Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 20s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/10/2024, 01:54

Static task: static1
Behavioral task: behavioral1
  Sample: 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe
  Resource: win10v2004-20241007-en
General
Target: 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe
Size: 96KB
MD5: dec971891359fd42cfe194d80f4f82f0
SHA1: 2cbc6b443b1008b96e2d9c7826f5e5f0c1bbf8d6
SHA256: 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573d
SHA512: b4edec6680d42deb869b6b24fb5f4b00066d49c7e33036434a0c16ace4a7e2766ce36246d2c70b088be9b39a74cfb5191e1eb57784ce2d0dc64ed1cb4215ed09
SSDEEP: 1536:8X8KQd2dgUuEFi1OSrjfd+CQg2Lk1VPXuhiTMuZXGTIVefVDkryyAyqX:a8/rEFdSvfIaVPXuhuXGQmVDeCyqX
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
How this works: when the shell starts, explorer.exe instantiates every CLSID listed as a value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, loading the DLL registered as that CLSID's InProcServer32. Every stage of this sample writes the value "Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738} and (see "Modifies registry class" below) points that CLSID's InProcServer32 at a DLL it drops into C:\Windows\SysWow64. Caveat for this x64 run: the sample is a 32-bit binary, so WOW64 registry redirection lands its writes in the Wow6432Node view of the key and its DLL lives in SysWOW64; the default 64-bit explorer.exe reads the native key, so on a 64-bit host this entry is only picked up by a 32-bit Explorer instance, while on a 32-bit host the same code writes the native key and the autorun is effective.

