Analysis
-
max time kernel
146s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 22:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
-
Size
448KB
-
MD5
f239e5fe58b9463160c4f14c484da6d2
-
SHA1
2d4360dedb3cbc078c7a00bae1b84773bcb24254
-
SHA256
d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4
-
SHA512
8a96fe6f77e3703920d4088c4fefa894ca070af72ec70149115632598b5bb2dffac2e68054b212b5a2e3a046ec034d804141b287534c9257825b8deccd5d2ee3
-
SSDEEP
3072:k/SNB8wcgrdI0dc8d/MJfyEkxnaaYQ2lycpQXSzU9vbT1NgNYIx33rjpu2lycpQm:kq8SrdIRJ6EQnT2leTLgNPx33fpu2lD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigpdjpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lebemmbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkiknb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqcpfcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncogge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Donlcdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opkcpndm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiekkdjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqjmec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjhfkqdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnllppfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnllppfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haldgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adqbml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcmeogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peoanckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfaknce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhhagb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dehfig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkhfnea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clecnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkihfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiepca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhnede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Conbmfif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Memonbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inbpnbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldhcjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndekok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpgnbol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgokcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmhej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqqqokla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pncgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnofbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqngkcjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnimgcjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mofgkebk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mofgkebk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opicgenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqhfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cijkaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pijhompm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oadjjfga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpanffhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obkegbnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpjndh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekkppkpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbjmodph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdmekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpfpco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkqmnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbagf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghklq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fojnhlch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chickknc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noajmlnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhjldiln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khkmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohikeegf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnejqmie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojlfckj.exe -
Executes dropped EXE 64 IoCs
