Analysis
max time kernel: 80s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-09-2024 22:37
Static task
static1

Behavioral task behavioral1
Sample: c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be.exe
Resource: win10v2004-20240802-en
General
Target: c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be.exe
Size: 304KB
MD5: ee0168c9e505f0b5647d2b4afbf9627d
SHA1: 0ad0720fd44f64ec898d3e7a31b8fb9abf205211
SHA256: c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be
SHA512: 127d2e9f46bfc6eae399a7eaee2b81469d44f6d84ab26529686ec6964cff47beb538e4da735428a754b99e3e9e033c90b893fd12d15e4c92b7c13d244e6a9564
SSDEEP: 6144:lu5W8wX+K+soB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6MxE:lu4+N6t3XGCByvNv54B9f01ZmHByvNE
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 rows touch the same key, HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the report writes it in kernel form as \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\...; the "Key created" rows spell the second component \Software\, a case-only difference in a case-insensitive path). The rows are grouped below by operation; the process column is the dropped executable that performed it.

Key created (the ShellServiceObjectDelayLoad key itself), 31 rows:
Oqmohi32.exe, Kmanmi32.exe, Djeoan32.exe, Gbchijlk.exe, Mjoecjgf.exe, Qpgachdo.exe, Ehaonphg.exe, Paoedc32.exe,
Dhbhloho.exe, Abieajgi.exe, Bdlccoje.exe, Gikcqd32.exe, Gbilpl32.exe, Ifkgldag.exe, Kphbom32.exe, Boekqn32.exe,
Lflokn32.exe, Jbnogjqj.exe, Clqknppe.exe, Pcmcmcjc.exe, Cpabgb32.exe, Fpedph32.exe, Hoaooj32.exe, Lnpejklj.exe,
Icgibkki.exe, Edljfd32.exe, Ganiah32.exe, Kelfbh32.exe, Lqknfq32.exe, Moanpe32.exe, Hpoenc32.exe

Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}", 33 rows:
Cldagoib.exe, Adjkol32.exe, Cnddkh32.exe, Efakjgni.exe, Olijen32.exe, Fhhbffkk.exe, Eiabbicf.exe, Hhgdig32.exe,
Iocekd32.exe, Cnlcoage.exe, Dhbhloho.exe, Nfmoabnf.exe, Nnjnbl32.exe, Enkgkj32.exe, Ljmmng32.exe, Eaiqnmgd.exe,
Gnaadb32.exe, Aplbin32.exe, Omfadgqj.exe, Mgoojgai.exe, Mgcflnfp.exe, Cfddcn32.exe, Lbemeo32.exe, Olnnlpqd.exe,
Bhfjid32.exe, Hnapln32.exe, Ggaeae32.exe, Cjchec32.exe, Miqmkh32.exe, Eiapjq32.exe, Kakdbngn.exe, Ebdffijp.exe,
Mhdace32.exe
Executes dropped EXE (64 IoCs)
pid Process, four entries per line:
2032 Iljjabfh.exe, 2104 Jfoookfn.exe, 2060 Joomnm32.exe, 2804 Kdckgc32.exe
2868 Kckeno32.exe, 2776 Lodbhp32.exe, 2660 Ljbmdmfc.exe, 2520 Lnpejklj.exe
2336 Mmjlfgml.exe, 968 Miqmkh32.exe, 2156 Nlafmcpa.exe, 2888 Njklioqd.exe
2328 Odhjmc32.exe, 692 Oijlpjma.exe, 2968 Pgdfbb32.exe, 2352 Pcmcmcjc.exe
1360 Qhabfibb.exe, 2424 Bciohe32.exe, 2132 Cnlcoage.exe, 1572 Cfggccdp.exe
2608 Cpdeghgk.exe, 612 Diljpn32.exe, 2716 Dlppgihj.exe, 2480 Dalhop32.exe
2008 Dmcidqlf.exe, 2016 Eilfoapg.exe, 2108 Eiocdand.exe, 1096 Eiapjq32.exe
2768 Eehpoaaf.exe, 2656 Flfbfken.exe, 2588 Feofpqkn.exe, 2560 Fnlhibff.exe
3052 Fgelbhmg.exe, 1868 Gnaadb32.exe, 2512 Gcnjmi32.exe, 2860 Gmhkkn32.exe
1796 Gddppp32.exe, 1384 Holqbipe.exe, 2892 Hnanceem.exe, 1056 Hgiblk32.exe
1820 Hpgcfmge.exe, 1832 Hafppp32.exe, 2220 Iiaddb32.exe, 832 Icgibkki.exe
924 Iehejc32.exe, 828 Ipnigl32.exe, 1964 Incfhh32.exe, 1520 Ipbcbkmh.exe
1532 Iacojc32.exe, 984 Jaflocqd.exe, 536 Jllpmlqj.exe, 2252 Jdgeanne.exe
2664 Jpnffoci.exe, 2916 Jppbkoaf.exe, 2712 Jbnogjqj.exe, 2180 Jlgcqp32.exe
2172 Koglbkdl.exe, 1740 Kdinea32.exe, 1212 Knabngen.exe, 564 Lncodf32.exe
1968 Lnflif32.exe, 2320 Ldpdfp32.exe, 1548 Ljmmng32.exe, 2280 Lfcmchla.exe
