysWOW64\Oogdiqki.exe (command line: C:\Windows\system32\Oogdiqki.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
level 4, PID 2672: C:\Windows\SysWOW64\Pkpacaoj.exe (command line: C:\Windows\system32\Pkpacaoj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
level 5, PID 2640: C:\Windows\SysWOW64\Pkdknq32.exe (command line: C:\Windows\system32\Pkdknq32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
level 6, PID 2592: C:\Windows\SysWOW64\Pgnhiaof.exe (command line: C:\Windows\system32\Pgnhiaof.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
level 7, PID 2968: C:\Windows\SysWOW64\Qokjcc32.exe (command line: C:\Windows\system32\Qokjcc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
level 8, PID 588: C:\Windows\SysWOW64\Aalcdngp.exe (command line: C:\Windows\system32\Aalcdngp.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
level 9, PID 2260: C:\Windows\SysWOW64\Agkhbece.exe (command line: C:\Windows\system32\Agkhbece.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
level 10, PID 2436: C:\Windows\SysWOW64\Akiahcik.exe (command line: C:\Windows\system32\Akiahcik.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
level 11, PID 896: C:\Windows\SysWOW64\Bokfaflj.exe (command line: C:\Windows\system32\Bokfaflj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
level 12, PID 572: C:\Windows\SysWOW64\Biegpl32.exe (command line: C:\Windows\system32\Biegpl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
level 13, PID 1248: C:\Windows\SysWOW64\Bbbedqcc.exe (command line: C:\Windows\system32\Bbbedqcc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
level 14, PID 608: C:\Windows\SysWOW64\Cjnjhcqo.exe (command line: C:\Windows\system32\Cjnjhcqo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
level 15, PID 2216: C:\Windows\SysWOW64\Cfidhcbm.exe (command line: C:\Windows\system32\Cfidhcbm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
level 16, PID 1644: C:\Windows\SysWOW64\Diljpn32.exe (command line: C:\Windows\system32\Diljpn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
level 17, PID 1944: C:\Windows\SysWOW64\Dhdcfj32.exe (command line: C:\Windows\system32\Dhdcfj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
level 18, PID 1384: C:\Windows\SysWOW64\Dhfpljnn.exe (command line: C:\Windows\system32\Dhfpljnn.exe)
- Executes dropped EXE
- Loads dropped DLL
level 19, PID 2988: C:\Windows\SysWOW64\Ddmaak32.exe (command line: C:\Windows\system32\Ddmaak32.exe)
- Executes dropped EXE
- Loads dropped DLL
level 20, PID 3016: C:\Windows\SysWOW64\Ecdkgg32.exe (command line: C:\Windows\system32\Ecdkgg32.exe)
- Executes dropped EXE
- Loads dropped DLL
level 21, PID 808: C:\Windows\SysWOW64\Egbcne32.exe (command line: C:\Windows\system32\Egbcne32.exe)
- Executes dropped EXE
- Loads dropped DLL
level 22, PID 1964: C:\Windows\SysWOW64\Eehpoaaf.exe (command line: C:\Windows\system32\Eehpoaaf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
level 23, PID 2412: C:\Windows\SysWOW64\Faanibeh.exe (command line: C:\Windows\system32\Faanibeh.exe)
- Executes dropped EXE
- Loads dropped DLL
level 24, PID 2176: C:\Windows\SysWOW64\Flfbfken.exe (command line: C:\Windows\system32\Flfbfken.exe)