pid Process 2552 Lgdafeln.exe 2844 Loofjg32.exe 2244 Lkffohon.exe 2868 Mmcbbo32.exe 2692 Nmeohnil.exe 2760 Niombolm.exe 2384 Nloedjin.exe 2592 Odmgnl32.exe 3040 Oaaghp32.exe 2708 Oaeacppk.exe 2460 Poddphee.exe 1032 Paemac32.exe 584 Pdffcn32.exe 2504 Qnagbc32.exe 1148 Almjcobe.exe 920 Aggkdlod.exe 2308 Bqciha32.exe 2312 Bmjjmbgc.exe 1036 Bokcom32.exe 2268 Cmocha32.exe 2200 Copljmpo.exe 1164 Dcfknooi.exe 2532 Dhdddnep.exe 2108 Dpphipbk.exe 2332 Dmcibdad.exe 2872 Deajlf32.exe 2968 Epgoio32.exe 2764 Emailhfb.exe 2804 Ehiiop32.exe 1084 Feccqime.exe 2352 Fhdlbd32.exe 3008 Falakjag.exe 2992 Fclmem32.exe 2896 Fdmjmenh.exe 2196 Ggncop32.exe 1708 Gknhjn32.exe 2444 Gmbagf32.exe 1004 Hmdnme32.exe 2476 Hjhofj32.exe 2364 Hkiknb32.exe 1636 Hdapggln.exe 1528 Hogddpld.exe 836 Hiphmf32.exe 2224 Hqkmahpp.exe 1604 Ibjikk32.exe 880 Ijenpn32.exe 876 Icnbic32.exe 2744 Imfgahao.exe 2024 Ijjgkmqh.exe 2672 Ipgpcc32.exe 1220 Iceiibef.exe 2820 Jnojjp32.exe 2584 Jifkmh32.exe 2380 Jjhgdqef.exe 1052 Jlgcncli.exe 1044 Jmhpfl32.exe 2484 Jhndcd32.exe 3064 Johlpoij.exe 3056 Kdeehe32.exe 2952 Kiamql32.exe 2900 Kdgane32.exe 1944 Kkajkoml.exe 2068 Kdincdcl.exe 1116 Kifgllbc.exe -
Loads dropped DLL 64 IoCs
pid Process 1972 d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe 1972 d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe 2552 Lgdafeln.exe 2552 Lgdafeln.exe 2844 Loofjg32.exe 2844 Loofjg32.exe 2244 Lkffohon.exe 2244 Lkffohon.exe 2868 Mmcbbo32.exe 2868 Mmcbbo32.exe 2692 Nmeohnil.exe 2692 Nmeohnil.exe 2760 Niombolm.exe 2760 Niombolm.exe 2384 Nloedjin.exe 2384 Nloedjin.exe 2592 Odmgnl32.exe 2592 Odmgnl32.exe 3040 Oaaghp32.exe 3040 Oaaghp32.exe 2708 Oaeacppk.exe 2708 Oaeacppk.exe 2460 Poddphee.exe 2460 Poddphee.exe 1032 Paemac32.exe 1032 Paemac32.exe 584 Pdffcn32.exe 584 Pdffcn32.exe 2504 Qnagbc32.exe 2504 Qnagbc32.exe 1148 Almjcobe.exe 1148 Almjcobe.exe 920 Aggkdlod.exe 920 Aggkdlod.exe 2308 Bqciha32.exe 2308 Bqciha32.exe 2312 Bmjjmbgc.exe 2312 Bmjjmbgc.exe 1036 Bokcom32.exe 1036 Bokcom32.exe 2268 Cmocha32.exe 2268 Cmocha32.exe 2200 Copljmpo.exe 2200 Copljmpo.exe 1164 Dcfknooi.exe 1164 Dcfknooi.exe 2532 Dhdddnep.exe 2532 Dhdddnep.exe 2108 Dpphipbk.exe 2108 Dpphipbk.exe 2332 Dmcibdad.exe 2332 Dmcibdad.exe 2872 Deajlf32.exe 2872 Deajlf32.exe 2968 Epgoio32.exe 2968 Epgoio32.exe 2764 Emailhfb.exe 2764 Emailhfb.exe 2804 Ehiiop32.exe 2804 Ehiiop32.exe 1084 Feccqime.exe 1084 Feccqime.exe 2352 Fhdlbd32.exe 2352 Fhdlbd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Chmmbpjh.dll Epamlegl.exe File created C:\Windows\SysWOW64\Llagegfb.exe Lbffga32.exe File opened for modification C:\Windows\SysWOW64\Ehiiop32.exe Emailhfb.exe File created C:\Windows\SysWOW64\Jgmnhojl.exe Japfphle.exe File created C:\Windows\SysWOW64\Agikmeeg.exe Aomghchl.exe File created C:\Windows\SysWOW64\Alhgml32.dll Jfecfb32.exe File created C:\Windows\SysWOW64\Gibmglep.exe Gnhlgoia.exe File created C:\Windows\SysWOW64\Nkpbjn32.dll Lhhhjhkf.exe File opened for modification C:\Windows\SysWOW64\Ofellh32.exe Opkcpndm.exe File opened for modification C:\Windows\SysWOW64\Lanmde32.exe Lheilofe.exe File created C:\Windows\SysWOW64\Llmipdhh.dll Megmpi32.exe File opened for modification C:\Windows\SysWOW64\Pmkjog32.exe Oadjjfga.exe File created C:\Windows\SysWOW64\Bpmokk32.dll Pplejj32.exe File created C:\Windows\SysWOW64\Poddphee.exe Oaeacppk.exe File created C:\Windows\SysWOW64\Dicildoo.dll Eqklhh32.exe File created C:\Windows\SysWOW64\Jkcoee32.exe Jpjndh32.exe File created C:\Windows\SysWOW64\Bgebcj32.exe Bbhikcpn.exe File created C:\Windows\SysWOW64\Fkibbh32.exe Feljja32.exe File created C:\Windows\SysWOW64\Jjjpfl32.dll Bnafjo32.exe File created C:\Windows\SysWOW64\Dgpiebfa.dll Mcghcgfb.exe File created C:\Windows\SysWOW64\Chncajid.dll Fdldmokn.exe File created C:\Windows\SysWOW64\Jpneablg.dll Gcifdj32.exe File created C:\Windows\SysWOW64\Mgdpnqfn.exe Mgbcha32.exe File opened for modification C:\Windows\SysWOW64\Pifdog32.exe Ppnpfagc.exe File created C:\Windows\SysWOW64\Bhjfppbe.dll Jankcafl.exe File created C:\Windows\SysWOW64\Dhlgdedc.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ggkoojip.exe Fmbkfd32.exe File opened for modification C:\Windows\SysWOW64\Llefld32.exe Kfknpj32.exe File created C:\Windows\SysWOW64\Jogidjmf.dll Aniffaim.exe File created C:\Windows\SysWOW64\Jhjldiln.exe Jndgfqlh.exe File opened for modification C:\Windows\SysWOW64\Cmqmgedi.exe Ceeibbgn.exe File created C:\Windows\SysWOW64\Aippolfc.dll Pijhompm.exe File opened for modification C:\Windows\SysWOW64\Jifkmh32.exe Jnojjp32.exe File created C:\Windows\SysWOW64\Hnepeg32.dll Mdmdpd32.exe File created C:\Windows\SysWOW64\Nhombc32.exe Nfpphp32.exe File created C:\Windows\SysWOW64\Aobici32.dll Mdpqec32.exe File opened for modification C:\Windows\SysWOW64\Ijcmipjh.exe Heedbbdb.exe File opened for modification C:\Windows\SysWOW64\Mnakjaoc.exe Mhdcbjal.exe File created C:\Windows\SysWOW64\Ecdkgg32.exe Emhbop32.exe File created C:\Windows\SysWOW64\Dnpgmp32.exe Dkakad32.exe File created C:\Windows\SysWOW64\Kpcngnob.exe