Loads dropped DLL (64 IoCs)
Each of the 32 processes below appears twice in the report (two dropped-DLL load events per process, 64 rows in total). pid Process, four entries per line:
1568 c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be.exe, 2032 Iljjabfh.exe, 2104 Jfoookfn.exe, 2060 Joomnm32.exe
2804 Kdckgc32.exe, 2868 Kckeno32.exe, 2776 Lodbhp32.exe, 2660 Ljbmdmfc.exe
2520 Lnpejklj.exe, 2336 Mmjlfgml.exe, 968 Miqmkh32.exe, 2156 Nlafmcpa.exe
2888 Njklioqd.exe, 2328 Odhjmc32.exe, 692 Oijlpjma.exe, 2968 Pgdfbb32.exe
2352 Pcmcmcjc.exe, 1360 Qhabfibb.exe, 2424 Bciohe32.exe, 2132 Cnlcoage.exe
1572 Cfggccdp.exe, 2608 Cpdeghgk.exe, 612 Diljpn32.exe, 2716 Dlppgihj.exe
2480 Dalhop32.exe, 2008 Dmcidqlf.exe, 2016 Eilfoapg.exe, 2108 Eiocdand.exe
1096 Eiapjq32.exe, 2768 Eehpoaaf.exe, 2656 Flfbfken.exe, 2588 Feofpqkn.exe
Drops file in System32 directory (64 IoCs)
operation | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Incfhh32.exe | Ipnigl32.exe
File created | C:\Windows\SysWOW64\Lmnmcjfa.dll | Olnnlpqd.exe
File created | C:\Windows\SysWOW64\Aocifaog.exe | Aghdboal.exe
File created | C:\Windows\SysWOW64\Picgek32.dll | Olijen32.exe
File opened for modification | C:\Windows\SysWOW64\Jmbhhl32.exe | Jcidofcf.exe
File opened for modification | C:\Windows\SysWOW64\Kheloh32.exe | Kakdbngn.exe
File created | C:\Windows\SysWOW64\Onaflccf.exe | Ojdnfemp.exe
File opened for modification | C:\Windows\SysWOW64\Ongijbja.exe | Ododal32.exe
File created | C:\Windows\SysWOW64\Qpgachdo.exe | Qjjikafh.exe
File opened for modification | C:\Windows\SysWOW64\Iiaddb32.exe | Hafppp32.exe
File opened for modification | C:\Windows\SysWOW64\Jnpapn32.exe | Jokdobid.exe
File created | C:\Windows\SysWOW64\Pekhohfk.exe | Ppnpfagc.exe
File created | C:\Windows\SysWOW64\Jofaoo32.dll | Ngmbfl32.exe
File created | C:\Windows\SysWOW64\Eghkce32.dll | Onmmad32.exe
File created | C:\Windows\SysWOW64\Kmanmi32.exe | Kpmmce32.exe
File created | C:\Windows\SysWOW64\Nlojcg32.exe | Najfeo32.exe
File created | C:\Windows\SysWOW64\Iljjabfh.exe | c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be.exe
File created | C:\Windows\SysWOW64\Hafppp32.exe | Hpgcfmge.exe
File created | C:\Windows\SysWOW64\Bkkfff32.dll | Jppbkoaf.exe
File created | C:\Windows\SysWOW64\Bdidegec.exe | Bnplhm32.exe
File created | C:\Windows\SysWOW64\Knabngen.exe | Kdinea32.exe
File created | C:\Windows\SysWOW64\Iaqljman.exe | Ifkgldag.exe
File created | C:\Windows\SysWOW64\Ckpeqn32.exe | Cknikooe.exe
File opened for modification | C:\Windows\SysWOW64\Cfpmqg32.exe | Bdlccoje.exe
File created | C:\Windows\SysWOW64\Ihddim32.dll | Lbemeo32.exe
File created | C:\Windows\SysWOW64\Dfaokckn.exe | Dhmnap32.exe
File created | C:\Windows\SysWOW64\Cpabgb32.exe | Cbmann32.exe
File created | C:\Windows\SysWOW64\Iohiafag.exe | Hnimgcjd.exe
File opened for modification | C:\Windows\SysWOW64\Ahfmjafa.exe | Abieajgi.exe
File opened for modification | C:\Windows\SysWOW64\Ambohapm.exe | Adjkol32.exe
File created | C:\Windows\SysWOW64\Flbmmm32.exe | Effdef32.exe
File created | C:\Windows\SysWOW64\Ifkbna32.dll | Qhabfibb.exe
File created | C:\Windows\SysWOW64\Dnmlom32.dll | Apcfqd32.exe
File created | C:\Windows\SysWOW64\Ikaglgei.exe | Ieeajmpo.exe
File opened for modification | C:\Windows\SysWOW64\Jopogefh.exe | Jfdjbcim.exe
File opened for modification | C:\Windows\SysWOW64\Miqmkh32.exe | Mmjlfgml.exe
File opened for modification | C:\Windows\SysWOW64\Bdidegec.exe | Bnplhm32.exe
