Analysis
max time kernel: 95s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/09/2024, 07:46
Static task: static1
Behavioral task: behavioral1
  Sample: af2a65029e43aae600fcdd0bd12f8fab7cf05e5783a55ab8b32ed0f5ca8304a5N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: af2a65029e43aae600fcdd0bd12f8fab7cf05e5783a55ab8b32ed0f5ca8304a5N.exe
  Resource: win10v2004-20240802-en
General
Target: af2a65029e43aae600fcdd0bd12f8fab7cf05e5783a55ab8b32ed0f5ca8304a5N.exe
Size: 88KB
MD5: abdebcf7a9b45e046072863909478040
SHA1: ec3f8c3fc75b6d1d2dc0e24c801b8a5baf95a6f8
SHA256: af2a65029e43aae600fcdd0bd12f8fab7cf05e5783a55ab8b32ed0f5ca8304a5
SHA512: f6f64b0bdc26aab0d9146c3d296b5575128bbf0332d0327a73e3d3861f3dcd65123f684f8e5da0861b549d295f4e368b1c94f3a6ba62fe5f95676245e94d510c
SSDEEP: 1536:fvjq0K1fkdrAi7A+g5uhCqZFwFL8QOVXtE1ukVd71rFZO7+90vT:fG2tA+g5uEqZCLi9EIIJ15ZO7Vr
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3244, pid_target: 3204, Process: WerFault.exe, procid_target: 779
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeeogdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jagocpnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciojhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fimapddj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdmoehh.dll" Oqcafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leoaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addacj32.dll" Kofbahdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhhqq32.dll" Pbdojdde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almjjpbc.dll" Aaekfonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nicbejbc.dll" Fncfohel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niappepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Bahjqqja.dll" Anlammpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chpaqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Namgmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gopjpf32.dll" Kkfoobkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmmkoj.dll" Jfmppg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocjqgnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klejomgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfmpmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngdlidkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefnlime.dll" Eeeogdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akalha32.dll" Kaedmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kciidcbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icmgol32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddkhijb.dll" Lpbigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeebeo32.dll" Qccpmpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcdcqacf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdhkndch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcpcblaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngpadd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Copllmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khigdhkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oblpff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqhobdjl.dll" Aahofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnqbeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmfpkcnf.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebnhgglb.dll" Ibghfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaeljln.dll" Amfgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boihof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Affjehkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkpoq32.dll" Mcihlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekhlbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglnfpia.dll" Dcigfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eihini32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pepemajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhdace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Comkdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgjbbopk.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anlammpk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdehp32.dll" Gblmgmel.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mplekcch.dll" Naoaig32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emkcfa32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnmhlg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmlkfk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcfmnd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mihdhflm.dll" Dcoklagc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdbkiobe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okpefj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cckoni32.dll" Ihgnpe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epcjmbqm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddfick32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjamkig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limohj32.dll" Pknhbool.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjfkaiok.exe
-
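The entries above register the CLSID as an in-process COM server: each dropped executable creates the InProcServer32 key, writes its default value (the DLL that COM loads into whichever process instantiates the CLSID) and sets ThreadingModel to Apartment. The GUID is the one the "Adds autorun key to be loaded by Explorer.exe on startup" signature reports, so Explorer instantiates it at logon and the DLL runs inside Explorer. Successive writers overwrite the same default value, so the DLL name found on a live host is whichever was written last. The Python below is an example added here, not output of the sandbox or code belonging to the sample; it parses report lines of this shape into one record per CLSID and lists the registry keys a responder should read on the host. The sample input is a constructed subset of the records above, and the parser skips anything that is not a registry record.

```python
"""Turn sandbox registry lines into a per-CLSID picture of the COM hijack.

Report lines have the shape
    <action> <key or value path> [= "<data>"] <writing process>
where action is 'Key created' or 'Set value (str)'.  For 'Set value' the last
path component is the value name; an empty name is the key's default value,
which for an InProcServer32 key is the DLL that COM loads into the caller.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r'^(?P<action>Key created|Set value \(\w+\))\s+'
    r'(?P<target>\S+)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>\S+)$'
)
GUID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)


@dataclass
class ComServer:
    dlls: set = field(default_factory=set)       # InProcServer32 default value(s)
    threading: set = field(default_factory=set)  # ThreadingModel value(s)
    writers: set = field(default_factory=set)    # processes that touched the key


def parse_registry_lines(text):
    """Return {CLSID: ComServer} built from every InProcServer32 record in text."""
    servers = defaultdict(ComServer)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue                                  # not a registry record
        target = m['target']
        guid = GUID_RE.search(target)
        if guid is None or '\\InProcServer32' not in target:
            continue
        srv = servers[guid.group(0).upper()]
        srv.writers.add(m['proc'])
        if m['action'].startswith('Set value'):
            _key, _, name = target.rpartition('\\')   # value name = last component
            data = (m['data'] or '').replace('\\\\', '\\')  # report escapes backslashes
            if name == '' and data:
                srv.dlls.add(data)
            elif name.lower() == 'threadingmodel':
                srv.threading.add(data)
    return dict(servers)


def registry_keys_to_check(clsid):
    """Keys to read on a live host for one CLSID: the COM registration in the
    native and the WOW64 view, plus Explorer's ShellServiceObjectDelayLoad list,
    which is the entry that makes the CLSID load at logon."""
    return [
        rf'HKLM\SOFTWARE\Classes\CLSID\{clsid}\InProcServer32',
        rf'HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{clsid}\InProcServer32',
        r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
        r'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    ]


# Constructed sample input: a subset of the report's own InProcServer32 records.
SAMPLE = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdehp32.dll" Gblmgmel.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emkcfa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmlkfk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mihdhflm.dll" Dcoklagc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limohj32.dll" Pknhbool.exe
'''

if __name__ == '__main__':
    for clsid, srv in parse_registry_lines(SAMPLE).items():
        print(clsid)
        print('  DLLs written to default value:', ', '.join(sorted(srv.dlls)))
        print('  ThreadingModel:', ', '.join(sorted(srv.threading)))
        print('  written by:', ', '.join(sorted(srv.writers)))
        for key in registry_keys_to_check(clsid):
            print('  check:', key)
```

Feed the full signature list rather than this subset to see every DLL name the chain wrote; on a host, read the keys the function returns and compare the InProcServer32 path with the file actually on disk, remembering that the report shows the WOW64 view because the sample is 32-bit.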
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2436 wrote to memory of 1744 2436 af2a65029e43aae600fcdd0bd12f8fab7cf05e5783a55ab8b32ed0f5ca8304a5N.exe 29
PID 2436 wrote to memory of 1744 2436 af2a65029e43aae600fcdd0bd12f8fab7cf05e5783a55ab8b32ed0f5ca8304a5N.exe 29
PID 2436 wrote to memory of 1744 2436 af2a65029e43aae600fcdd0bd12f8fab7cf05e5783a55ab8b32ed0f5ca8304a5N.exe 29
PID 2436 wrote to memory of 1744 2436 af2a65029e43aae600fcdd0bd12f8fab7cf05e5783a55ab8b32ed0f5ca8304a5N.exe 29
PID 1744 wrote to memory of 2796 1744 Affjehkb.exe 30
PID 1744 wrote to memory of 2796 1744 Affjehkb.exe 30
PID 1744 wrote to memory of 2796 1744 Affjehkb.exe 30
PID 1744 wrote to memory of 2796 1744 Affjehkb.exe 30
PID 2796 wrote to memory of 2696 2796 Apoonnac.exe 31
PID 2796 wrote to memory of 2696 2796 Apoonnac.exe 31
PID 2796 wrote to memory of 2696 2796 Apoonnac.exe 31
PID 2796 wrote to memory of 2696 2796 Apoonnac.exe 31
PID 2696 wrote to memory of 2736 2696 Aocloj32.exe 32
PID 2696 wrote to memory of 2736 2696 Aocloj32.exe 32
PID 2696 wrote to memory of 2736 2696 Aocloj32.exe 32
PID 2696 wrote to memory of 2736 2696 Aocloj32.exe 32
PID 2736 wrote to memory of 2836 2736 Abadeh32.exe 33
PID 2736 wrote to memory of 2836 2736 Abadeh32.exe 33
PID 2736 wrote to memory of 2836 2736 Abadeh32.exe 33
PID 2736 wrote to memory of 2836 2736 Abadeh32.exe 33
PID 2836 wrote to memory of 2764 2836 Bohejibe.exe 34
PID 2836 wrote to memory of 2764 2836 Bohejibe.exe 34
PID 2836 wrote to memory of 2764 2836 Bohejibe.exe 34
PID 2836 wrote to memory of 2764 2836 Bohejibe.exe 34
PID 2764 wrote to memory of 2668 2764 Bhqico32.exe 35
PID 2764 wrote to memory of 2668 2764 Bhqico32.exe 35
PID 2764 wrote to memory of 2668 2764 Bhqico32.exe 35
PID 2764 wrote to memory of 2668 2764 Bhqico32.exe 35
PID 2668 wrote to memory of 2312 2668 Bomneh32.exe 36
PID 2668 wrote to memory of 2312 2668 Bomneh32.exe 36
PID 2668 wrote to memory of 2312 2668 Bomneh32.exe 36
PID 2668 wrote to memory of 2312 2668 Bomneh32.exe 36
PID 2312 wrote to memory of 2652 2312 Bhecnndq.exe 37
PID 2312 wrote to memory of 2652 2312 Bhecnndq.exe 37
PID 2312 wrote to memory of 2652 2312 Bhecnndq.exe 37
PID 2312 wrote to memory of 2652 2312 Bhecnndq.exe 37
PID 2652 wrote to memory of 2784 2652 Bndhle32.exe 38
PID 2652 wrote to memory of 2784 2652 Bndhle32.exe 38
PID 2652 wrote to memory of 2784 2652 Bndhle32.exe 38
PID 2652 wrote to memory of 2784 2652 Bndhle32.exe 38
PID 2784 wrote to memory of 1956 2784 Comkdl32.exe 39
PID 2784 wrote to memory of 1956 2784 Comkdl32.exe 39
PID 2784 wrote to memory of 1956 2784 Comkdl32.exe 39
PID 2784 wrote to memory of 1956 2784 Comkdl32.exe 39
PID 1956 wrote to memory of 2776 1956 Coogjloi.exe 40
PID 1956 wrote to memory of 2776 1956 Coogjloi.exe 40
PID 1956 wrote to memory of 2776 1956 Coogjloi.exe 40
PID 1956 wrote to memory of 2776 1956 Coogjloi.exe 40
PID 2776 wrote to memory of 1592 2776 Chglca32.exe 41
PID 2776 wrote to memory of 1592 2776 Chglca32.exe 41
PID 2776 wrote to memory of 1592 2776 Chglca32.exe 41
PID 2776 wrote to memory of 1592 2776 Chglca32.exe 41
PID 1592 wrote to memory of 2080 1592 Ddnmhb32.exe 42
PID 1592 wrote to memory of 2080 1592 Ddnmhb32.exe 42
PID 1592 wrote to memory of 2080 1592 Ddnmhb32.exe 42
PID 1592 wrote to memory of 2080 1592 Ddnmhb32.exe 42
PID 2080 wrote to memory of 2424 2080 Dgoejm32.exe 43
PID 2080 wrote to memory of 2424 2080 Dgoejm32.exe 43
PID 2080 wrote to memory of 2424 2080 Dgoejm32.exe 43
PID 2080 wrote to memory of 2424 2080 Dgoejm32.exe 43
PID 2424 wrote to memory of 2240 2424 Ddcfca32.exe 44
PID 2424 wrote to memory of 2240 2424 Ddcfca32.exe 44
PID 2424 wrote to memory of 2240 2424 Ddcfca32.exe 44
PID 2424 wrote to memory of 2240 2424 Ddcfca32.exe 44
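The 64 records above are four identical calls for each of 16 parent/child pairs, and the target of each pair is the writer of the next, so they describe one chain of hand-offs rather than a single injector with many victims; the signature list stops at 64 entries while the process tree below continues well past that point. The Python below is an example added here, not sandbox output: it parses the records in the run-on form extracted on this page (or one per line), collapses repeated calls while keeping the call count, and walks the chain from the only PID that never appears as a target. It refuses input that is not one linear chain so that a branching tree is not flattened by mistake. The sample is a constructed subset covering the report's first four hops.

```python
"""Rebuild the spawn chain from a sandbox 'wrote to memory of' table.

Each record reads
    PID <src> wrote to memory of <dst> <src> <image of src> <procid_target>
The sandbox logs one record per call, so a parent that touches its child four
times produces four identical records; they are collapsed here, keeping the count.
"""
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(
    r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
    r'(?P<src2>\d+) (?P<image>\S+) (?P<target>\d+)'
)

# Constructed sample: the report's first four hops in the run-on form the page
# extractor produced.  The regex does not depend on line breaks.
HEADER = 'description pid Process procid_target '
SAMPLE = HEADER + ''.join(rec * 4 for rec in (
    'PID 2436 wrote to memory of 1744 2436 '
    'af2a65029e43aae600fcdd0bd12f8fab7cf05e5783a55ab8b32ed0f5ca8304a5N.exe 29 ',
    'PID 1744 wrote to memory of 2796 1744 Affjehkb.exe 30 ',
    'PID 2796 wrote to memory of 2696 2796 Apoonnac.exe 31 ',
    'PID 2696 wrote to memory of 2736 2696 Aocloj32.exe 32 ',
))


def parse_wpm(text):
    """Return [(src_pid, dst_pid, src_image, procid_target), ...], one per logged call."""
    recs = []
    for m in WPM_RE.finditer(text):
        if m['src'] != m['src2']:
            raise ValueError(f'inconsistent record: {m.group(0)}')
        recs.append((int(m['src']), int(m['dst']), m['image'], int(m['target'])))
    return recs


def build_chain(records):
    """Collapse repeated calls and walk the chain from the only PID that is never a target.

    Returns (root_pid, hops); hops is a list of
    (writer_pid, writer_image, child_pid, call_count) in spawn order.
    Raises ValueError if the records do not form one linear chain.
    """
    calls = Counter((s, d, img) for s, d, img, _ in records)
    children = defaultdict(dict)             # writer pid -> {child pid: (image, calls)}
    for (s, d, img), n in calls.items():
        children[s][d] = (img, n)
    targets = {d for kids in children.values() for d in kids}
    roots = [s for s in children if s not in targets]
    if len(roots) != 1:
        raise ValueError(f'expected exactly one root writer, found {sorted(roots)}')
    hops, pid, seen = [], roots[0], set()
    while pid in children:
        if pid in seen:
            raise ValueError(f'cycle at PID {pid}')
        seen.add(pid)
        if len(children[pid]) != 1:
            raise ValueError(f'PID {pid} wrote into {len(children[pid])} processes; not a linear chain')
        child, (image, n) = next(iter(children[pid].items()))
        hops.append((pid, image, child, n))
        pid = child
    return roots[0], hops


if __name__ == '__main__':
    root, hops = build_chain(parse_wpm(SAMPLE))
    print(f'root PID {root}')
    for pid, image, child, n in hops:
        print(f'  {pid} ({image}) -> {child}  [{n} WriteProcessMemory calls]')
```

The image of the last child is not in these records (it only writes nothing, or its writes fall past the 64-entry cap); take it from the process tree, where the child PID of the final hop is the next process listed.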
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\af2a65029e43aae600fcdd0bd12f8fab7cf05e5783a55ab8b32ed0f5ca8304a5N.exe (PID 2436), command line: "C:\Users\Admin\AppData\Local\Temp\af2a65029e43aae600fcdd0bd12f8fab7cf05e5783a55ab8b32ed0f5ca8304a5N.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Affjehkb.exe (PID 1744), command line: C:\Windows\system32\Affjehkb.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Apoonnac.exe (PID 2796), command line: C:\Windows\system32\Apoonnac.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Aocloj32.exe (PID 2696), command line: C:\Windows\system32\Aocloj32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Abadeh32.exe (PID 2736), command line: C:\Windows\system32\Abadeh32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Bohejibe.exe (PID 2836), command line: C:\Windows\system32\Bohejibe.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Bhqico32.exe (PID 2764), command line: C:\Windows\system32\Bhqico32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Bomneh32.exe (PID 2668), command line: C:\Windows\system32\Bomneh32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Bhecnndq.exe (PID 2312), command line: C:\Windows\system32\Bhecnndq.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Bndhle32.exe (PID 2652), command line: C:\Windows\system32\Bndhle32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Comkdl32.exe (PID 2784), command line: C:\Windows\system32\Comkdl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Coogjloi.exe (PID 1956), command line: C:\Windows\system32\Coogjloi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Chglca32.exe (PID 2776), command line: C:\Windows\system32\Chglca32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ddnmhb32.exe (PID 1592), command line: C:\Windows\system32\Ddnmhb32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Dgoejm32.exe (PID 2080), command line: C:\Windows\system32\Dgoejm32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ddcfca32.exe (PID 2424), command line: C:\Windows\system32\Ddcfca32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Dnkjlg32.exe (PID 2240), command line: C:\Windows\system32\Dnkjlg32.exe
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Domgcocg.exe (PID 968), command line: C:\Windows\system32\Domgcocg.exe
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Emcdbc32.exe (PID 1316), command line: C:\Windows\system32\Emcdbc32.exe
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Emeahc32.exe (PID 1444), command line: C:\Windows\system32\Emeahc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Eeqele32.exe (PID 1736), command line: C:\Windows\system32\Eeqele32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Eagfaf32.exe (PID 584), command line: C:\Windows\system32\Eagfaf32.exe
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Eeeogdga.exe (PID 1080), command line: C:\Windows\system32\Eeeogdga.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
24. C:\Windows\SysWOW64\Ejbgpk32.exe (PID 2560), command line: C:\Windows\system32\Ejbgpk32.exe
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Fdmhnqjf.exe (PID 1464), command line: C:\Windows\system32\Fdmhnqjf.exe
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Fmgjmfod.exe (PID 2448), command line: C:\Windows\system32\Fmgjmfod.exe
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Fdabip32.exe (PID 1372), command line: C:\Windows\system32\Fdabip32.exe
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Fphbna32.exe (PID 2204), command line: C:\Windows\system32\Fphbna32.exe
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Feekfh32.exe (PID 2144), command line: C:\Windows\system32\Feekfh32.exe
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Gdlemd32.exe (PID 2812), command line: C:\Windows\system32\Gdlemd32.exe
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Ghjncbch.exe (PID 2624), command line: C:\Windows\system32\Ghjncbch.exe
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Ggpjdohp.exe (PID 2800), command line: C:\Windows\system32\Ggpjdohp.exe
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Gaeoaggf.exe (PID 2852), command line: C:\Windows\system32\Gaeoaggf.exe
- Executes dropped EXE
34. C:\Windows\SysWOW64\Hgbgjnen.exe (PID 2572), command line: C:\Windows\system32\Hgbgjnen.exe
- Executes dropped EXE
35. C:\Windows\SysWOW64\Hlopbe32.exe (PID 2004), command line: C:\Windows\system32\Hlopbe32.exe
- Executes dropped EXE
36. C:\Windows\SysWOW64\Hpmhhcjk.exe (PID 3036), command line: C:\Windows\system32\Hpmhhcjk.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
37. C:\Windows\SysWOW64\Hlffcdnm.exe (PID 2780), command line: C:\Windows\system32\Hlffcdnm.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
38. C:\Windows\SysWOW64\Ibghfj32.exe (PID 3044), command line: C:\Windows\system32\Ibghfj32.exe
- Executes dropped EXE
- Modifies registry class
39. C:\Windows\SysWOW64\Innhkknc.exe (PID 936), command line: C:\Windows\system32\Innhkknc.exe
- Executes dropped EXE
40. C:\Windows\SysWOW64\Ickacb32.exe (PID 2096), command line: C:\Windows\system32\Ickacb32.exe
- Executes dropped EXE
41. C:\Windows\SysWOW64\Igijjqba.exe (PID 2964), command line: C:\Windows\system32\Igijjqba.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
42. C:\Windows\SysWOW64\Iqanbf32.exe (PID 2396), command line: C:\Windows\system32\Iqanbf32.exe
- Executes dropped EXE
- Drops file in System32 directory
43. C:\Windows\SysWOW64\Jcbgdafb.exe (PID 1880), command line: C:\Windows\system32\Jcbgdafb.exe
- Executes dropped EXE
44. C:\Windows\SysWOW64\Jkmlhccn.exe (PID 2044), command line: C:\Windows\system32\Jkmlhccn.exe
- Executes dropped EXE
45. C:\Windows\SysWOW64\Jialbh32.exe (PID 1448), command line: C:\Windows\system32\Jialbh32.exe
- Executes dropped EXE
46. C:\Windows\SysWOW64\Jkohnc32.exe (PID 1784), command line: C:\Windows\system32\Jkohnc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
47. C:\Windows\SysWOW64\Jehmgigk.exe (PID 288), command line: C:\Windows\system32\Jehmgigk.exe
- Executes dropped EXE
48. C:\Windows\SysWOW64\Jomadaga.exe (PID 2264), command line: C:\Windows\system32\Jomadaga.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
49. C:\Windows\SysWOW64\Jghfid32.exe (PID 868), command line: C:\Windows\system32\Jghfid32.exe
- Executes dropped EXE
50. C:\Windows\SysWOW64\Jjgbeo32.exe (PID 1576), command line: C:\Windows\system32\Jjgbeo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
51. C:\Windows\SysWOW64\Kkfoobkc.exe (PID 1280), command line: C:\Windows\system32\Kkfoobkc.exe
- Executes dropped EXE
- Modifies registry class
52. C:\Windows\SysWOW64\Knekknjg.exe (PID 2236), command line: C:\Windows\system32\Knekknjg.exe
- Executes dropped EXE
53. C:\Windows\SysWOW64\Kgmodcqg.exe (PID 3000), command line: C:\Windows\system32\Kgmodcqg.exe
- Executes dropped EXE
54. C:\Windows\SysWOW64\Kaedmi32.exe (PID 2816), command line: C:\Windows\system32\Kaedmi32.exe
- Executes dropped EXE
- Modifies registry class
55. C:\Windows\SysWOW64\Kgplicod.exe (PID 2708), command line: C:\Windows\system32\Kgplicod.exe
- Executes dropped EXE
56. C:\Windows\SysWOW64\Kmldajml.exe (PID 2584), command line: C:\Windows\system32\Kmldajml.exe
- Executes dropped EXE
57. C:\Windows\SysWOW64\Kcfmnd32.exe (PID 2656), command line: C:\Windows\system32\Kcfmnd32.exe
- Executes dropped EXE
- Modifies registry class
58. C:\Windows\SysWOW64\Kicefkbp.exe (PID 1352), command line: C:\Windows\system32\Kicefkbp.exe
- Executes dropped EXE
59. C:\Windows\SysWOW64\Kciidcbf.exe (PID 3032), command line: C:\Windows\system32\Kciidcbf.exe
- Executes dropped EXE
- Modifies registry class
60. C:\Windows\SysWOW64\Lppjid32.exe (PID 3048), command line: C:\Windows\system32\Lppjid32.exe
- Executes dropped EXE
61. C:\Windows\SysWOW64\Lelbak32.exe (PID 2476), command line: C:\Windows\system32\Lelbak32.exe
- Executes dropped EXE
62. C:\Windows\SysWOW64\Llfkne32.exe (PID 1296), command line: C:\Windows\system32\Llfkne32.exe
- Executes dropped EXE
63. C:\Windows\SysWOW64\Lflokn32.exe (PID 2548), command line: C:\Windows\system32\Lflokn32.exe
- Executes dropped EXE
64. C:\Windows\SysWOW64\Logdoq32.exe (PID 928), command line: C:\Windows\system32\Logdoq32.exe
- Executes dropped EXE
- Drops file in System32 directory
65. C:\Windows\SysWOW64\Limhmije.exe (PID 960), command line: C:\Windows\system32\Limhmije.exe
- Executes dropped EXE
66. C:\Windows\SysWOW64\Loiqephm.exe (PID 2440), command line: C:\Windows\system32\Loiqephm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
67. C:\Windows\SysWOW64\Ldfimggd.exe (PID 768), command line: C:\Windows\system32\Ldfimggd.exe
68. C:\Windows\SysWOW64\Lolmjpfj.exe (PID 1772), command line: C:\Windows\system32\Lolmjpfj.exe
69. C:\Windows\SysWOW64\Mhdace32.exe (PID 456), command line: C:\Windows\system32\Mhdace32.exe
- Modifies registry class
70. C:\Windows\SysWOW64\Monjpp32.exe (PID 1944), command line: C:\Windows\system32\Monjpp32.exe
71. C:\Windows\SysWOW64\Mdkbhf32.exe (PID 2256), command line: C:\Windows\system32\Mdkbhf32.exe
72. C:\Windows\SysWOW64\Maocak32.exe (PID 2228), command line: C:\Windows\system32\Maocak32.exe
73. C:\Windows\SysWOW64\Mcpoicgg.exe (PID 2868), command line: C:\Windows\system32\Mcpoicgg.exe
74. C:\Windows\SysWOW64\Mmecgl32.exe (PID 2940), command line: C:\Windows\system32\Mmecgl32.exe
75. C:\Windows\SysWOW64\Mdplcfoi.exe (PID 2752), command line: C:\Windows\system32\Mdplcfoi.exe
76. C:\Windows\SysWOW64\Meqhkn32.exe (PID 2568), command line: C:\Windows\system32\Meqhkn32.exe
77. C:\Windows\SysWOW64\Moimdckh.exe (PID 2660), command line: C:\Windows\system32\Moimdckh.exe
78. C:\Windows\SysWOW64\Meceqn32.exe (PID 3040), command line: C:\Windows\system32\Meceqn32.exe
- System Location Discovery: System Language Discovery
79. C:\Windows\SysWOW64\Ncgejbao.exe (PID 2628), command line: C:\Windows\system32\Ncgejbao.exe
80. C:\Windows\SysWOW64\Niangl32.exe (PID 1160), command line: C:\Windows\system32\Niangl32.exe
81. C:\Windows\SysWOW64\Ncibpaol.exe (PID 1068), command line: C:\Windows\system32\Ncibpaol.exe
- System Location Discovery: System Language Discovery
82. C:\Windows\SysWOW64\Nehnlmnp.exe (PID 2260), command line: C:\Windows\system32\Nehnlmnp.exe
83. C:\Windows\SysWOW64\Nkdgddmg.exe (PID 2496), command line: C:\Windows\system32\Nkdgddmg.exe
84. C:\Windows\SysWOW64\Nejkam32.exe (PID 944), command line: C:\Windows\system32\Nejkam32.exe
85. C:\Windows\SysWOW64\Nnepfo32.exe (PID 2972), command line: C:\Windows\system32\Nnepfo32.exe
86. C:\Windows\SysWOW64\Nkipoc32.exe (PID 748), command line: C:\Windows\system32\Nkipoc32.exe
87. C:\Windows\SysWOW64\Nqfigjgi.exe (PID 1572), command line: C:\Windows\system32\Nqfigjgi.exe
88. C:\Windows\SysWOW64\Ngpadd32.exe (PID 2540), command line: C:\Windows\system32\Ngpadd32.exe
- Modifies registry class
89. C:\Windows\SysWOW64\Olmilk32.exe (PID 660), command line: C:\Windows\system32\Olmilk32.exe
90. C:\Windows\SysWOW64\Ocgbiedj.exe (PID 2924), command line: C:\Windows\system32\Ocgbiedj.exe
91. C:\Windows\SysWOW64\Onlffncp.exe (PID 1948), command line: C:\Windows\system32\Onlffncp.exe
92. C:\Windows\SysWOW64\Oonbnfio.exe (PID 2192), command line: C:\Windows\system32\Oonbnfio.exe
93. C:\Windows\SysWOW64\Omacgjhh.exe (PID 2088), command line: C:\Windows\system32\Omacgjhh.exe
94. C:\Windows\SysWOW64\Oclkdd32.exe (PID 1532), command line: C:\Windows\system32\Oclkdd32.exe
95. C:\Windows\SysWOW64\Okgphg32.exe (PID 2908), command line: C:\Windows\system32\Okgphg32.exe
96. C:\Windows\SysWOW64\Ocnhjdnb.exe (PID 2248), command line: C:\Windows\system32\Ocnhjdnb.exe
97. C:\Windows\SysWOW64\Omflbj32.exe (PID 2244), command line: C:\Windows\system32\Omflbj32.exe
98. C:\Windows\SysWOW64\Pfoakokc.exe (PID 568), command line: C:\Windows\system32\Pfoakokc.exe
99. C:\Windows\SysWOW64\Pkkicfik.exe (PID 1376), command line: C:\Windows\system32\Pkkicfik.exe
100. C:\Windows\SysWOW64\Pqhblm32.exe (PID 1588), command line: C:\Windows\system32\Pqhblm32.exe
101. C:\Windows\SysWOW64\Pknfif32.exe (PID 2124), command line: C:\Windows\system32\Pknfif32.exe
102. C:\Windows\SysWOW64\Pbhnfpoe.exe (PID 1616), command line: C:\Windows\system32\Pbhnfpoe.exe
- Drops file in System32 directory
103. C:\Windows\SysWOW64\Pjccjblp.exe (PID 2724), command line: C:\Windows\system32\Pjccjblp.exe
104. C:\Windows\SysWOW64\Pehggk32.exe (PID 2076), command line: C:\Windows\system32\Pehggk32.exe
- System Location Discovery: System Language Discovery
105. C:\Windows\SysWOW64\Pjeppb32.exe (PID 2056), command line: C:\Windows\system32\Pjeppb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
106. C:\Windows\SysWOW64\Paohmlaj.exe (PID 2188), command line: C:\Windows\system32\Paohmlaj.exe
107. C:\Windows\SysWOW64\Pjhlea32.exe (PID 2680), command line: C:\Windows\system32\Pjhlea32.exe
108. C:\Windows\SysWOW64\Qaadblog.exe (PID 976), command line: C:\Windows\system32\Qaadblog.exe
- System Location Discovery: System Language Discovery
109. C:\Windows\SysWOW64\Qbcajdee.exe (PID 280), command line: C:\Windows\system32\Qbcajdee.exe
110. C:\Windows\SysWOW64\Qimifn32.exe (PID 2372), command line: C:\Windows\system32\Qimifn32.exe
111. C:\Windows\SysWOW64\Qpgachdo.exe (PID 2168), command line: C:\Windows\system32\Qpgachdo.exe
- System Location Discovery: System Language Discovery
112. C:\Windows\SysWOW64\Alnbhi32.exe (PID 1976), command line: C:\Windows\system32\Alnbhi32.exe
- System Location Discovery: System Language Discovery
113. C:\Windows\SysWOW64\Afcfebii.exe (PID 744), command line: C:\Windows\system32\Afcfebii.exe
114. C:\Windows\SysWOW64\Abjgjc32.exe (PID 880), command line: C:\Windows\system32\Abjgjc32.exe
115. C:\Windows\SysWOW64\Bejlkaoj.exe (PID 1524), command line: C:\Windows\system32\Bejlkaoj.exe
116. C:\Windows\SysWOW64\Cpkclnea.exe (PID 2768), command line: C:\Windows\system32\Cpkclnea.exe
- Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Dfobed32.exe (PID 2704), command line: C:\Windows\system32\Dfobed32.exe
118. C:\Windows\SysWOW64\Dnopdf32.exe (PID 1480), command line: C:\Windows\system32\Dnopdf32.exe
119. C:\Windows\SysWOW64\Dhddbo32.exe (PID 972), command line: C:\Windows\system32\Dhddbo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Enamje32.exe (PID 2420), command line: C:\Windows\system32\Enamje32.exe
121. C:\Windows\SysWOW64\Edkegplp.exe (PID 2380), command line: C:\Windows\system32\Edkegplp.exe
122. C:\Windows\SysWOW64\Ekemci32.exe (PID 916), command line: C:\Windows\system32\Ekemci32.exe