Analysis
max time kernel: 47s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23/07/2024, 23:45
Static task: static1
Behavioral task: behavioral1
  Sample: 83ba2710549dc89121341fafd84d79b98b9858f782d115b6a759d10215a50ca9.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 83ba2710549dc89121341fafd84d79b98b9858f782d115b6a759d10215a50ca9.exe
  Resource: win10v2004-20240709-en
General
Target: 83ba2710549dc89121341fafd84d79b98b9858f782d115b6a759d10215a50ca9.exe
Size: 77KB
MD5: bff36cf92f0aff642423a37848fd476f
SHA1: 9260d5bd712e0678b4dd4d03cbf28873604bad37
SHA256: 83ba2710549dc89121341fafd84d79b98b9858f782d115b6a759d10215a50ca9
SHA512: 8165af8d9d3c4e43a7d5fbb037c46b257fdcd37bdb3a2a1995826e8cedbb20411efa303f81c083d7709ca327b800bcf8fca13e2408618521a70861babf4e7842
SSDEEP: 1536:9wwHjzmp9SD9a+91dErYp8G62Lt0wfi+TjRC/D:9hH6frYp6wf1TjYD
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mghjcq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmnjgo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clqjblij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dibjec32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gddppp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipcjlaqd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mphhbblp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dohiefpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hffpiikm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkkkgkla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Giiibqdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kchhholk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amjmpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckhdihlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkjbcl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnpbinoe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fahdja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oejfelin.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eaoadb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmhgjahb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omaepoml.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dohiefpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Doclijgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iopqoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eehpoaaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehpjmoio.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nndkdn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbbedqcc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oogdiqki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adaeai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fcfjik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klnpke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccikghel.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aebllocg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbiadm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhlgaedj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnipilbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfbqol32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmappn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcaankpf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Giiibqdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jaklei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Foencfda.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgjpijjb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbomdjoo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiohob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fliefa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfobndnj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phcbmend.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpdeghgk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecdkgg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epmdljal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acncngpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bojmogak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Begegn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmnkqcem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgelbhmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmpckbci.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnahoh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eeecibci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfaachpa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Janijh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohjofgfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhhfbd32.exe
Executes dropped EXE (64 IoCs)
pid | Process
3040 | Omaepoml.exe
2308 | Odknmi32.exe
2724 | Ohifch32.exe
2672 | Oijbkpqm.exe
2988 | Ogncddpg.exe
2680 | Opghmjfg.exe
108 | Plnhbk32.exe
952 | Pgcmoc32.exe
2428 | Phdiglap.exe
556 | Pcjmdd32.exe
2888 | Pkebig32.exe
2924 | Pdnfalea.exe
3008 | Pockoeeg.exe
1368 | Pgnpcg32.exe
3068 | Qhnlmjie.exe
2412 | Qnkdeagl.exe
2380 | Qddmbkoi.exe
2372 | Qkoeoe32.exe
564 | Qmpafnld.exe
2064 | Acjjch32.exe
760 | Anonqq32.exe
2020 | Afjbecqb.exe
1460 | Acncngpl.exe
2492 | Abacjd32.exe
1808 | Akjhcimg.exe
2288 | Akldhi32.exe
2240 | Aediaoae.exe
2788 | Bojmogak.exe
2832 | Begegn32.exe
2600 | Bibagmhk.exe
2764 | Bamfloef.exe
2640 | Bclbhkdj.exe
2172 | Bekobn32.exe
2664 | Babpgo32.exe