File opened for modification | C:\Windows\SysWOW64\Dmfkcf32.exe | Cqokoeig.exe
File opened for modification | C:\Windows\SysWOW64\Dgdfocge.exe | Dfcigk32.exe
File opened for modification | C:\Windows\SysWOW64\Nachlm32.exe | Nkipoc32.exe
File created | C:\Windows\SysWOW64\Napdfalf.dll | Nmbkje32.exe
File opened for modification | C:\Windows\SysWOW64\Pjgjmipf.exe | Paoedc32.exe
File created | C:\Windows\SysWOW64\Fpffianh.exe | Fpcicapk.exe
File opened for modification | C:\Windows\SysWOW64\Hpgcfmge.exe | Hgiblk32.exe
File created | C:\Windows\SysWOW64\Jfdoaa32.dll | Jlgcqp32.exe
File created | C:\Windows\SysWOW64\Ljaqha32.dll | Cbmann32.exe
File created | C:\Windows\SysWOW64\Oglgfk32.dll | Eadpig32.exe
File created | C:\Windows\SysWOW64\Gpagikgi.dll | Dbhppd32.exe
File opened for modification | C:\Windows\SysWOW64\Pbjpmmij.exe | Pfcohlce.exe
File created | C:\Windows\SysWOW64\Pdmdki32.dll | Daidojeh.exe
File created | C:\Windows\SysWOW64\Gihdblpi.exe | Gifgml32.exe
File opened for modification | C:\Windows\SysWOW64\Gbilpl32.exe | Ffbkkkcb.exe
File created | C:\Windows\SysWOW64\Ghmkhobf.dll | Bfbknkbn.exe
File created | C:\Windows\SysWOW64\Plkgkn32.exe | Olijen32.exe
File created | C:\Windows\SysWOW64\Dgeogdgj.dll | Chmpicbd.exe
File created | C:\Windows\SysWOW64\Pmbabjia.dll | Epimjd32.exe
File created | C:\Windows\SysWOW64\Mklhpfho.exe | Mgoojgai.exe
File created | C:\Windows\SysWOW64\Qdcdnm32.exe | Piejbpgk.exe
File created | C:\Windows\SysWOW64\Idgpef32.dll | Cchfek32.exe
File opened for modification | C:\Windows\SysWOW64\Fadoqc32.exe | Fiijladb.exe
File created | C:\Windows\SysWOW64\Hoobij32.exe | Hefmqdgj.exe
File created | C:\Windows\SysWOW64\Hdpcmpgl.exe | Hdnggq32.exe
File created | C:\Windows\SysWOW64\Diljpn32.exe | Cpdeghgk.exe
File created | C:\Windows\SysWOW64\Enfehe32.dll | Hnanceem.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2980 | 1312 | WerFault.exe | 468
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 64 rows are the same operation, Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (HKLM\SYSTEM\ControlSet001\Control\NLS\Language), one row per process:
Ejodpedp.exe, Mmjlfgml.exe, Jlgcqp32.exe, Cddqod32.exe, Cgogbano.exe, Mgcflnfp.exe, Mlhdbhng.exe, Gobijm32.exe,
Kmanmi32.exe, Cmpieg32.exe, Ghhoej32.exe, Labamcdb.exe, Adpmmj32.exe, Qhabfibb.exe, Kdinea32.exe, Nachlm32.exe,
Igqjfb32.exe, Onaflccf.exe, Jbegpn32.exe, Ehaonphg.exe, Gdckncfj.exe, Nbcmnklf.exe, Alifee32.exe, Adjkol32.exe,
Gdlncn32.exe, Ckpeqn32.exe, Bkdokjdd.exe, Dhmnap32.exe, Jdgeanne.exe, Kbanfbfk.exe, Ikjlij32.exe, Ncnplogn.exe,
Fpcicapk.exe, Bafjlnnn.exe, Gnaadb32.exe, Cojnol32.exe, Efakjgni.exe, Ocoodjan.exe, Ndmkmich.exe, Hpoenc32.exe,
Fpcgji32.exe, Jlofejig.exe, Fgelbhmg.exe, Bdghpggf.exe, Ieeajmpo.exe, Odhjmc32.exe, Olqkapoa.exe, Cbmann32.exe,
Ccqjje32.exe, Flbmmm32.exe, Gelaggdd.exe, Kahqbh32.exe, Najfeo32.exe, Onejljep.exe, Hecnblah.exe, Lfcmchla.exe,
Lqknfq32.exe, Kphbom32.exe, Hckddoio.exe, Qjjikafh.exe, Bfqfoeng.exe, Lpiaqqlg.exe, Bcoafcjk.exe, Cfddcn32.exe
Modifies registry class (64 IoCs)
All 64 rows are under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 (kernel form \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\...), the CLSID that the ShellServiceObjectDelayLoad value above points at. Rows are grouped by operation; DLL paths are shown with single backslashes where the report shows them string-escaped ("C:\\Windows\\SysWow64\\...").

Key created (the InProcServer32 key itself), 19 rows:
Ajeloe32.exe, Eidohiac.exe, Jlofejig.exe, Dlppgihj.exe, Hgiblk32.exe, Hhgdig32.exe, Pgdfbb32.exe, Gelaggdd.exe,
Ndohbiae.exe, Bciohe32.exe, Fnlhibff.exe, Cgogbano.exe, Bjopbh32.exe, Adjkol32.exe, Jnpapn32.exe, Bkdokjdd.exe,
Dqlcnb32.exe, Kmanmi32.exe, Knabngen.exe

Set value (str) ThreadingModel = "Apartment", 26 rows:
Ccqjje32.exe, Bgbqlm32.exe, Ecncjckf.exe, Jiiimmok.exe, Ljbmdmfc.exe, Cfggccdp.exe, Feofpqkn.exe, Apnlee32.exe,
Ppoijq32.exe, Qpicjend.exe, Dhmnap32.exe, Najfeo32.exe, Qhabfibb.exe, Chmpicbd.exe, Einljkji.exe, Fifkni32.exe,
Cjchec32.exe, Peclcc32.exe, Hdneohbk.exe, Pcmcmcjc.exe, Fkdbmblb.exe, Kmanmi32.exe, Pgdfbb32.exe, Jllpmlqj.exe,
Dfaokckn.exe, Oddanh32.exe

Set value (str) (Default) = "<server DLL path>", 19 rows (value | Process):
C:\Windows\SysWow64\Fklpkihh.dll | Oddanh32.exe
C:\Windows\SysWow64\Cmohhofn.dll | Fiijladb.exe
C:\Windows\SysWow64\Gbmipiod.dll | Aiagck32.exe
C:\Windows\SysWow64\Libofaja.dll | Cojnol32.exe
C:\Windows\SysWow64\Bkkfff32.dll | Jppbkoaf.exe
C:\Windows\SysWow64\Ihddim32.dll | Lbemeo32.exe
C:\Windows\SysWow64\Kecaepid.dll | Gdgdhnml.exe
C:\Windows\SysWow64\Odmeam32.dll | Pednllpk.exe
C:\Windows\SysWow64\Eqmogi32.dll | Epipbmdj.exe
C:\Windows\SysWow64\Imliaacf.dll | Pgdfbb32.exe
C:\Windows\SysWow64\Afgplmij.dll | Lnpejklj.exe
C:\Windows\SysWow64\Mfhbiqgd.dll | Dalhop32.exe
C:\Windows\SysWow64\Pdgjlojh.dll | Dfaokckn.exe
C:\Windows\SysWow64\Dqmljind.dll | Libhbo32.exe
C:\Windows\SysWow64\Eiohdb32.dll | Ajeloe32.exe
C:\Windows\SysWow64\Oqhkhbnf.dll | Effdef32.exe
C:\Windows\SysWow64\Ofgidihm.dll | Hkkcdq32.exe
C:\Windows\SysWow64\Fnqhce32.dll | Ncnplogn.exe
C:\Windows\SysWow64\Ligldf32.dll | Jfbnmckp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1568 wrote to memory of 2032 1568 c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be.exe 29
PID 1568 wrote to memory of 2032 1568 c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be.exe 29
PID 1568 wrote to memory of 2032 1568 c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be.exe 29
PID 1568 wrote to memory of 2032 1568 c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be.exe 29
PID 2032 wrote to memory of 2104 2032 Iljjabfh.exe 30
PID 2032 wrote to memory of 2104 2032 Iljjabfh.exe 30
PID 2032 wrote to memory of 2104 2032 Iljjabfh.exe 30
PID 2032 wrote to memory of 2104 2032 Iljjabfh.exe 30
PID 2104 wrote to memory of 2060 2104 Jfoookfn.exe 31
PID 2104 wrote to memory of 2060 2104 Jfoookfn.exe 31
PID 2104 wrote to memory of 2060 2104 Jfoookfn.exe 31
PID 2104 wrote to memory of 2060 2104 Jfoookfn.exe 31
PID 2060 wrote to memory of 2804 2060 Joomnm32.exe 32
PID 2060 wrote to memory of 2804 2060 Joomnm32.exe 32
PID 2060 wrote to memory of 2804 2060 Joomnm32.exe 32
PID 2060 wrote to memory of 2804 2060 Joomnm32.exe 32
PID 2804 wrote to memory of 2868 2804 Kdckgc32.exe 33
PID 2804 wrote to memory of 2868 2804 Kdckgc32.exe 33
PID 2804 wrote to memory of 2868 2804 Kdckgc32.exe 33
PID 2804 wrote to memory of 2868 2804 Kdckgc32.exe 33
PID 2868 wrote to memory of 2776 2868 Kckeno32.exe 34
PID 2868 wrote to memory of 2776 2868 Kckeno32.exe 34
PID 2868 wrote to memory of 2776 2868 Kckeno32.exe 34
PID 2868 wrote to memory of 2776 2868 Kckeno32.exe 34
PID 2776 wrote to memory of 2660 2776 Lodbhp32.exe 35
PID 2776 wrote to memory of 2660 2776 Lodbhp32.exe 35
PID 2776 wrote to memory of 2660 2776 Lodbhp32.exe 35
PID 2776 wrote to memory of 2660 2776 Lodbhp32.exe 35