description: Key created
ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process (33): Ldgnmhhj.exe, Boainhic.exe, Gdpfbd32.exe, Opqdcgib.exe, Opcaiggo.exe, Hancef32.exe, Fiopah32.exe, Kmmiaknb.exe, Agmacgcc.exe, Ginefe32.exe, Eiocbd32.exe, Fgcpkldh.exe, Glajmppm.exe, Hhjhgpcn.exe, Mkconepp.exe, Dippfplg.exe, Kfenjq32.exe, Onmgeb32.exe, Qkcdigpa.exe, Ckopch32.exe, Jmkmlk32.exe, Mlnbmikh.exe, Ijbjpg32.exe, Ohqbbi32.exe, Iapfmg32.exe, Npngng32.exe, Oikeal32.exe, Njaoeq32.exe, Galfpgpg.exe, Hfookk32.exe, Flkohc32.exe, Gnjhaj32.exe, Hggeeo32.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process (31): Flkohc32.exe, Gknhjn32.exe, Hgeenb32.exe, Fhcehngk.exe, Hnjdpm32.exe, Pebbeq32.exe, Aabfqp32.exe, Nccmng32.exe, Bbdoec32.exe, Ccmanjch.exe, Cocbbk32.exe, Dfbdje32.exe, Boainhic.exe, Gohqhl32.exe, Opqdcgib.exe, Jmmmbg32.exe, Kfenjq32.exe, Elcbmn32.exe, Fangfcki.exe, Eiocbd32.exe, Ldikbhfh.exe, Faedpdcc.exe, Galfpgpg.exe, 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe, Jnafop32.exe, Njaoeq32.exe, Dahobdpe.exe, Dpmlcpdm.exe, Opcaiggo.exe, Bjgmka32.exe, Hhhkbqea.exe
Executes dropped EXE (64 IoCs)
pid  Process
2028 Clkfjman.exe   2172 Dahobdpe.exe   2912 Dnlolhoo.exe   2888 Dpmlcpdm.exe
2936 Dbqajk32.exe   2036 Dogbolep.exe   1636 Eiocbd32.exe   2668 Elpldp32.exe
3000 Eehqme32.exe    552 Eaoaafli.exe    816 Epdncb32.exe   3028 Flkohc32.exe
1252 Fiopah32.exe   2536 Fgcpkldh.exe   2872 Fkeedo32.exe   2492 Gdpfbd32.exe
1056 Gnjhaj32.exe   2652 Gknhjn32.exe   1496 Gqkqbe32.exe   1784 Hggeeo32.exe
1160 Hhhblgim.exe   2644 Hfookk32.exe   1572 Hnjdpm32.exe   1904 Hbhmfk32.exe
2352 Hgeenb32.exe   1596 Hjcajn32.exe   2440 Iclfccmq.exe   2148 Iapfmg32.exe
2900 Ijhkembk.exe   2724 Icbldbgi.exe   2804 Ipimic32.exe   2748 Jmmmbg32.exe
2024 Jnafop32.exe   2032 Jadlgjjq.exe   1032 Jmkmlk32.exe    852 Kmmiaknb.exe
1464 Kfenjq32.exe    580 Kocodbpk.exe   1832 Lafekm32.exe   1988 Ldgnmhhj.exe
2268 Ldikbhfh.exe   2060 Lnaokn32.exe   1128 Lgjcdc32.exe   1888 Mjmiknng.exe
2616 Mbhnpplb.exe   1820 Mlnbmikh.exe   2220 Mbkkepio.exe   2480 Mkconepp.exe
2040 Mdkcgk32.exe   1716 Moahdd32.exe   2980 Niilmi32.exe   2908 Njjieace.exe
2796 Nccmng32.exe   2696 Nnhakp32.exe   3056 Nfcfob32.exe   2704 Nmnoll32.exe
1116 Njaoeq32.exe   1424 Npngng32.exe   2940 Oiglfm32.exe   3020 Opqdcgib.exe
1720 Oenmkngi.exe   2276 Opcaiggo.exe   2212 Oikeal32.exe   2232 Obdjjb32.exe
Loads dropped DLL (64 IoCs)
pid/Process pairs; each process appears twice in the report, i.e. two load events per process:
2412 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe
2028 Clkfjman.exe   2172 Dahobdpe.exe   2912 Dnlolhoo.exe   2888 Dpmlcpdm.exe
2936 Dbqajk32.exe   2036 Dogbolep.exe   1636 Eiocbd32.exe   2668 Elpldp32.exe
3000 Eehqme32.exe    552 Eaoaafli.exe    816 Epdncb32.exe   3028 Flkohc32.exe
1252 Fiopah32.exe   2536 Fgcpkldh.exe   2872 Fkeedo32.exe   2492 Gdpfbd32.exe
1056 Gnjhaj32.exe   2652 Gknhjn32.exe   1496 Gqkqbe32.exe   1784 Hggeeo32.exe
1160 Hhhblgim.exe   2644 Hfookk32.exe   1572 Hnjdpm32.exe   1904 Hbhmfk32.exe
2352 Hgeenb32.exe   1596 Hjcajn32.exe   2440 Iclfccmq.exe   2148 Iapfmg32.exe
2900 Ijhkembk.exe   2724 Icbldbgi.exe   2804 Ipimic32.exe
Drops file in System32 directory (64 IoCs)
Every stage drops the next stage's EXE and its own DLL into C:\Windows\SysWOW64 (the 32-bit system directory on this x64 image).
description                    ioc                                   Process
File opened for modification   C:\Windows\SysWOW64\Jmkmlk32.exe      Jadlgjjq.exe
File created                   C:\Windows\SysWOW64\Njaoeq32.exe      Nmnoll32.exe
File created                   C:\Windows\SysWOW64\Agmacgcc.exe      Aoamoefh.exe
File opened for modification   C:\Windows\SysWOW64\Fgibijkb.exe      Fhcehngk.exe
File opened for modification   C:\Windows\SysWOW64\Hggeeo32.exe      Gqkqbe32.exe
File opened for modification   C:\Windows\SysWOW64\Icbldbgi.exe      Ijhkembk.exe
File created                   C:\Windows\SysWOW64\Ggmldj32.exe      Giikkehc.exe
File created                   C:\Windows\SysWOW64\Hggeeo32.exe      Gqkqbe32.exe
File created                   C:\Windows\SysWOW64\Giemhaee.dll      Ohqbbi32.exe
File created                   C:\Windows\SysWOW64\Pebbeq32.exe      Ppejmj32.exe
File opened for modification   C:\Windows\SysWOW64\Hnljkf32.exe      Hgbanlfc.exe
File created                   C:\Windows\SysWOW64\Eaoaafli.exe      Eehqme32.exe
File created                   C:\Windows\SysWOW64\Lafekm32.exe      Kocodbpk.exe
File created                   C:\Windows\SysWOW64\Cbihpbpl.exe      Ckopch32.exe
File created                   C:\Windows\SysWOW64\Jnbbgfli.dll      Elcbmn32.exe
File created                   C:\Windows\SysWOW64\Jljoia32.dll      Hhhblgim.exe
File created                   C:\Windows\SysWOW64\Kcindbjd.dll      Ghcbga32.exe
File created                   C:\Windows\SysWOW64\Dpmlcpdm.exe      Dnlolhoo.exe
File opened for modification   C:\Windows\SysWOW64\Njjieace.exe      Niilmi32.exe
File created                   C:\Windows\SysWOW64\Boainhic.exe      Bfieec32.exe
File opened for modification   C:\Windows\SysWOW64\Elcbmn32.exe      Efdmohmm.exe
File created                   C:\Windows\SysWOW64\Bealkk32.dll      Faedpdcc.exe