Kmbeecaq.exe File created C:\Windows\SysWOW64\Hfiloiik.exe Haldgbkc.exe File opened for modification C:\Windows\SysWOW64\Jjkmhbek.exe Imgmonga.exe File opened for modification C:\Windows\SysWOW64\Obiiacpe.exe Nbfllc32.exe File created C:\Windows\SysWOW64\Pcgqoech.exe Pnkhfnea.exe File created C:\Windows\SysWOW64\Kcpahjen.dll Gbbbld32.exe File created C:\Windows\SysWOW64\Falnbokn.dll Dlomnp32.exe File created C:\Windows\SysWOW64\Nogmkk32.exe Nijdcdgn.exe File opened for modification C:\Windows\SysWOW64\Dclgbgbh.exe Dcijmhdj.exe File created C:\Windows\SysWOW64\Jajlck32.dll Fkkmoo32.exe File created C:\Windows\SysWOW64\Kbnppohp.dll Coidpiac.exe File created C:\Windows\SysWOW64\Ajkjij32.exe Aoeflamd.exe File created C:\Windows\SysWOW64\Gadlio32.exe Gdqlpj32.exe File created C:\Windows\SysWOW64\Ingmoj32.exe Icmlnmgb.exe File created C:\Windows\SysWOW64\Nbmcjc32.exe Nidoamch.exe File opened for modification C:\Windows\SysWOW64\Kkajkoml.exe Kdgane32.exe File created C:\Windows\SysWOW64\Agkhbece.exe Agikmeeg.exe File created C:\Windows\SysWOW64\Cfagmn32.exe Bjkfhm32.exe File created C:\Windows\SysWOW64\Ijpjlh32.dll Gffmqq32.exe File created C:\Windows\SysWOW64\Aomdpj32.exe Qegpbaqb.exe File created C:\Windows\SysWOW64\Ffecai32.dll Lgdafeln.exe File created C:\Windows\SysWOW64\Kjdpcnfi.exe Kononm32.exe File opened for modification C:\Windows\SysWOW64\Kjdpcnfi.exe Kononm32.exe File created C:\Windows\SysWOW64\Cieamnan.dll Kkglim32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 584 3616 Process not Found 1071 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpiphmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjlpclc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkflii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdcbjal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijdcdgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnefpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjjie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibmhjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memonbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcoioi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idofmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdnme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kifgllbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilehl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfflnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmfeldm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpgkicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omaqoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnclbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekelo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpedmhfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldedlfhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppafopqq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbacqdem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lapnmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibeeeijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdhjfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbbiafj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgmagh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmmmdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhjmpam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opkcpndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaffja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbfcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ambnlmja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fojnhlch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdockgqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kknfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpaado32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqgbihel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfgnldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pngcnpkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befcne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkmoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhioeof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nloedjin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oebffm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcdmikma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkakad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdckgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaiglnih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opempcpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cckjeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgdealm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebbeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfpfbemc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfpqko32.dll" Afbbiafj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enphee32.dll" Oefcef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Holcka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jepjpajn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbkmki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehhghdgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgmnhojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdabhkob.dll" Aeahjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmpjiqdi.dll" Blcokf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkpeg32.dll" Jqonjmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjljj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feiamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkmdlem.dll" Fbgaahgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afbbiafj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbeakllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnikno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kennjioc.dll" Oggkklnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoeflamd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhndcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegpeh32.dll" Nfcfob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmhbbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pijjhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckboba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qokjcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhddjigo.dll" Kikfbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcomjk32.dll" Mofgkebk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naconeen.dll" Ahbcda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdmjmenh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mchjjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clnkdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oabafcek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbfjogd.dll" Kononm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcaiqfib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cghpgbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loofjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hogddpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngmoao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lppgfkpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omnpgqdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdlkmb32.dll" Mkhnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipgpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aekelo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfkdi32.dll" Ifoncgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbdjmo32.dll" Njfnlahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Calgci32.dll" Kfknpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknabn32.dll" Fjpggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Finhinmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckopch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefoci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfanjcke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bamdcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiaiooja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klkjbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgppdp32.dll" Mjlgdaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpgeh32.dll" Dpanffhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lapnmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjmbe32.dll" Gjeedcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nabegpbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olclimif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcfdcbe.dll" Hfkkmaol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inpchbdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gheola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcidofcf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1972 wrote to memory of 2552 1972 d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe 29 PID 1972 wrote to memory of 2552 1972 d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe 29 PID 1972 wrote to memory of 2552 1972 d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe 29 PID 1972 wrote to memory of 2552 1972 d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe 29 PID 2552 wrote to memory of 2844 2552 Lgdafeln.exe 30 PID 2552 wrote to memory of 2844 2552 Lgdafeln.exe 30 PID 2552 wrote to memory of 2844 2552 Lgdafeln.exe 30 PID 2552 wrote to memory of 2844 2552 Lgdafeln.exe 30 PID 2844 wrote to memory of 2244 2844 Loofjg32.exe 31 PID 2844 wrote to memory of 2244 2844 Loofjg32.exe 31 PID 2844 wrote to memory of 2244 2844 Loofjg32.exe 31 PID 2844 wrote to memory of 2244 2844 Loofjg32.exe 31 PID 2244 wrote to memory of 2868 2244 Lkffohon.exe 32 PID 2244 wrote to memory of 2868 2244 Lkffohon.exe 32 PID 2244 wrote to memory of 2868 2244 Lkffohon.exe 32 PID 2244 wrote to memory of 2868 2244 Lkffohon.exe 32 PID 2868 wrote to memory of 2692 2868 Mmcbbo32.exe 33 PID 2868 wrote to memory of 2692 2868 Mmcbbo32.exe 33 PID 2868 wrote to memory of 2692 2868 Mmcbbo32.exe 33 PID 2868 wrote to memory of 2692 2868 Mmcbbo32.exe 33 PID 2692 wrote to memory of 2760 2692 Nmeohnil.exe 34 PID 2692 wrote to memory of 2760 2692 Nmeohnil.exe 34 PID 2692 wrote to memory of 2760 2692 Nmeohnil.exe 34 PID 2692 wrote to memory of 2760 2692 Nmeohnil.exe 34 PID 2760 wrote to memory of 2384 2760 Niombolm.exe 35 PID 2760 wrote to memory of 2384 2760 Niombolm.exe 35 PID 2760 wrote to memory of 2384 2760 Niombolm.exe 35 PID 2760 wrote to memory of 2384 2760 Niombolm.exe 35 PID 2384 wrote to memory of 2592 2384 Nloedjin.exe 36 PID 2384 wrote to memory of 2592 2384 Nloedjin.exe 36 PID 2384 wrote to memory of 2592 2384 Nloedjin.exe 36 PID 2384 wrote to memory of 2592 2384 Nloedjin.exe 36 PID 2592 wrote to memory of 3040 2592 Odmgnl32.exe 37 PID 2592 wrote to memory of 3040 2592 Odmgnl32.exe 37 PID 2592 wrote to memory of 3040 2592 Odmgnl32.exe 37 PID 2592 wrote to memory of 3040 2592 Odmgnl32.exe 37 PID 3040 wrote to memory of 2708 3040 Oaaghp32.exe 38 PID 3040 wrote to memory of 2708 3040 Oaaghp32.exe 38 PID 3040 wrote to memory of 2708 3040 Oaaghp32.exe 38 PID 3040 wrote to memory of 2708 3040 Oaaghp32.exe 38 PID 2708 wrote to memory of 2460 2708 Oaeacppk.exe 39 PID 2708 wrote to memory of 2460 2708 Oaeacppk.exe 39 PID 2708 wrote to memory of 2460 2708 Oaeacppk.exe 39 PID 2708 wrote to memory of 2460 2708 Oaeacppk.exe 39 PID 2460 wrote to memory of 1032 2460 Poddphee.exe 40 PID 2460 wrote to memory of 1032 2460 Poddphee.exe 40 PID 2460 wrote to memory of 1032 2460 Poddphee.exe 40 PID 2460 wrote to memory of 1032 2460 Poddphee.exe 40 PID 1032 wrote to memory of 584 1032 Paemac32.exe 41 PID 1032 wrote to memory of 584 1032 Paemac32.exe 41 PID 1032 wrote to memory of 584 1032 Paemac32.exe 41 PID 1032 wrote to memory of 584 1032 Paemac32.exe 41 PID 584 wrote to memory of 2504 584 Pdffcn32.exe 42 PID 584 wrote to memory of 2504 584 Pdffcn32.exe 42 PID 584 wrote to memory of 2504 584 Pdffcn32.exe 42 PID 584 wrote to memory of 2504 584 Pdffcn32.exe 42 PID 2504 wrote to memory of 1148 2504 Qnagbc32.exe 43 PID 2504 wrote to memory of 1148 2504 Qnagbc32.exe 43 PID 2504 wrote to memory of 1148 2504 Qnagbc32.exe 43 PID 2504 wrote to memory of 1148 2504 Qnagbc32.exe 43 PID 1148 wrote to memory of 920 1148 Almjcobe.exe 44 PID 1148 wrote to memory of 920 1148 Almjcobe.exe 44 PID 1148 wrote to memory of 920 1148 Almjcobe.exe 44 PID 1148 wrote to memory of 920 1148 Almjcobe.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe"C:\Users\Admin\AppData\Local\Temp\d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Lgdafeln.exeC:\Windows\system32\Lgdafeln.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Loofjg32.exeC:\Windows\system32\Loofjg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Lkffohon.exeC:\Windows\system32\Lkffohon.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Mmcbbo32.exeC:\Windows\system32\Mmcbbo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Nmeohnil.exeC:\Windows\system32\Nmeohnil.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Niombolm.exeC:\Windows\system32\Niombolm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Nloedjin.exeC:\Windows\system32\Nloedjin.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Odmgnl32.exeC:\Windows\system32\Odmgnl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Oaaghp32.exeC:\Windows\system32\Oaaghp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Oaeacppk.exeC:\Windows\system32\Oaeacppk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Poddphee.exeC:\Windows\system32\Poddphee.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Pdffcn32.exeC:\Windows\system32\Pdffcn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Almjcobe.exeC:\Windows\system32\Almjcobe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Aggkdlod.exeC:\Windows\system32\Aggkdlod.