PID 2660 wrote to memory of 2520 2660 Ljbmdmfc.exe 36
PID 2660 wrote to memory of 2520 2660 Ljbmdmfc.exe 36
PID 2660 wrote to memory of 2520 2660 Ljbmdmfc.exe 36
PID 2660 wrote to memory of 2520 2660 Ljbmdmfc.exe 36
PID 2520 wrote to memory of 2336 2520 Lnpejklj.exe 37
PID 2520 wrote to memory of 2336 2520 Lnpejklj.exe 37
PID 2520 wrote to memory of 2336 2520 Lnpejklj.exe 37
PID 2520 wrote to memory of 2336 2520 Lnpejklj.exe 37
PID 2336 wrote to memory of 968 2336 Mmjlfgml.exe 38
PID 2336 wrote to memory of 968 2336 Mmjlfgml.exe 38
PID 2336 wrote to memory of 968 2336 Mmjlfgml.exe 38
PID 2336 wrote to memory of 968 2336 Mmjlfgml.exe 38
PID 968 wrote to memory of 2156 968 Miqmkh32.exe 39
PID 968 wrote to memory of 2156 968 Miqmkh32.exe 39
PID 968 wrote to memory of 2156 968 Miqmkh32.exe 39
PID 968 wrote to memory of 2156 968 Miqmkh32.exe 39
PID 2156 wrote to memory of 2888 2156 Nlafmcpa.exe 40
PID 2156 wrote to memory of 2888 2156 Nlafmcpa.exe 40
PID 2156 wrote to memory of 2888 2156 Nlafmcpa.exe 40
PID 2156 wrote to memory of 2888 2156 Nlafmcpa.exe 40
PID 2888 wrote to memory of 2328 2888 Njklioqd.exe 41
PID 2888 wrote to memory of 2328 2888 Njklioqd.exe 41
PID 2888 wrote to memory of 2328 2888 Njklioqd.exe 41
PID 2888 wrote to memory of 2328 2888 Njklioqd.exe 41
PID 2328 wrote to memory of 692 2328 Odhjmc32.exe 42
PID 2328 wrote to memory of 692 2328 Odhjmc32.exe 42
PID 2328 wrote to memory of 692 2328 Odhjmc32.exe 42
PID 2328 wrote to memory of 692 2328 Odhjmc32.exe 42
PID 692 wrote to memory of 2968 692 Oijlpjma.exe 43
PID 692 wrote to memory of 2968 692 Oijlpjma.exe 43
PID 692 wrote to memory of 2968 692 Oijlpjma.exe 43
PID 692 wrote to memory of 2968 692 Oijlpjma.exe 43
PID 2968 wrote to memory of 2352 2968 Pgdfbb32.exe 44
PID 2968 wrote to memory of 2352 2968 Pgdfbb32.exe 44
PID 2968 wrote to memory of 2352 2968 Pgdfbb32.exe 44
PID 2968 wrote to memory of 2352 2968 Pgdfbb32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be.exe "C:\Users\Admin\AppData\Local\Temp\c5ce986f716206db0710502cd0b913a3cc516f5d841a107c4ab66373eae942be.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Iljjabfh.exe C:\Windows\system32\Iljjabfh.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Jfoookfn.exe C:\Windows\system32\Jfoookfn.exe 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Joomnm32.exe C:\Windows\system32\Joomnm32.exe 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Kdckgc32.exe C:\Windows\system32\Kdckgc32.exe 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Kckeno32.exe C:\Windows\system32\Kckeno32.exe 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Lodbhp32.exe C:\Windows\system32\Lodbhp32.exe 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Ljbmdmfc.exe C:\Windows\system32\Ljbmdmfc.exe 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Lnpejklj.exe C:\Windows\system32\Lnpejklj.exe 9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Mmjlfgml.exe C:\Windows\system32\Mmjlfgml.exe 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Miqmkh32.exe C:\Windows\system32\Miqmkh32.exe 11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Nlafmcpa.exe C:\Windows\system32\Nlafmcpa.exe 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Njklioqd.exe C:\Windows\system32\Njklioqd.exe 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Odhjmc32.exe C:\Windows\system32\Odhjmc32.exe 14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Oijlpjma.exe C:\Windows\system32\Oijlpjma.exe 