File created                   C:\Windows\SysWOW64\Dpmmdfgc.dll      Lgjcdc32.exe
File created                   C:\Windows\SysWOW64\Apgcbmha.exe      Aabfqp32.exe
File opened for modification   C:\Windows\SysWOW64\Bjgmka32.exe      Boainhic.exe
File created                   C:\Windows\SysWOW64\Kkngmm32.dll      Ccmanjch.exe
File created                   C:\Windows\SysWOW64\Ginefe32.exe      Gohqhl32.exe
File opened for modification   C:\Windows\SysWOW64\Ginefe32.exe      Gohqhl32.exe
File created                   C:\Windows\SysWOW64\Ponioeij.dll      Epdncb32.exe
File created                   C:\Windows\SysWOW64\Dmmjim32.dll      Gknhjn32.exe
File created                   C:\Windows\SysWOW64\Hnjdpm32.exe      Hfookk32.exe
File created                   C:\Windows\SysWOW64\Ckdppcdq.dll      Nmnoll32.exe
File opened for modification   C:\Windows\SysWOW64\Dnmhogjo.exe      Dippfplg.exe
File opened for modification   C:\Windows\SysWOW64\Hjkdoh32.exe      Hhjhgpcn.exe
File created                   C:\Windows\SysWOW64\Nmnoll32.exe      Nfcfob32.exe
File opened for modification   C:\Windows\SysWOW64\Opcaiggo.exe      Oenmkngi.exe
File opened for modification   C:\Windows\SysWOW64\Hgpeimhf.exe      Hdailaib.exe
File created                   C:\Windows\SysWOW64\Pppnpb32.dll      Kfenjq32.exe
File opened for modification   C:\Windows\SysWOW64\Jmmmbg32.exe      Ipimic32.exe
File created                   C:\Windows\SysWOW64\Pkgpaq32.dll      Jadlgjjq.exe
File created                   C:\Windows\SysWOW64\Oenmkngi.exe      Opqdcgib.exe
File created                   C:\Windows\SysWOW64\Nfighccb.dll      Pdllci32.exe
File created                   C:\Windows\SysWOW64\Dnlolhoo.exe      Dahobdpe.exe
File created                   C:\Windows\SysWOW64\Bhljlnma.exe      Bcobdgoj.exe
File created                   C:\Windows\SysWOW64\Mfeiad32.dll      Cocbbk32.exe
File opened for modification   C:\Windows\SysWOW64\Eccdmmpk.exe      Dnmhogjo.exe
File opened for modification   C:\Windows\SysWOW64\Qdlialfb.exe      Qkcdigpa.exe
File created                   C:\Windows\SysWOW64\Kcnhokob.dll      Flkohc32.exe
File opened for modification   C:\Windows\SysWOW64\Hancef32.exe      Glajmppm.exe
File created                   C:\Windows\SysWOW64\Jmkmlk32.exe      Jadlgjjq.exe
File created                   C:\Windows\SysWOW64\Fpmcpglh.dll      Lafekm32.exe
File created                   C:\Windows\SysWOW64\Fangfcki.exe      Fgibijkb.exe
File opened for modification   C:\Windows\SysWOW64\Lnaokn32.exe      Ldikbhfh.exe
File created                   C:\Windows\SysWOW64\Oaiglnih.exe      Ohqbbi32.exe
File created                   C:\Windows\SysWOW64\Bbekbnge.dll      Bbdoec32.exe
File created                   C:\Windows\SysWOW64\Elpldp32.exe      Eiocbd32.exe
File created                   C:\Windows\SysWOW64\Hfookk32.exe      Hhhblgim.exe
File created                   C:\Windows\SysWOW64\Lmaadi32.dll      Ijhkembk.exe
File created                   C:\Windows\SysWOW64\Nffpfe32.dll      Pebbeq32.exe
File created                   C:\Windows\SysWOW64\Eccdmmpk.exe      Dnmhogjo.exe
File created                   C:\Windows\SysWOW64\Epdncb32.exe      Eaoaafli.exe
File opened for modification   C:\Windows\SysWOW64\Ijbjpg32.exe      Hnljkf32.exe
File created                   C:\Windows\SysWOW64\Cmjoaofc.exe      Cjkcedgp.exe
File opened for modification   C:\Windows\SysWOW64\Cmjoaofc.exe      Cjkcedgp.exe
Program crash (1 IoCs)
pid 2556, pid_target 2608, Process WerFault.exe, procid_target 167
WerFault.exe (pid 2556) was launched to handle a crash in pid 2608; that pid is not among the processes shown in the truncated lists on this page.
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (64): Cmgblphf.exe, Glajmppm.exe, Hnljkf32.exe, Dbqajk32.exe, Pjfdpckc.exe, Pojgnf32.exe, Aoamoefh.exe, Bcobdgoj.exe, Ebpgoh32.exe, Flhkhnel.exe, Hhhblgim.exe, Oenmkngi.exe, Pdllci32.exe, Fkeedo32.exe, Hnjdpm32.exe, Kmmiaknb.exe, Moahdd32.exe, Dfbdje32.exe, Faedpdcc.exe, Hgbanlfc.exe, 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe, Dpmlcpdm.exe, Mbkkepio.exe, Pjchjcmf.exe, Aefhpc32.exe, Bhljlnma.exe, Ginefe32.exe, Geeekf32.exe, Dnlolhoo.exe, Onmgeb32.exe, Epakcm32.exe, Fhcehngk.exe, Ggmldj32.exe, Cbihpbpl.exe, Dippfplg.exe, Gcocnk32.exe, Gohqhl32.exe, Hjcajn32.exe, Lafekm32.exe, Ohqbbi32.exe, Cjkcedgp.exe, Eccdmmpk.exe, Fgibijkb.exe, Galfpgpg.exe, Hdailaib.exe, Hbhmfk32.exe, Dogbolep.exe, Gdpfbd32.exe, Oaiglnih.exe, Qdlialfb.exe, Cmjoaofc.exe, Dnmhogjo.exe, Hgpeimhf.exe, Lnaokn32.exe, Mjmiknng.exe, Bfieec32.exe, Efdmohmm.exe, Hkfgnldd.exe, Iqmcmaja.exe, Hggeeo32.exe, Iapfmg32.exe, Kfenjq32.exe, Qkcdigpa.exe, Giikkehc.exe
Modifies registry class (64 IoCs)
This is the other half of the ShellServiceObjectDelayLoad autorun: the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} is registered as an in-process COM server with ThreadingModel "Apartment" and its InProcServer32 default value set to a DLL in C:\Windows\SysWow64. Note that each stage re-points the same CLSID at its own freshly dropped DLL (the DLL names match the "File created ... .dll" rows above), so the last stage to run decides which DLL Explorer loads.