- Executes dropped EXE
- Loads dropped DLL
level 25, PID 2680: C:\Windows\SysWOW64\Fphgpnhm.exe (command line: C:\Windows\system32\Fphgpnhm.exe)
- Executes dropped EXE
- Loads dropped DLL
level 26, PID 2788: C:\Windows\SysWOW64\Fahdja32.exe (command line: C:\Windows\system32\Fahdja32.exe)
- Executes dropped EXE
- Loads dropped DLL
level 27, PID 2116: C:\Windows\SysWOW64\Gbecce32.exe (command line: C:\Windows\system32\Gbecce32.exe)
- Executes dropped EXE
- Loads dropped DLL
level 28, PID 2704: C:\Windows\SysWOW64\Gbhpidak.exe (command line: C:\Windows\system32\Gbhpidak.exe)
- Executes dropped EXE
- Loads dropped DLL
level 29, PID 2624: C:\Windows\SysWOW64\Hidekn32.exe (command line: C:\Windows\system32\Hidekn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
level 30, PID 2596: C:\Windows\SysWOW64\Hblidd32.exe (command line: C:\Windows\system32\Hblidd32.exe)
- Executes dropped EXE
- Loads dropped DLL
level 31, PID 2100: C:\Windows\SysWOW64\Hjgnhf32.exe (command line: C:\Windows\system32\Hjgnhf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
level 32, PID 2384: C:\Windows\SysWOW64\Hembfo32.exe (command line: C:\Windows\system32\Hembfo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
level 33, PID 2004: C:\Windows\SysWOW64\Hmhgjahb.exe (command line: C:\Windows\system32\Hmhgjahb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
level 34, PID 2504: C:\Windows\SysWOW64\Hjlhcegl.exe (command line: C:\Windows\system32\Hjlhcegl.exe)
- Executes dropped EXE
- Modifies registry class
level 35, PID 552: C:\Windows\SysWOW64\Ifchhf32.exe (command line: C:\Windows\system32\Ifchhf32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
level 36, PID 928: C:\Windows\SysWOW64\Immqeq32.exe (command line: C:\Windows\system32\Immqeq32.exe)
- Executes dropped EXE
level 37, PID 2220: C:\Windows\SysWOW64\Iidajaiq.exe (command line: C:\Windows\system32\Iidajaiq.exe)
- Executes dropped EXE
level 38, PID 1916: C:\Windows\SysWOW64\Inqjbhhh.exe (command line: C:\Windows\system32\Inqjbhhh.exe)
- Executes dropped EXE
level 39, PID 1776: C:\Windows\SysWOW64\Ippflkok.exe (command line: C:\Windows\system32\Ippflkok.exe)
- Executes dropped EXE
level 40, PID 2232: C:\Windows\SysWOW64\Iihkea32.exe (command line: C:\Windows\system32\Iihkea32.exe)
- Executes dropped EXE
level 41, PID 600: C:\Windows\SysWOW64\Ieokjbkp.exe (command line: C:\Windows\system32\Ieokjbkp.exe)
- Executes dropped EXE
level 42, PID 916: C:\Windows\SysWOW64\Jjldbiig.exe (command line: C:\Windows\system32\Jjldbiig.exe)
- Executes dropped EXE
level 43, PID 1440: C:\Windows\SysWOW64\Jllpmlqj.exe (command line: C:\Windows\system32\Jllpmlqj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
level 44, PID 1552: C:\Windows\SysWOW64\Jedeea32.exe (command line: C:\Windows\system32\Jedeea32.exe)
- Executes dropped EXE
- Drops file in System32 directory
level 45, PID 700: C:\Windows\SysWOW64\Jkqmnh32.exe (command line: C:\Windows\system32\Jkqmnh32.exe)
- Executes dropped EXE
- Drops file in System32 directory
level 46, PID 2324: C:\Windows\SysWOW64\Jhengldk.exe (command line: C:\Windows\system32\Jhengldk.exe)
- Executes dropped EXE