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Bmjjmbgc.exeC:\Windows\system32\Bmjjmbgc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Bokcom32.exeC:\Windows\system32\Bokcom32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Cmocha32.exeC:\Windows\system32\Cmocha32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Copljmpo.exeC:\Windows\system32\Copljmpo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Dcfknooi.exeC:\Windows\system32\Dcfknooi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Dhdddnep.exeC:\Windows\system32\Dhdddnep.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Dpphipbk.exeC:\Windows\system32\Dpphipbk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Dmcibdad.exeC:\Windows\system32\Dmcibdad.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Deajlf32.exeC:\Windows\system32\Deajlf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Epgoio32.exeC:\Windows\system32\Epgoio32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Emailhfb.exeC:\Windows\system32\Emailhfb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Ehiiop32.exeC:\Windows\system32\Ehiiop32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Feccqime.exeC:\Windows\system32\Feccqime.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Fhdlbd32.exeC:\Windows\system32\Fhdlbd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Falakjag.exeC:\Windows\system32\Falakjag.exe33⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Fclmem32.exeC:\Windows\system32\Fclmem32.exe34⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Fdmjmenh.exeC:\Windows\system32\Fdmjmenh.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Ggncop32.exeC:\Windows\system32\Ggncop32.exe36⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Gknhjn32.exeC:\Windows\system32\Gknhjn32.exe37⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Gmbagf32.exeC:\Windows\system32\Gmbagf32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Hmdnme32.exeC:\Windows\system32\Hmdnme32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1004 -
C:\Windows\SysWOW64\Hjhofj32.exeC:\Windows\system32\Hjhofj32.exe40⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Hkiknb32.exeC:\Windows\system32\Hkiknb32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Hdapggln.exeC:\Windows\system32\Hdapggln.exe42⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Hogddpld.exeC:\Windows\system32\Hogddpld.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Hiphmf32.exeC:\Windows\system32\Hiphmf32.exe44⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Hqkmahpp.exeC:\Windows\system32\Hqkmahpp.exe45⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ibjikk32.exeC:\Windows\system32\Ibjikk32.exe46⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ijenpn32.exeC:\Windows\system32\Ijenpn32.exe47⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Icnbic32.exeC:\Windows\system32\Icnbic32.exe48⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Imfgahao.exeC:\Windows\system32\Imfgahao.exe49⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Ijjgkmqh.exeC:\Windows\system32\Ijjgkmqh.exe50⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Ipgpcc32.exeC:\Windows\system32\Ipgpcc32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Iceiibef.exeC:\Windows\system32\Iceiibef.exe52⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Jnojjp32.exeC:\Windows\system32\Jnojjp32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Jifkmh32.exeC:\Windows\system32\Jifkmh32.exe54⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Jjhgdqef.exeC:\Windows\system32\Jjhgdqef.exe55⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Jlgcncli.exeC:\Windows\system32\Jlgcncli.exe56⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Jmhpfl32.exeC:\Windows\system32\Jmhpfl32.exe57⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Jhndcd32.exeC:\Windows\system32\Jhndcd32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Johlpoij.exeC:\Windows\system32\Johlpoij.exe59⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Kdeehe32.exeC:\Windows\system32\Kdeehe32.exe60⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Kiamql32.exeC:\Windows\system32\Kiamql32.exe61⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Kdgane32.exeC:\Windows\system32\Kdgane32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Kkajkoml.exeC:\Windows\system32\Kkajkoml.exe63⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Kdincdcl.exeC:\Windows\system32\Kdincdcl.exe64⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Kifgllbc.exeC:\Windows\system32\Kifgllbc.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Kgjgepqm.exeC:\Windows\system32\Kgjgepqm.exe66⤵PID:2796