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}
Process (1): 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Process (23): Ldgnmhhj.exe, Apgcbmha.exe, Fagqed32.exe, Pjfdpckc.exe, Hhjhgpcn.exe, Kocodbpk.exe, Lgjcdc32.exe, Mkconepp.exe, Gohqhl32.exe, Fokaoh32.exe, Lafekm32.exe, Bkmcni32.exe, Jadlgjjq.exe, Bjgmka32.exe, Ebpgoh32.exe, Epdncb32.exe, Opcaiggo.exe, Ggmldj32.exe, Boainhic.exe, Cmjoaofc.exe, Hjcajn32.exe, Cbdkdffm.exe, Pfmeddag.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Process (20): Nnhakp32.exe, Hgbanlfc.exe, Ldikbhfh.exe, Hhjhgpcn.exe, Dnlolhoo.exe, Hjkdoh32.exe, Agakog32.exe, Fagqed32.exe, Oaiglnih.exe, Pjfdpckc.exe, Dpmlcpdm.exe, Bkmcni32.exe, Mdkcgk32.exe, Cmgblphf.exe, Mjmiknng.exe, Iapfmg32.exe, Hfookk32.exe, Gdpfbd32.exe, Aoamoefh.exe, Bjgmka32.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default) = "C:\\Windows\\SysWow64\\<dll>"
<dll>           Process
Lchfbild.dll    Aefhpc32.exe
Lbinkahf.dll    Nfcfob32.exe
Oifcbl32.dll    Kmmiaknb.exe
Hknmke32.dll    Elpldp32.exe
Mplmipff.dll    Eehqme32.exe
Fndcfjlj.dll    Dfbdje32.exe
Fkkdedfm.dll    Fljhmmci.exe
Fbgdlq32.dll    Fangfcki.exe
Bjpjnd32.dll    Gphmbolk.exe
Hadpaf32.dll    Ppejmj32.exe
Hhfdkgij.dll    Dnmhogjo.exe
Jkocglhl.dll    Gohqhl32.exe
Kcnhokob.dll    Flkohc32.exe
Dmmjim32.dll    Gknhjn32.exe
Calonbcf.dll    Bcobdgoj.exe
Jmbilgok.dll    Bhljlnma.exe
Gnhfacfn.dll    Njjieace.exe
Pbbfhefe.dll    Oenmkngi.exe
Mimbabic.dll    Dahobdpe.exe
Fpmcpglh.dll    Lafekm32.exe
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2412 wrote to memory of 2028 | 2412 | 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe | 29 |
| PID 2412 wrote to memory of 2028 | 2412 | 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe | 29 |
| PID 2412 wrote to memory of 2028 | 2412 | 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe | 29 |
| PID 2412 wrote to memory of 2028 | 2412 | 9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe | 29 |
| PID 2028 wrote to memory of 2172 | 2028 | Clkfjman.exe | 30 |
| PID 2028 wrote to memory of 2172 | 2028 | Clkfjman.exe | 30 |
| PID 2028 wrote to memory of 2172 | 2028 | Clkfjman.exe | 30 |
| PID 2028 wrote to memory of 2172 | 2028 | Clkfjman.exe | 30 |
| PID 2172 wrote to memory of 2912 | 2172 | Dahobdpe.exe | 31 |
| PID 2172 wrote to memory of 2912 | 2172 | Dahobdpe.exe | 31 |
| PID 2172 wrote to memory of 2912 | 2172 | Dahobdpe.exe | 31 |
| PID 2172 wrote to memory of 2912 | 2172 | Dahobdpe.exe | 31 |
| PID 2912 wrote to memory of 2888 | 2912 | Dnlolhoo.exe | 32 |
| PID 2912 wrote to memory of 2888 | 2912 | Dnlolhoo.exe | 32 |
| PID 2912 wrote to memory of 2888 | 2912 | Dnlolhoo.exe | 32 |
| PID 2912 wrote to memory of 2888 | 2912 | Dnlolhoo.exe | 32 |
| PID 2888 wrote to memory of 2936 | 2888 | Dpmlcpdm.exe | 33 |
| PID 2888 wrote to memory of 2936 | 2888 | Dpmlcpdm.exe | 33 |
| PID 2888 wrote to memory of 2936 | 2888 | Dpmlcpdm.exe | 33 |
| PID 2888 wrote to memory of 2936 | 2888 | Dpmlcpdm.exe | 33 |
| PID 2936 wrote to memory of 2036 | 2936 | Dbqajk32.exe | 34 |
| PID 2936 wrote to memory of 2036 | 2936 | Dbqajk32.exe | 34 |
| PID 2936 wrote to memory of 2036 | 2936 | Dbqajk32.exe | 34 |
| PID 2936 wrote to memory of 2036 | 2936 | Dbqajk32.exe | 34 |
| PID 2036 wrote to memory of 1636 | 2036 | Dogbolep.exe | 35 |
| PID 2036 wrote to memory of 1636 | 2036 | Dogbolep.exe | 35 |
| PID 2036 wrote to memory of 1636 | 2036 | Dogbolep.exe | 35 |
| PID 2036 wrote to memory of 1636 | 2036 | Dogbolep.exe | 35 |
| PID 1636 wrote to memory of 2668 | 1636 | Eiocbd32.exe | 36 |
| PID 1636 wrote to memory of 2668 | 1636 | Eiocbd32.exe | 36 |
| PID 1636 wrote to memory of 2668 | 1636 | Eiocbd32.exe | 36 |
| PID 1636 wrote to memory of 2668 | 1636 | Eiocbd32.exe | 36 |
| PID 2668 wrote to memory of 3000 | 2668 | Elpldp32.exe | 37 |
| PID 2668 wrote to memory of 3000 | 2668 | Elpldp32.exe | 37 |
| PID 2668 wrote to memory of 3000 | 2668 | Elpldp32.exe | 37 |
| PID 2668 wrote to memory of 3000 | 2668 | Elpldp32.exe | 37 |
| PID 3000 wrote to memory of 552 | 3000 | Eehqme32.exe | 38 |
| PID 3000 wrote to memory of 552 | 3000 | Eehqme32.exe | 38 |
| PID 3000 wrote to memory of 552 | 3000 | Eehqme32.exe | 38 |
| PID 3000 wrote to memory of 552 | 3000 | Eehqme32.exe | 38 |
| PID 552 wrote to memory of 816 | 552 | Eaoaafli.exe | 39 |
| PID 552 wrote to memory of 816 | 552 | Eaoaafli.exe | 39 |
| PID 552 wrote to memory of 816 | 552 | Eaoaafli.exe | 39 |
| PID 552 wrote to memory of 816 | 552 | Eaoaafli.exe | 39 |
| PID 816 wrote to memory of 3028 | 816 | Epdncb32.exe | 40 |
| PID 816 wrote to memory of 3028 | 816 | Epdncb32.exe | 40 |
| PID 816 wrote to memory of 3028 | 816 | Epdncb32.exe | 40 |
| PID 816 wrote to memory of 3028 | 816 | Epdncb32.exe | 40 |
| PID 3028 wrote to memory of 1252 | 3028 | Flkohc32.exe | 41 |
| PID 3028 wrote to memory of 1252 | 3028 | Flkohc32.exe | 41 |
| PID 3028 wrote to memory of 1252 | 3028 | Flkohc32.exe | 41 |
| PID 3028 wrote to memory of 1252 | 3028 | Flkohc32.exe | 41 |
| PID 1252 wrote to memory of 2536 | 1252 | Fiopah32.exe | 42 |
| PID 1252 wrote to memory of 2536 | 1252 | Fiopah32.exe | 42 |
| PID 1252 wrote to memory of 2536 | 1252 | Fiopah32.exe | 42 |
| PID 1252 wrote to memory of 2536 | 1252 | Fiopah32.exe | 42 |
| PID 2536 wrote to memory of 2872 | 2536 | Fgcpkldh.exe | 43 |
| PID 2536 wrote to memory of 2872 | 2536 | Fgcpkldh.exe | 43 |
| PID 2536 wrote to memory of 2872 | 2536 | Fgcpkldh.exe | 43 |
| PID 2536 wrote to memory of 2872 | 2536 | Fgcpkldh.exe | 43 |
| PID 2872 wrote to memory of 2492 | 2872 | Fkeedo32.exe | 44 |
| PID 2872 wrote to memory of 2492 | 2872 | Fkeedo32.exe | 44 |
| PID 2872 wrote to memory of 2492 | 2872 | Fkeedo32.exe | 44 |
| PID 2872 wrote to memory of 2492 | 2872 | Fkeedo32.exe | 44 |
Processes