level 47, PID 1672: C:\Windows\SysWOW64\Jppbkoaf.exe (command line: C:\Windows\system32\Jppbkoaf.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
level 48, PID 2456: C:\Windows\SysWOW64\Jgjkhi32.exe (command line: C:\Windows\system32\Jgjkhi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 49, PID 2688: C:\Windows\SysWOW64\Keohie32.exe (command line: C:\Windows\system32\Keohie32.exe)
- Executes dropped EXE
level 50, PID 2700: C:\Windows\SysWOW64\Klipfpeh.exe (command line: C:\Windows\system32\Klipfpeh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 51, PID 2696: C:\Windows\SysWOW64\Klkmkoce.exe (command line: C:\Windows\system32\Klkmkoce.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
level 52, PID 2548: C:\Windows\SysWOW64\Kahedf32.exe (command line: C:\Windows\system32\Kahedf32.exe)
- Executes dropped EXE
level 53, PID 2660: C:\Windows\SysWOW64\Kajbie32.exe (command line: C:\Windows\system32\Kajbie32.exe)
- Executes dropped EXE
level 54, PID 2952: C:\Windows\SysWOW64\Koobcj32.exe (command line: C:\Windows\system32\Koobcj32.exe)
- Executes dropped EXE
level 55, PID 2236: C:\Windows\SysWOW64\Khgglp32.exe (command line: C:\Windows\system32\Khgglp32.exe)
- Executes dropped EXE
level 56, PID 2012: C:\Windows\SysWOW64\Lncodf32.exe (command line: C:\Windows\system32\Lncodf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 57, PID 108: C:\Windows\SysWOW64\Lnflif32.exe (command line: C:\Windows\system32\Lnflif32.exe)
- Executes dropped EXE
level 58, PID 2468: C:\Windows\SysWOW64\Lccdamop.exe (command line: C:\Windows\system32\Lccdamop.exe)
- Executes dropped EXE
level 59, PID 1080: C:\Windows\SysWOW64\Llkijb32.exe (command line: C:\Windows\system32\Llkijb32.exe)
- Executes dropped EXE
level 60, PID 2124: C:\Windows\SysWOW64\Lgqmhk32.exe (command line: C:\Windows\system32\Lgqmhk32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
level 61, PID 2352: C:\Windows\SysWOW64\Llnepb32.exe (command line: C:\Windows\system32\Llnepb32.exe)
- Executes dropped EXE
level 62, PID 2284: C:\Windows\SysWOW64\Lgcjmkcd.exe (command line: C:\Windows\system32\Lgcjmkcd.exe)
- Executes dropped EXE
level 63, PID 936: C:\Windows\SysWOW64\Mjdcofpe.exe (command line: C:\Windows\system32\Mjdcofpe.exe)
- Executes dropped EXE
level 64, PID 1856: C:\Windows\SysWOW64\Moqkgmol.exe (command line: C:\Windows\system32\Moqkgmol.exe)
- Executes dropped EXE
- Modifies registry class
level 65, PID 1404: C:\Windows\SysWOW64\Mkgllndq.exe (command line: C:\Windows\system32\Mkgllndq.exe)
- Executes dropped EXE
level 66, PID 3024: C:\Windows\SysWOW64\Mdpqec32.exe (command line: C:\Windows\system32\Mdpqec32.exe)
- Modifies registry class
level 67, PID 2196: C:\Windows\SysWOW64\Mnheniaa.exe (command line: C:\Windows\system32\Mnheniaa.exe)
- Drops file in System32 directory
level 68, PID 1488: C:\Windows\SysWOW64\Minika32.exe (command line: C:\Windows\system32\Minika32.exe)
- Modifies registry class
level 69, PID 2432: C:\Windows\SysWOW64\Mqinpd32.exe (command line: C:\Windows\system32\Mqinpd32.exe)
level 70, PID 3032: C:\Windows\SysWOW64\Mknbmm32.exe (command line: C:\Windows\system32\Mknbmm32.exe)
- System Location Discovery: System Language Discovery