-
C:\Windows\SysWOW64\Kihcakpa.exeC:\Windows\system32\Kihcakpa.exe67⤵PID:2768
-
C:\Windows\SysWOW64\Koelibnh.exeC:\Windows\system32\Koelibnh.exe68⤵PID:1288
-
C:\Windows\SysWOW64\Keodflee.exeC:\Windows\system32\Keodflee.exe69⤵PID:936
-
C:\Windows\SysWOW64\Lklmoccl.exeC:\Windows\system32\Lklmoccl.exe70⤵PID:912
-
C:\Windows\SysWOW64\Leaallcb.exeC:\Windows\system32\Leaallcb.exe71⤵PID:2972
-
C:\Windows\SysWOW64\Lnmfpnqn.exeC:\Windows\system32\Lnmfpnqn.exe72⤵PID:2648
-
C:\Windows\SysWOW64\Lgejidgn.exeC:\Windows\system32\Lgejidgn.exe73⤵PID:1620
-
C:\Windows\SysWOW64\Lcqdidim.exeC:\Windows\system32\Lcqdidim.exe74⤵PID:2412
-
C:\Windows\SysWOW64\Mogene32.exeC:\Windows\system32\Mogene32.exe75⤵PID:1588
-
C:\Windows\SysWOW64\Mlnbmikh.exeC:\Windows\system32\Mlnbmikh.exe76⤵PID:2188
-
C:\Windows\SysWOW64\Mchjjc32.exeC:\Windows\system32\Mchjjc32.exe77⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Mhdcbjal.exeC:\Windows\system32\Mhdcbjal.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1020 -
C:\Windows\SysWOW64\Mnakjaoc.exeC:\Windows\system32\Mnakjaoc.exe79⤵PID:1524
-
C:\Windows\SysWOW64\Mkelcenm.exeC:\Windows\system32\Mkelcenm.exe80⤵PID:2496
-
C:\Windows\SysWOW64\Ndnplk32.exeC:\Windows\system32\Ndnplk32.exe81⤵PID:2336
-
C:\Windows\SysWOW64\Nkhhie32.exeC:\Windows\system32\Nkhhie32.exe82⤵PID:2904
-
C:\Windows\SysWOW64\Ndpmbjbk.exeC:\Windows\system32\Ndpmbjbk.exe83⤵PID:1712
-
C:\Windows\SysWOW64\Njmejaqb.exeC:\Windows\system32\Njmejaqb.exe84⤵PID:1952
-
C:\Windows\SysWOW64\Nfcfob32.exeC:\Windows\system32\Nfcfob32.exe85⤵
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Nplkhh32.exeC:\Windows\system32\Nplkhh32.exe86⤵PID:2944
-
C:\Windows\SysWOW64\Nidoamch.exeC:\Windows\system32\Nidoamch.exe87⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Nbmcjc32.exeC:\Windows\system32\Nbmcjc32.exe88⤵PID:3036
-
C:\Windows\SysWOW64\Oiglfm32.exeC:\Windows\system32\Oiglfm32.exe89⤵PID:2392
-
C:\Windows\SysWOW64\Oenmkngi.exeC:\Windows\system32\Oenmkngi.exe90⤵PID:2128
-
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe91⤵PID:1744
-
C:\Windows\SysWOW64\Ofmiea32.exeC:\Windows\system32\Ofmiea32.exe92⤵PID:1260
-
C:\Windows\SysWOW64\Opennf32.exeC:\Windows\system32\Opennf32.exe93⤵PID:2340
-
C:\Windows\SysWOW64\Oebffm32.exeC:\Windows\system32\Oebffm32.exe94⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Ohqbbi32.exeC:\Windows\system32\Ohqbbi32.exe95⤵PID:2916
-
C:\Windows\SysWOW64\Oaiglnih.exeC:\Windows\system32\Oaiglnih.exe96⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Ompgqonl.exeC:\Windows\system32\Ompgqonl.exe97⤵PID:2440
-
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe98⤵PID:1692
-
C:\Windows\SysWOW64\Panpgn32.exeC:\Windows\system32\Panpgn32.exe99⤵PID:928
-
C:\Windows\SysWOW64\Pfjiod32.exeC:\Windows\system32\Pfjiod32.exe100⤵PID:1960
-
C:\Windows\SysWOW64\Papmlmbp.exeC:\Windows\system32\Papmlmbp.exe101⤵PID:2888
-
C:\Windows\SysWOW64\Pfmeddag.exeC:\Windows\system32\Pfmeddag.exe102⤵PID:1700
-
C:\Windows\SysWOW64\Pbcfie32.exeC:\Windows\system32\Pbcfie32.exe103⤵PID:1488
-
C:\Windows\SysWOW64\Pebbeq32.exeC:\Windows\system32\Pebbeq32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Pojgnf32.exeC:\Windows\system32\Pojgnf32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1276 -
C:\Windows\SysWOW64\Pedokpcm.exeC:\Windows\system32\Pedokpcm.exe106⤵PID:872
-
C:\Windows\SysWOW64\Qpjchicb.exeC:\Windows\system32\Qpjchicb.exe107⤵PID:1652
-
C:\Windows\SysWOW64\Qlqdmj32.exeC:\Windows\system32\Qlqdmj32.exe108⤵PID:2988
-
C:\Windows\SysWOW64\Qdlialfb.exeC:\Windows\system32\Qdlialfb.exe109⤵PID:2140
-
C:\Windows\SysWOW64\Aekelo32.exeC:\Windows\system32\Aekelo32.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Agmacgcc.exeC:\Windows\system32\Agmacgcc.exe111⤵PID:1704
-
C:\Windows\SysWOW64\Adqbml32.exeC:\Windows\system32\Adqbml32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1896 -
C:\Windows\SysWOW64\Aniffaim.exeC:\Windows\system32\Aniffaim.exe113⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe114⤵PID:2656
-
C:\Windows\SysWOW64\Apjpglfn.exeC:\Windows\system32\Apjpglfn.exe115⤵PID:524
-
C:\Windows\SysWOW64\Aefhpc32.exeC:\Windows\system32\Aefhpc32.exe116⤵PID:1448
-
C:\Windows\SysWOW64\Alqplmlb.exeC:\Windows\system32\Alqplmlb.exe117⤵PID:824
-
C:\Windows\SysWOW64\Bhgaan32.exeC:\Windows\system32\Bhgaan32.exe118⤵PID:2932
-
C:\Windows\SysWOW64\Bcmeogam.exeC:\Windows\system32\Bcmeogam.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Bhjngnod.exeC:\Windows\system32\Bhjngnod.exe120⤵PID:2040
-
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe121⤵PID:1000
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-