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Pgdfbb32.exe C:\Windows\system32\Pgdfbb32.exe 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Pcmcmcjc.exe C:\Windows\system32\Pcmcmcjc.exe 17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Qhabfibb.exe C:\Windows\system32\Qhabfibb.exe 18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Bciohe32.exe C:\Windows\system32\Bciohe32.exe 19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Cnlcoage.exe C:\Windows\system32\Cnlcoage.exe 20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Cfggccdp.exe C:\Windows\system32\Cfggccdp.exe 21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Cpdeghgk.exe C:\Windows\system32\Cpdeghgk.exe 22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Diljpn32.exe C:\Windows\system32\Diljpn32.exe 23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Dlppgihj.exe C:\Windows\system32\Dlppgihj.exe 24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Dalhop32.exe C:\Windows\system32\Dalhop32.exe 25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Dmcidqlf.exe C:\Windows\system32\Dmcidqlf.exe 26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Eilfoapg.exe C:\Windows\system32\Eilfoapg.exe 27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Eiocdand.exe C:\Windows\system32\Eiocdand.exe 28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Eiapjq32.exe C:\Windows\system32\Eiapjq32.exe 29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Eehpoaaf.exe C:\Windows\system32\Eehpoaaf.exe 30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Flfbfken.exe C:\Windows\system32\Flfbfken.exe 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Feofpqkn.exe C:\Windows\system32\Feofpqkn.exe 32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Fnlhibff.exe C:\Windows\system32\Fnlhibff.exe 33⤵
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Fgelbhmg.exe C:\Windows\system32\Fgelbhmg.exe 34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Gnaadb32.exe C:\Windows\system32\Gnaadb32.exe 35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Gcnjmi32.exe C:\Windows\system32\Gcnjmi32.exe 36⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Gmhkkn32.exe C:\Windows\system32\Gmhkkn32.exe 37⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Gddppp32.exe C:\Windows\system32\Gddppp32.exe 38⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Holqbipe.exe C:\Windows\system32\Holqbipe.exe 39⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Hnanceem.exe C:\Windows\system32\Hnanceem.exe 40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Hgiblk32.exe C:\Windows\system32\Hgiblk32.exe 41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Hpgcfmge.exe C:\Windows\system32\Hpgcfmge.exe 42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Hafppp32.exe C:\Windows\system32\Hafppp32.exe 43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Iiaddb32.exe C:\Windows\system32\Iiaddb32.exe 44⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Icgibkki.exe C:\Windows\system32\Icgibkki.exe 45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Iehejc32.exe C:\Windows\system32\Iehejc32.exe 46⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Ipnigl32.exe C:\Windows\system32\Ipnigl32.exe 47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Incfhh32.exe C:\Windows\system32\Incfhh32.exe 48⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ipbcbkmh.exe C:\Windows\system32\Ipbcbkmh.exe 49⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Iacojc32.exe C:\Windows\system32\Iacojc32.exe 50⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Jaflocqd.exe C:\Windows\system32\Jaflocqd.exe 51⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Jllpmlqj.exe C:\Windows\system32\Jllpmlqj.exe 52⤵