2908 | Bcqlcj32.exe
2880 | Bfohoe32.exe
2920 | Bimdka32.exe
3016 | Cmkmao32.exe
1236 | Cibnfpjg.exe
1300 | Cmnjgo32.exe
2212 | Clqjblij.exe
2352 | Clcghk32.exe
3004 | Cekkaanh.exe
392 | Ciggap32.exe
2360 | Ckhdihlp.exe
1776 | Cocpjf32.exe
3044 | Cablfb32.exe
2336 | Cdphbm32.exe
2324 | Chldbl32.exe
1552 | Ckjqog32.exe
768 | Dmimkc32.exe
2720 | Dadikaaj.exe
2852 | Ddbegmqm.exe
2732 | Dfaachpa.exe
2564 | Dohiefpc.exe
1476 | Dafeaapg.exe
2180 | Dpifln32.exe
2440 | Dhqnnk32.exe
2856 | Dibjec32.exe
2276 | Dmmffbek.exe
2340 | Dplbbndo.exe
2456 | Dbjonicb.exe
2416 | Dgfkoh32.exe
3012 | Dmpckbci.exe
Loads dropped DLL (64 IoCs)
pid | Process
2260 | 83ba2710549dc89121341fafd84d79b98b9858f782d115b6a759d10215a50ca9.exe
2260 | 83ba2710549dc89121341fafd84d79b98b9858f782d115b6a759d10215a50ca9.exe
3040 | Omaepoml.exe
3040 | Omaepoml.exe
2308 | Odknmi32.exe
2308 | Odknmi32.exe
2724 | Ohifch32.exe
2724 | Ohifch32.exe
2672 | Oijbkpqm.exe
2672 | Oijbkpqm.exe
2988 | Ogncddpg.exe
2988 | Ogncddpg.exe
2680 | Opghmjfg.exe
2680 | Opghmjfg.exe
108 | Plnhbk32.exe
108 | Plnhbk32.exe
952 | Pgcmoc32.exe
952 | Pgcmoc32.exe
2428 | Phdiglap.exe
2428 | Phdiglap.exe
556 | Pcjmdd32.exe
556 | Pcjmdd32.exe
2888 | Pkebig32.exe
2888 | Pkebig32.exe
2924 | Pdnfalea.exe
2924 | Pdnfalea.exe
3008 | Pockoeeg.exe
3008 | Pockoeeg.exe
1368 | Pgnpcg32.exe
1368 | Pgnpcg32.exe
3068 | Qhnlmjie.exe
3068 | Qhnlmjie.exe
2412 | Qnkdeagl.exe
2412 | Qnkdeagl.exe
2380 | Qddmbkoi.exe
2380 | Qddmbkoi.exe
2372 | Qkoeoe32.exe
2372 | Qkoeoe32.exe
564 | Qmpafnld.exe
564 | Qmpafnld.exe
2064 | Acjjch32.exe
2064 | Acjjch32.exe
760 | Anonqq32.exe
760 | Anonqq32.exe
2020 | Afjbecqb.exe
2020 | Afjbecqb.exe
1460 | Acncngpl.exe
1460 | Acncngpl.exe
2492 | Abacjd32.exe
2492 | Abacjd32.exe
1584 | Aebllocg.exe
1584 | Aebllocg.exe
2288 | Akldhi32.exe
2288 | Akldhi32.exe
2240 | Aediaoae.exe
2240 | Aediaoae.exe
2788 | Bojmogak.exe
2788 | Bojmogak.exe
2832 | Begegn32.exe
2832 | Begegn32.exe
2600 | Bibagmhk.exe
2600 | Bibagmhk.exe
2764 | Bamfloef.exe
2764 | Bamfloef.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Oiikjkdg.dll | Hhaogp32.exe
File opened for modification | C:\Windows\SysWOW64\Mqqolfik.exe | Mnbbpkjg.exe
File created | C:\Windows\SysWOW64\Cmkmao32.exe | Bimdka32.exe
File opened for modification | C:\Windows\SysWOW64\Haggkf32.exe | Hilbfc32.exe
File opened for modification | C:\Windows\SysWOW64\Gninpg32.exe | Gkjbcl32.exe
File created | C:\Windows\SysWOW64\Kpoegc32.exe | Klcjfdqi.exe
File created | C:\Windows\SysWOW64\Cmappn32.exe | Cjbccb32.exe
File created | C:\Windows\SysWOW64\Odknmi32.exe | Omaepoml.exe
File created | C:\Windows\SysWOW64\Eoeiniea.exe | Epchbm32.exe
File created | C:\Windows\SysWOW64\Odeiddnh.dll | Hbmpoj32.exe
File opened for modification | C:\Windows\SysWOW64\Fobamgfd.exe | Fldeakgp.exe
File opened for modification | C:\Windows\SysWOW64\Amjmpk32.exe | Akiahcik.exe
File created | C:\Windows\SysWOW64\Eddgaj32.exe | Elmoqlmh.exe
File created | C:\Windows\SysWOW64\Pijhompm.exe | Pdmpgfae.exe
File opened for modification | C:\Windows\SysWOW64\Aopcnbfj.exe | Akdgmd32.exe
File opened for modification | C:\Windows\SysWOW64\Fliefa32.exe | Fnfekdpl.exe
File created | C:\Windows\SysWOW64\Efahad32.dll | Giiibqdp.exe
File created | C:\Windows\SysWOW64\Hmbdlc32.exe | Hjdhpg32.exe
File created | C:\Windows\SysWOW64\Lodbhp32.exe | Kfknpj32.exe
File created | C:\Windows\SysWOW64\Pfgkdg32.dll | Omqnfiip.exe
File created | C:\Windows\SysWOW64\Ckjqog32.exe | Chldbl32.exe
File created | C:\Windows\SysWOW64\Fcaankpf.exe | Flgiaa32.exe
File created | C:\Windows\SysWOW64\Bamnjpji.dll | Jodfilko.exe
File created | C:\Windows\SysWOW64\Bgmngpci.dll | Cmappn32.exe
File opened for modification | C:\Windows\SysWOW64\Gmdapoil.exe | Gnaadb32.exe
File opened for modification | C:\Windows\SysWOW64\Dmbpaa32.exe | Dekgpdqc.exe
File opened for modification | C:\Windows\SysWOW64\Hbomdjoo.exe | Hpaaho32.exe
File created | C:\Windows\SysWOW64\Qaibiqdo.dll | Hidledja.exe
File created | C:\Windows\SysWOW64\Memghn32.dll | Gceghn32.exe
File created | C:\Windows\SysWOW64\Eehkba32.dll | Elmoqlmh.exe
File created | C:\Windows\SysWOW64\Acjjch32.exe | Qmpafnld.exe
File created | C:\Windows\SysWOW64\Oapemdml.dll | Famhqclj.exe
File created | C:\Windows\SysWOW64\Nmlekj32.exe | Nhombc32.exe
File created | C:\Windows\SysWOW64\Opmnle32.exe | Oicfpkci.exe
File created | C:\Windows\SysWOW64\Ehkadjdg.dll | Qljaah32.exe
File created | C:\Windows\SysWOW64\Olhdcnjn.dll | Eobenc32.exe
File created | C:\Windows\SysWOW64\Gbecce32.exe | Gkkkgkla.exe
File created | C:\Windows\SysWOW64\Hfakec32.dll | Pgnpcg32.exe
File created | C:\Windows\SysWOW64\Jpidah32.dll | Ciggap32.exe
File created | C:\Windows\SysWOW64\Dgmnqggl.dll | Edgkap32.exe
File created | C:\Windows\SysWOW64\Lnipilbb.exe | Lhlgaedj.exe
File created | C:\Windows\SysWOW64\Oceoec32.dll | Oijlpjma.exe
File created | C:\Windows\SysWOW64\Adhbkj32.exe | Qcgfcbbh.exe
File created | C:\Windows\SysWOW64\Aelpph32.dll | Adaeai32.exe
File created | C:\Windows\SysWOW64\Diaimceg.dll | Qddmbkoi.exe
File opened for modification | C:\Windows\SysWOW64\Fnfekdpl.exe | Ffomjgoj.exe
File created | C:\Windows\SysWOW64\Ammjekmg.exe | Ajnnipnc.exe
File created | C:\Windows\SysWOW64\Bmogkkkd.exe | Bfeonq32.exe
File opened for modification | C:\Windows\SysWOW64\Faegda32.exe | Fklohgie.exe
File created | C:\Windows\SysWOW64\Abcpho32.dll | Ppmjkhma.exe