level 71, PID 2804: C:\Windows\SysWOW64\Mmpodedg.exe (command line: C:\Windows\system32\Mmpodedg.exe)
level 72, PID 2808: C:\Windows\SysWOW64\Nmbkje32.exe (command line: C:\Windows\system32\Nmbkje32.exe)
level 73, PID 2612: C:\Windows\SysWOW64\Njflci32.exe (command line: C:\Windows\system32\Njflci32.exe)
level 74, PID 2556: C:\Windows\SysWOW64\Npcdlp32.exe (command line: C:\Windows\system32\Npcdlp32.exe)
- Modifies registry class
level 75, PID 644: C:\Windows\SysWOW64\Npeaapmb.exe (command line: C:\Windows\system32\Npeaapmb.exe)
- System Location Discovery: System Language Discovery
level 76, PID 1960: C:\Windows\SysWOW64\Nbcmnklf.exe (command line: C:\Windows\system32\Nbcmnklf.exe)
level 77, PID 2444: C:\Windows\SysWOW64\Nmiakdll.exe (command line: C:\Windows\system32\Nmiakdll.exe)
level 78, PID 964: C:\Windows\SysWOW64\Nedfofig.exe (command line: C:\Windows\system32\Nedfofig.exe)
- Drops file in System32 directory
level 79, PID 1260: C:\Windows\SysWOW64\Oheoaa32.exe (command line: C:\Windows\system32\Oheoaa32.exe)
level 80, PID 2112: C:\Windows\SysWOW64\Oamcjgmi.exe (command line: C:\Windows\system32\Oamcjgmi.exe)
level 81, PID 1204: C:\Windows\SysWOW64\Oappof32.exe (command line: C:\Windows\system32\Oappof32.exe)
- Modifies registry class
level 82, PID 1740: C:\Windows\SysWOW64\Ohjhlqbc.exe (command line: C:\Windows\system32\Ohjhlqbc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
level 83, PID 2864: C:\Windows\SysWOW64\Ofoemm32.exe (command line: C:\Windows\system32\Ofoemm32.exe)
- Modifies registry class
level 84, PID 1124: C:\Windows\SysWOW64\Oadjjfga.exe (command line: C:\Windows\system32\Oadjjfga.exe)
level 85, PID 2164: C:\Windows\SysWOW64\Plnkkccp.exe (command line: C:\Windows\system32\Plnkkccp.exe)
- System Location Discovery: System Language Discovery
level 86, PID 2452: C:\Windows\SysWOW64\Qganapgc.exe (command line: C:\Windows\system32\Qganapgc.exe)
level 87, PID 2224: C:\Windows\SysWOW64\Qgckgp32.exe (command line: C:\Windows\system32\Qgckgp32.exe)
- Drops file in System32 directory
level 88, PID 2748: C:\Windows\SysWOW64\Anppiikk.exe (command line: C:\Windows\system32\Anppiikk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
level 89, PID 2892: C:\Windows\SysWOW64\Aghdboal.exe (command line: C:\Windows\system32\Aghdboal.exe)
level 90, PID 2708: C:\Windows\SysWOW64\Appikd32.exe (command line: C:\Windows\system32\Appikd32.exe)
- System Location Discovery: System Language Discovery
level 91, PID 2604: C:\Windows\SysWOW64\Ahlnpg32.exe (command line: C:\Windows\system32\Ahlnpg32.exe)
level 92, PID 2628: C:\Windows\SysWOW64\Aoeflamd.exe (command line: C:\Windows\system32\Aoeflamd.exe)
level 93, PID 1436: C:\Windows\SysWOW64\Afpnikda.exe (command line: C:\Windows\system32\Afpnikda.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
level 94, PID 1580: C:\Windows\SysWOW64\Aohbaq32.exe (command line: C:\Windows\system32\Aohbaq32.exe)
level 95, PID 1524: C:\Windows\SysWOW64\Bkocgape.exe (command line: C:\Windows\system32\Bkocgape.exe)
- Drops file in System32 directory
level 96, PID 2916: C:\Windows\SysWOW64\Bdghpggf.exe (command line: C:\Windows\system32\Bdghpggf.exe)
- Drops file in System32 directory