C:\Users\Admin\AppData\Local\Temp\9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\9d49917941e5af4e856d0e0cc0e6171ae202a4125e54415be58412c37bce573dN.exe"; depth 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2412

C:\Windows\SysWOW64\Clkfjman.exe (command line: C:\Windows\system32\Clkfjman.exe; depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2028

C:\Windows\SysWOW64\Dahobdpe.exe (command line: C:\Windows\system32\Dahobdpe.exe; depth 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2172

C:\Windows\SysWOW64\Dnlolhoo.exe (command line: C:\Windows\system32\Dnlolhoo.exe; depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2912

C:\Windows\SysWOW64\Dpmlcpdm.exe (command line: C:\Windows\system32\Dpmlcpdm.exe; depth 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2888

C:\Windows\SysWOW64\Dbqajk32.exe (command line: C:\Windows\system32\Dbqajk32.exe; depth 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2936

C:\Windows\SysWOW64\Dogbolep.exe (command line: C:\Windows\system32\Dogbolep.exe; depth 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2036

C:\Windows\SysWOW64\Eiocbd32.exe (command line: C:\Windows\system32\Eiocbd32.exe; depth 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1636

C:\Windows\SysWOW64\Elpldp32.exe (command line: C:\Windows\system32\Elpldp32.exe; depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2668

C:\Windows\SysWOW64\Eehqme32.exe (command line: C:\Windows\system32\Eehqme32.exe; depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3000

C:\Windows\SysWOW64\Eaoaafli.exe (command line: C:\Windows\system32\Eaoaafli.exe; depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 552

C:\Windows\SysWOW64\Epdncb32.exe (command line: C:\Windows\system32\Epdncb32.exe; depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 816

C:\Windows\SysWOW64\Flkohc32.exe (command line: C:\Windows\system32\Flkohc32.exe; depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3028

C:\Windows\SysWOW64\Fiopah32.exe (command line: C:\Windows\system32\Fiopah32.exe; depth 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1252

C:\Windows\SysWOW64\Fgcpkldh.exe (command line: C:\Windows\system32\Fgcpkldh.exe; depth 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2536

C:\Windows\SysWOW64\Fkeedo32.exe (command line: C:\Windows\system32\Fkeedo32.exe; depth 16)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2872

C:\Windows\SysWOW64\Gdpfbd32.exe (command line: C:\Windows\system32\Gdpfbd32.exe; depth 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2492