- Executes dropped EXE
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Jdgeanne.exe C:\Windows\system32\Jdgeanne.exe 53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Jpnffoci.exe C:\Windows\system32\Jpnffoci.exe 54⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Jppbkoaf.exe C:\Windows\system32\Jppbkoaf.exe 55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Jbnogjqj.exe C:\Windows\system32\Jbnogjqj.exe 56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Jlgcqp32.exe C:\Windows\system32\Jlgcqp32.exe 57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Koglbkdl.exe C:\Windows\system32\Koglbkdl.exe 58⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Kdinea32.exe C:\Windows\system32\Kdinea32.exe 59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Knabngen.exe C:\Windows\system32\Knabngen.exe 60⤵
- Executes dropped EXE
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Lncodf32.exe C:\Windows\system32\Lncodf32.exe 61⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Lnflif32.exe C:\Windows\system32\Lnflif32.exe 62⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Ldpdfp32.exe C:\Windows\system32\Ldpdfp32.exe 63⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Ljmmng32.exe C:\Windows\system32\Ljmmng32.exe 64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Lfcmchla.exe C:\Windows\system32\Lfcmchla.exe 65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Lpiaqqlg.exe C:\Windows\system32\Lpiaqqlg.exe 66⤵
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Ljafifbh.exe C:\Windows\system32\Ljafifbh.exe 67⤵
PID:1344 -
C:\Windows\SysWOW64\Lqknfq32.exe C:\Windows\system32\Lqknfq32.exe 68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\SysWOW64\Mjdcofpe.exe C:\Windows\system32\Mjdcofpe.exe 69⤵
PID:2368 -
C:\Windows\SysWOW64\Mmdlqa32.exe C:\Windows\system32\Mmdlqa32.exe 70⤵
PID:2412 -
C:\Windows\SysWOW64\Mdpqec32.exe C:\Windows\system32\Mdpqec32.exe 71⤵
PID:2304 -
C:\Windows\SysWOW64\Moedbl32.exe C:\Windows\system32\Moedbl32.exe 72⤵
PID:1780 -
C:\Windows\SysWOW64\Mdbmkc32.exe C:\Windows\system32\Mdbmkc32.exe 73⤵
PID:1092 -
C:\Windows\SysWOW64\Mjoecjgf.exe C:\Windows\system32\Mjoecjgf.exe 74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Mgcflnfp.exe C:\Windows\system32\Mgcflnfp.exe 75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Negffbdi.exe C:\Windows\system32\Negffbdi.exe 76⤵
PID:2544 -
C:\Windows\SysWOW64\Nmbkje32.exe C:\Windows\system32\Nmbkje32.exe 77⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Nggpgn32.exe C:\Windows\system32\Nggpgn32.exe 78⤵
PID:2580 -
C:\Windows\SysWOW64\Ncnplogn.exe C:\Windows\system32\Ncnplogn.exe 79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Nfmlhjfb.exe C:\Windows\system32\Nfmlhjfb.exe 80⤵
PID:1428 -
C:\Windows\SysWOW64\Nbcmnklf.exe C:\Windows\system32\Nbcmnklf.exe 81⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Nimeje32.exe C:\Windows\system32\Nimeje32.exe 82⤵
PID:2824 -
C:\Windows\SysWOW64\Nnjnbl32.exe C:\Windows\system32\Nnjnbl32.exe 83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976 -
C:\Windows\SysWOW64\Nedfofig.exe C:\Windows\system32\Nedfofig.exe 84⤵
PID:2144 -