level 97, PID 2088: C:\Windows\SysWOW64\Bqnidh32.exe (command line: C:\Windows\system32\Bqnidh32.exe)
level 98, PID 3064: C:\Windows\SysWOW64\Bkcmba32.exe (command line: C:\Windows\system32\Bkcmba32.exe)
- Modifies registry class
level 99, PID 804: C:\Windows\SysWOW64\Bcoafcjk.exe (command line: C:\Windows\system32\Bcoafcjk.exe)
level 100, PID 2404: C:\Windows\SysWOW64\Bjhjcm32.exe (command line: C:\Windows\system32\Bjhjcm32.exe)
- Drops file in System32 directory
- Modifies registry class
level 101, PID 576: C:\Windows\SysWOW64\Bjkfhm32.exe (command line: C:\Windows\system32\Bjkfhm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
level 102, PID 2460: C:\Windows\SysWOW64\Ccckabef.exe (command line: C:\Windows\system32\Ccckabef.exe)
level 103, PID 1060: C:\Windows\SysWOW64\Cipcii32.exe (command line: C:\Windows\system32\Cipcii32.exe)
level 104, PID 3056: C:\Windows\SysWOW64\Ccehgb32.exe (command line: C:\Windows\system32\Ccehgb32.exe)
level 105, PID 1596: C:\Windows\SysWOW64\Cbkdhohk.exe (command line: C:\Windows\system32\Cbkdhohk.exe)
level 106, PID 2536: C:\Windows\SysWOW64\Ciemdiph.exe (command line: C:\Windows\system32\Ciemdiph.exe)
- Modifies registry class
level 107, PID 1676: C:\Windows\SysWOW64\Cnaempnp.exe (command line: C:\Windows\system32\Cnaempnp.exe)
- Drops file in System32 directory
level 108, PID 1328: C:\Windows\SysWOW64\Cfimnmoa.exe (command line: C:\Windows\system32\Cfimnmoa.exe)
level 109, PID 1920: C:\Windows\SysWOW64\Cndbbolm.exe (command line: C:\Windows\system32\Cndbbolm.exe)
- System Location Discovery: System Language Discovery
level 110, PID 2852: C:\Windows\SysWOW64\Diifph32.exe (command line: C:\Windows\system32\Diifph32.exe)
level 111, PID 2204: C:\Windows\SysWOW64\Dbbkhnbc.exe (command line: C:\Windows\system32\Dbbkhnbc.exe)
level 112, PID 1728: C:\Windows\SysWOW64\Dljoac32.exe (command line: C:\Windows\system32\Dljoac32.exe)
level 113, PID 1020: C:\Windows\SysWOW64\Dhapfd32.exe (command line: C:\Windows\system32\Dhapfd32.exe)
level 114, PID 1104: C:\Windows\SysWOW64\Dnkhcnfe.exe (command line: C:\Windows\system32\Dnkhcnfe.exe)
level 115, PID 1988: C:\Windows\SysWOW64\Dhcmld32.exe (command line: C:\Windows\system32\Dhcmld32.exe)
- Drops file in System32 directory
- Modifies registry class
level 116, PID 2496: C:\Windows\SysWOW64\Didiclbc.exe (command line: C:\Windows\system32\Didiclbc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
level 117, PID 2964: C:\Windows\SysWOW64\Digfil32.exe (command line: C:\Windows\system32\Digfil32.exe)
- Drops file in System32 directory
- Modifies registry class
level 118, PID 2644: C:\Windows\SysWOW64\Efkfbp32.exe (command line: C:\Windows\system32\Efkfbp32.exe)
level 119, PID 2740: C:\Windows\SysWOW64\Elhokg32.exe (command line: C:\Windows\system32\Elhokg32.exe)
level 120, PID 2248: C:\Windows\SysWOW64\Ebaggaeo.exe (command line: C:\Windows\system32\Ebaggaeo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
level 121, PID 2832: C:\Windows\SysWOW64\Ehnpph32.exe (command line: C:\Windows\system32\Ehnpph32.exe)
level 122, PID 1936: C:\Windows\SysWOW64\Eebpil32.exe (command line: C:\Windows\system32\Eebpil32.exe)
- Modifies registry class