C:\Windows\SysWOW64\Gnjhaj32.exe (command line: C:\Windows\system32\Gnjhaj32.exe; depth 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1056

C:\Windows\SysWOW64\Gknhjn32.exe (command line: C:\Windows\system32\Gknhjn32.exe; depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2652

C:\Windows\SysWOW64\Gqkqbe32.exe (command line: C:\Windows\system32\Gqkqbe32.exe; depth 20)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1496

C:\Windows\SysWOW64\Hggeeo32.exe (command line: C:\Windows\system32\Hggeeo32.exe; depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1784

C:\Windows\SysWOW64\Hhhblgim.exe (command line: C:\Windows\system32\Hhhblgim.exe; depth 22)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1160

C:\Windows\SysWOW64\Hfookk32.exe (command line: C:\Windows\system32\Hfookk32.exe; depth 23)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2644

C:\Windows\SysWOW64\Hnjdpm32.exe (command line: C:\Windows\system32\Hnjdpm32.exe; depth 24)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1572

C:\Windows\SysWOW64\Hbhmfk32.exe (command line: C:\Windows\system32\Hbhmfk32.exe; depth 25)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1904

C:\Windows\SysWOW64\Hgeenb32.exe (command line: C:\Windows\system32\Hgeenb32.exe; depth 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2352

C:\Windows\SysWOW64\Hjcajn32.exe (command line: C:\Windows\system32\Hjcajn32.exe; depth 27)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1596

C:\Windows\SysWOW64\Iclfccmq.exe (command line: C:\Windows\system32\Iclfccmq.exe; depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID: 2440

C:\Windows\SysWOW64\Iapfmg32.exe (command line: C:\Windows\system32\Iapfmg32.exe; depth 29)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2148

C:\Windows\SysWOW64\Ijhkembk.exe (command line: C:\Windows\system32\Ijhkembk.exe; depth 30)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2900

C:\Windows\SysWOW64\Icbldbgi.exe (command line: C:\Windows\system32\Icbldbgi.exe; depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID: 2724

C:\Windows\SysWOW64\Ipimic32.exe (command line: C:\Windows\system32\Ipimic32.exe; depth 32)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2804

C:\Windows\SysWOW64\Jmmmbg32.exe (command line: C:\Windows\system32\Jmmmbg32.exe; depth 33)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2748

C:\Windows\SysWOW64\Jnafop32.exe (command line: C:\Windows\system32\Jnafop32.exe; depth 34)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2024

C:\Windows\SysWOW64\Jadlgjjq.exe (command line: C:\Windows\system32\Jadlgjjq.exe; depth 35)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2032

C:\Windows\SysWOW64\Jmkmlk32.exe (command line: C:\Windows\system32\Jmkmlk32.exe; depth 36)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1032

C:\Windows\SysWOW64\Kmmiaknb.exe (command line: C:\Windows\system32\Kmmiaknb.exe; depth 37)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 852

C:\Windows\SysWOW64\Kfenjq32.exe (command line: C:\Windows\system32\Kfenjq32.exe; depth 38)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1464

C:\Windows\SysWOW64\Kocodbpk.exe (command line: C:\Windows\system32\Kocodbpk.exe; depth 39)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 580

C:\Windows\SysWOW64\Lafekm32.exe (command line: C:\Windows\system32\Lafekm32.exe; depth 40)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1832

C:\Windows\SysWOW64\Ldgnmhhj.exe (command line: C:\Windows\system32\Ldgnmhhj.exe; depth 41)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 1988

C:\Windows\SysWOW64\Ldikbhfh.exe (command line: C:\Windows\system32\Ldikbhfh.exe; depth 42)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2268

C:\Windows\SysWOW64\Lnaokn32.exe (command line: C:\Windows\system32\Lnaokn32.exe; depth 43)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2060

C:\Windows\SysWOW64\Lgjcdc32.exe (command line: C:\Windows\system32\Lgjcdc32.exe; depth 44)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 1128

C:\Windows\SysWOW64\Mjmiknng.exe (command line: C:\Windows\system32\Mjmiknng.exe; depth 45)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1888

C:\Windows\SysWOW64\Mbhnpplb.exe (command line: C:\Windows\system32\Mbhnpplb.exe; depth 46)
- Executes dropped EXE
PID: 2616

C:\Windows\SysWOW64\Mlnbmikh.exe (command line: C:\Windows\system32\Mlnbmikh.exe; depth 47)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1820

C:\Windows\SysWOW64\Mbkkepio.exe (command line: C:\Windows\system32\Mbkkepio.exe; depth 48)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2220

C:\Windows\SysWOW64\Mkconepp.exe (command line: C:\Windows\system32\Mkconepp.exe; depth 49)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2480

C:\Windows\SysWOW64\Mdkcgk32.exe (command line: C:\Windows\system32\Mdkcgk32.exe; depth 50)
- Executes dropped EXE
- Modifies registry class
PID: 2040

C:\Windows\SysWOW64\Moahdd32.exe (command line: C:\Windows\system32\Moahdd32.exe; depth 51)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1716

C:\Windows\SysWOW64\Niilmi32.exe (command line: C:\Windows\system32\Niilmi32.exe; depth 52)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2980

C:\Windows\SysWOW64\Njjieace.exe (command line: C:\Windows\system32\Njjieace.exe; depth 53)
- Executes dropped EXE
- Modifies registry class
PID: 2908