File created | C:\Windows\SysWOW64\Ppacfg32.exe | Pigkjmap.exe
File created | C:\Windows\SysWOW64\Fjkmfp32.dll | Lbghpjih.exe
File created | C:\Windows\SysWOW64\Dolondiq.exe | Dhagaj32.exe
File opened for modification | C:\Windows\SysWOW64\Foencfda.exe | Fhkffl32.exe
File opened for modification | C:\Windows\SysWOW64\Gcnjmi32.exe | Gmdapoil.exe
File opened for modification | C:\Windows\SysWOW64\Cablfb32.exe | Cocpjf32.exe
File created | C:\Windows\SysWOW64\Dmimkc32.exe | Ckjqog32.exe
File created | C:\Windows\SysWOW64\Dfaachpa.exe | Ddbegmqm.exe
File created | C:\Windows\SysWOW64\Hgebjfnh.dll | Mbiadm32.exe
File created | C:\Windows\SysWOW64\Glaejokn.exe | Fjchnclk.exe
File opened for modification | C:\Windows\SysWOW64\Ohifch32.exe | Odknmi32.exe
File created | C:\Windows\SysWOW64\Pbqaha32.dll | Cjbccb32.exe
File opened for modification | C:\Windows\SysWOW64\Mcokhaho.exe | Mqqolfik.exe
File created | C:\Windows\SysWOW64\Fedqdl32.dll | Pagmjlhj.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4468 | 4416 | WerFault.exe | 426
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eoeiniea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljbmdmfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mloigc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bojmogak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfjhippb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dadikaaj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnpbinoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndfmgdeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Haldgbkc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddmaak32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Holqbipe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbghpjih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oijbkpqm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fliefa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gninpg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kkmddmop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acncngpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bimdka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mqqolfik.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ammjekmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ifhacfhj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Doibhekc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eohedi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ffomjgoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckhdihlp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Janijh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dolondiq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iehejc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhpflblk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikinjj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Belhem32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inqjbhhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abacjd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdlplb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lcjamb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ppmjkhma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqjcli32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmbdlc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhombc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fnfekdpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fccncknc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ffdgef32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkhenlcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 83ba2710549dc89121341fafd84d79b98b9858f782d115b6a759d10215a50ca9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Miciqgqn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clhifj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekofijic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emhbop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jokccnci.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkfqbgni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epkhfkco.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfaachpa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nannejni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbnkomel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Faegda32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eacnpoqi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eehpoaaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khlkba32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndadld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qddmbkoi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqgjlb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lodbhp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qoimmc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgfkoh32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmnkn32.dll" | Mjkpjkni.