C:\Windows\SysWOW64\Olnnlpqd.exe C:\Windows\system32\Olnnlpqd.exe 85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Olqkapoa.exe C:\Windows\system32\Olqkapoa.exe 86⤵
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Odlpfblm.exe C:\Windows\system32\Odlpfblm.exe 87⤵
PID:1076 -
C:\Windows\SysWOW64\Onadck32.exe C:\Windows\system32\Onadck32.exe 88⤵
PID:2244 -
C:\Windows\SysWOW64\Omfadgqj.exe C:\Windows\system32\Omfadgqj.exe 89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Odqiaa32.exe C:\Windows\system32\Odqiaa32.exe 90⤵
PID:2748 -
C:\Windows\SysWOW64\Odcffafd.exe C:\Windows\system32\Odcffafd.exe 91⤵
PID:2816 -
C:\Windows\SysWOW64\Pmkjog32.exe C:\Windows\system32\Pmkjog32.exe 92⤵
PID:2592 -
C:\Windows\SysWOW64\Pfcohlce.exe C:\Windows\system32\Pfcohlce.exe 93⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Pbjpmmij.exe C:\Windows\system32\Pbjpmmij.exe 94⤵
PID:1788 -
C:\Windows\SysWOW64\Ppnpfagc.exe C:\Windows\system32\Ppnpfagc.exe 95⤵
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Pekhohfk.exe C:\Windows\system32\Pekhohfk.exe 96⤵
PID:2228 -
C:\Windows\SysWOW64\Pemedh32.exe C:\Windows\system32\Pemedh32.exe 97⤵
PID:2188 -
C:\Windows\SysWOW64\Plgmabke.exe C:\Windows\system32\Plgmabke.exe 98⤵
PID:588 -
C:\Windows\SysWOW64\Qdbbedhp.exe C:\Windows\system32\Qdbbedhp.exe 99⤵
PID:1604 -
C:\Windows\SysWOW64\Qpicjend.exe C:\Windows\system32\Qpicjend.exe 100⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Aiagck32.exe C:\Windows\system32\Aiagck32.exe 101⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Agfhmo32.exe C:\Windows\system32\Agfhmo32.exe 102⤵
PID:1720 -
C:\Windows\SysWOW64\Apnlee32.exe C:\Windows\system32\Apnlee32.exe 103⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Aghdboal.exe C:\Windows\system32\Aghdboal.exe 104⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Aocifaog.exe C:\Windows\system32\Aocifaog.exe 105⤵
PID:2956 -
C:\Windows\SysWOW64\Apcfqd32.exe C:\Windows\system32\Apcfqd32.exe 106⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Alifee32.exe C:\Windows\system32\Alifee32.exe 107⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Bfbknkbn.exe C:\Windows\system32\Bfbknkbn.exe 108⤵
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Bojogp32.exe C:\Windows\system32\Bojogp32.exe 109⤵
PID:1708 -
C:\Windows\SysWOW64\Bdghpggf.exe C:\Windows\system32\Bdghpggf.exe 110⤵
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Bnplhm32.exe C:\Windows\system32\Bnplhm32.exe 111⤵
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Bdidegec.exe C:\Windows\system32\Bdidegec.exe 112⤵
PID:2872 -
C:\Windows\SysWOW64\Bbmeokdm.exe C:\Windows\system32\Bbmeokdm.exe 113⤵
PID:1216 -
C:\Windows\SysWOW64\Bcoafcjk.exe C:\Windows\system32\Bcoafcjk.exe 114⤵
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Bqbbpghe.exe C:\Windows\system32\Bqbbpghe.exe 115⤵
PID:2248 -
C:\Windows\SysWOW64\Bgmjla32.exe C:\Windows\system32\Bgmjla32.exe 116⤵
PID:2216 -
C:\Windows\SysWOW64\Cgogbano.exe C:\Windows\system32\Cgogbano.exe 117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Cqgkkg32.exe C:\Windows\system32\Cqgkkg32.exe 118⤵
PID:2708 -
C:\Windows\SysWOW64\Cfddcn32.exe C:\Windows\system32\Cfddcn32.exe 119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Cmnlphjd.exe C:\Windows\system32\Cmnlphjd.exe 120⤵
PID:3040 -
C:\Windows\SysWOW64\Cbkdhohk.exe C:\Windows\system32\Cbkdhohk.exe 121⤵
PID:1312 -
C:\Windows\SysWOW64\Cmpieg32.exe C:\Windows\system32\Cmpieg32.exe 122⤵
- System Location Discovery: System Language Discovery
PID:1860