C:\Windows\SysWOW64\Nccmng32.exe (command line: C:\Windows\system32\Nccmng32.exe; depth 54)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2796

C:\Windows\SysWOW64\Nnhakp32.exe (command line: C:\Windows\system32\Nnhakp32.exe; depth 55)
- Executes dropped EXE
- Modifies registry class
PID: 2696

C:\Windows\SysWOW64\Nfcfob32.exe (command line: C:\Windows\system32\Nfcfob32.exe; depth 56)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 3056

C:\Windows\SysWOW64\Nmnoll32.exe (command line: C:\Windows\system32\Nmnoll32.exe; depth 57)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2704

C:\Windows\SysWOW64\Njaoeq32.exe (command line: C:\Windows\system32\Njaoeq32.exe; depth 58)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1116

C:\Windows\SysWOW64\Npngng32.exe (command line: C:\Windows\system32\Npngng32.exe; depth 59)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1424

C:\Windows\SysWOW64\Oiglfm32.exe (command line: C:\Windows\system32\Oiglfm32.exe; depth 60)
- Executes dropped EXE
PID: 2940

C:\Windows\SysWOW64\Opqdcgib.exe (command line: C:\Windows\system32\Opqdcgib.exe; depth 61)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 3020

C:\Windows\SysWOW64\Oenmkngi.exe (command line: C:\Windows\system32\Oenmkngi.exe; depth 62)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1720

C:\Windows\SysWOW64\Opcaiggo.exe (command line: C:\Windows\system32\Opcaiggo.exe; depth 63)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2276

C:\Windows\SysWOW64\Oikeal32.exe (command line: C:\Windows\system32\Oikeal32.exe; depth 64)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2212

C:\Windows\SysWOW64\Obdjjb32.exe (command line: C:\Windows\system32\Obdjjb32.exe; depth 65)
- Executes dropped EXE
PID: 2232

C:\Windows\SysWOW64\Ohqbbi32.exe (command line: C:\Windows\system32\Ohqbbi32.exe; depth 66)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1460

C:\Windows\SysWOW64\Oaiglnih.exe (command line: C:\Windows\system32\Oaiglnih.exe; depth 67)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 928

C:\Windows\SysWOW64\Onmgeb32.exe (command line: C:\Windows\system32\Onmgeb32.exe; depth 68)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 472

C:\Windows\SysWOW64\Pjchjcmf.exe (command line: C:\Windows\system32\Pjchjcmf.exe; depth 69)
- System Location Discovery: System Language Discovery
PID: 2368

C:\Windows\SysWOW64\Pdllci32.exe (command line: C:\Windows\system32\Pdllci32.exe; depth 70)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2800

C:\Windows\SysWOW64\Pjfdpckc.exe (command line: C:\Windows\system32\Pjfdpckc.exe; depth 71)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2772

C:\Windows\SysWOW64\Pdnihiad.exe (command line: C:\Windows\system32\Pdnihiad.exe; depth 72)
PID: 2896

C:\Windows\SysWOW64\Pfmeddag.exe (command line: C:\Windows\system32\Pfmeddag.exe; depth 73)
- Modifies registry class
PID: 2144

C:\Windows\SysWOW64\Ppejmj32.exe (command line: C:\Windows\system32\Ppejmj32.exe; depth 74)
- Drops file in System32 directory
- Modifies registry class
PID: 2720

C:\Windows\SysWOW64\Pebbeq32.exe (command line: C:\Windows\system32\Pebbeq32.exe; depth 75)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2496

C:\Windows\SysWOW64\Pojgnf32.exe (command line: C:\Windows\system32\Pojgnf32.exe; depth 76)
- System Location Discovery: System Language Discovery
PID: 908

C:\Windows\SysWOW64\Pipklo32.exe (command line: C:\Windows\system32\Pipklo32.exe; depth 77)
PID: 2120

C:\Windows\SysWOW64\Qomcdf32.exe (command line: C:\Windows\system32\Qomcdf32.exe; depth 78)
PID: 1492

C:\Windows\SysWOW64\Qkcdigpa.exe (command line: C:\Windows\system32\Qkcdigpa.exe; depth 79)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 3052

C:\Windows\SysWOW64\Qdlialfb.exe (command line: C:\Windows\system32\Qdlialfb.exe; depth 80)
- System Location Discovery: System Language Discovery
PID: 2404

C:\Windows\SysWOW64\Aoamoefh.exe (command line: C:\Windows\system32\Aoamoefh.exe; depth 81)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1468

C:\Windows\SysWOW64\Agmacgcc.exe (command line: C:\Windows\system32\Agmacgcc.exe; depth 82)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2336

C:\Windows\SysWOW64\Aabfqp32.exe (command line: C:\Windows\system32\Aabfqp32.exe; depth 83)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 772

C:\Windows\SysWOW64\Apgcbmha.exe (command line: C:\Windows\system32\Apgcbmha.exe; depth 84)
- Modifies registry class
PID: 456

C:\Windows\SysWOW64\Agakog32.exe (command line: C:\Windows\system32\Agakog32.exe; depth 85)
- Modifies registry class
PID: 2484

C:\Windows\SysWOW64\Aefhpc32.exe (command line: C:\Windows\system32\Aefhpc32.exe; depth 86)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1960

C:\Windows\SysWOW64\Bfieec32.exe (command line: C:\Windows\system32\Bfieec32.exe; depth 87)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 3068

C:\Windows\SysWOW64\Boainhic.exe (command line: C:\Windows\system32\Boainhic.exe; depth 88)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 432

C:\Windows\SysWOW64\Bjgmka32.exe (command line: C:\Windows\system32\Bjgmka32.exe; depth 89)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2824

C:\Windows\SysWOW64\Bcobdgoj.exe (command line: C:\Windows\system32\Bcobdgoj.exe; depth 90)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2928

C:\Windows\SysWOW64\Bhljlnma.exe (command line: C:\Windows\system32\Bhljlnma.exe; depth 91)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3012

C:\Windows\SysWOW64\Bbdoec32.exe (command line: C:\Windows\system32\Bbdoec32.exe; depth 92)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2396

C:\Windows\SysWOW64\Bkmcni32.exe (command line: C:\Windows\system32\Bkmcni32.exe; depth 93)
- Modifies registry class
PID: 3004

C:\Windows\SysWOW64\Ckopch32.exe (command line: C:\Windows\system32\Ckopch32.exe; depth 94)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1208

C:\Windows\SysWOW64\Cbihpbpl.exe (command line: C:\Windows\system32\Cbihpbpl.exe; depth 95)
- System Location Discovery: System Language Discovery
PID: 2252

C:\Windows\SysWOW64\Ccmanjch.exe (command line: C:\Windows\system32\Ccmanjch.exe; depth 96)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2392

C:\Windows\SysWOW64\Cocbbk32.exe (command line: C:\Windows\system32\Cocbbk32.exe; depth 97)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 964

C:\Windows\SysWOW64\Cmgblphf.exe (command line: C:\Windows\system32\Cmgblphf.exe; depth 98)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1696

C:\Windows\SysWOW64\Cbdkdffm.exe (command line: C:\Windows\system32\Cbdkdffm.exe; depth 99)
- Modifies registry class
PID: 1676

C:\Windows\SysWOW64\Cjkcedgp.exe (command line: C:\Windows\system32\Cjkcedgp.exe; depth 100)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2400

C:\Windows\SysWOW64\Cmjoaofc.exe (command line: C:\Windows\system32\Cmjoaofc.exe; depth 101)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2504

C:\Windows\SysWOW64\Dfbdje32.exe (command line: C:\Windows\system32\Dfbdje32.exe; depth 102)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2160

C:\Windows\SysWOW64\Dippfplg.exe (command line: C:\Windows\system32\Dippfplg.exe; depth 103)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2828

C:\Windows\SysWOW64\Dnmhogjo.exe (command line: C:\Windows\system32\Dnmhogjo.exe; depth 104)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1620

C:\Windows\SysWOW64\Eccdmmpk.exe (command line: C:\Windows\system32\Eccdmmpk.exe; depth 105)
- System Location Discovery: System Language Discovery
PID: 2588

C:\Windows\SysWOW64\Efdmohmm.exe (command line: C:\Windows\system32\Efdmohmm.exe; depth 106)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1612

C:\Windows\SysWOW64\Elcbmn32.exe (command line: C:\Windows\system32\Elcbmn32.exe; depth 107)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2788

C:\Windows\SysWOW64\Epakcm32.exe (command line: C:\Windows\system32\Epakcm32.exe; depth 108)
- System Location Discovery: System Language Discovery
PID: 708

C:\Windows\SysWOW64\Ebpgoh32.exe (command line: C:\Windows\system32\Ebpgoh32.exe; depth 109)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1688

C:\Windows\SysWOW64\Flhkhnel.exe (command line: C:\Windows\system32\Flhkhnel.exe; depth 110)
- System Location Discovery: System Language Discovery
PID: 1180

C:\Windows\SysWOW64\Faedpdcc.exe (command line: C:\Windows\system32\Faedpdcc.exe; depth 111)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2632

C:\Windows\SysWOW64\Fljhmmci.exe (command line: C:\Windows\system32\Fljhmmci.exe; depth 112)
- Modifies registry class
PID: 1600

C:\Windows\SysWOW64\Fagqed32.exe (command line: C:\Windows\system32\Fagqed32.exe; depth 113)
- Modifies registry class
PID: 2000

C:\Windows\SysWOW64\Fokaoh32.exe (command line: C:\Windows\system32\Fokaoh32.exe; depth 114)
- Modifies registry class
PID: 2684

C:\Windows\SysWOW64\Fhcehngk.exe (command line: C:\Windows\system32\Fhcehngk.exe; depth 115)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 516

C:\Windows\SysWOW64\Fgibijkb.exe (command line: C:\Windows\system32\Fgibijkb.exe; depth 116)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1732

C:\Windows\SysWOW64\Fangfcki.exe (command line: C:\Windows\system32\Fangfcki.exe; depth 117)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2500

C:\Windows\SysWOW64\Gcocnk32.exe (command line: C:\Windows\system32\Gcocnk32.exe; depth 118)
- System Location Discovery: System Language Discovery
PID: 1748

C:\Windows\SysWOW64\Giikkehc.exe (command line: C:\Windows\system32\Giikkehc.exe; depth 119)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2272

C:\Windows\SysWOW64\Ggmldj32.exe (command line: C:\Windows\system32\Ggmldj32.exe; depth 120)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 676

C:\Windows\SysWOW64\Gohqhl32.exe (command line: C:\Windows\system32\Gohqhl32.exe; depth 121)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2620

C:\Windows\SysWOW64\Ginefe32.exe (command line: C:\Windows\system32\Ginefe32.exe; depth 122)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 932