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Akdgmd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Edpnfjap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Acjjch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dmpckbci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dekgpdqc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ehpjmoio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcokhaho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annhoa32.dll" | Gddppp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Haggkf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ckkjmf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjpgnbol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gbhpidak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elbbcn32.dll" | Ekofijic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mjkpjkni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadbgo32.dll" | Pmlajm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnncm32.dll" | Ccmdbg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gflfidpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkegdfnd.dll" | Aopcnbfj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfeonq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eklbid32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdnfalea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cablfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epchbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pigkjmap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pijhompm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmdgdnq.dll" | Gggihhkd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkpacaoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbnejok.dll" | Fobamgfd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Phdiglap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bekobn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlieh32.dll" | Ibfcei32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ikinjj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Joomnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eojbii32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eljihn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnogne32.dll" | Haggkf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oijlpjma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oaeqeljm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pagmjlhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pdfifg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afjbecqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhohclgg.dll" | Dmpckbci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ehechn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcipmq32.dll" | Lhlgaedj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfnep32.dll" | Nnpbinoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abcpho32.dll" | Ppmjkhma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgejjgag.dll" | Deckeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifejlfm.dll" | Jokccnci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nhombc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Agpamd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmkmao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljekog32.dll" | Ejfpofkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhodgebh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mghjcq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnghjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Acbigfii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dbjonicb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Edenlp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kaeokg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgbnkf32.dll" | Emmljodk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagfmnle.dll" | Pofqhdnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ifhacfhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdndmmmb.dll" | Gbbnkfjq.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\83ba2710549dc89121341fafd84d79b98b9858f782d115b6a759d10215a50ca9.exe"C:\Users\Admin\AppData\Local\Temp\83ba2710549dc89121341fafd84d79b98b9858f782d115b6a759d10215a50ca9.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Omaepoml.exeC:\Windows\system32\Omaepoml.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Odknmi32.exeC:\Windows\system32\Odknmi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Ohifch32.exeC:\Windows\system32\Ohifch32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Oijbkpqm.exeC:\Windows\system32\Oijbkpqm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ogncddpg.exeC:\Windows\system32\Ogncddpg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Opghmjfg.exeC:\Windows\system32\Opghmjfg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Plnhbk32.exeC:\Windows\system32\Plnhbk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108 -
C:\Windows\SysWOW64\Pgcmoc32.exeC:\Windows\system32\Pgcmoc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Phdiglap.exeC:\Windows\system32\Phdiglap.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Pcjmdd32.exeC:\Windows\system32\Pcjmdd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Pkebig32.exeC:\Windows\system32\Pkebig32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Pdnfalea.exeC:\Windows\system32\Pdnfalea.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Pockoeeg.exeC:\Windows\system32\Pockoeeg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Pgnpcg32.exeC:\Windows\system32\Pgnpcg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Qhnlmjie.exeC:\Windows\system32\Qhnlmjie.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Qnkdeagl.exeC:\Windows\system32\Qnkdeagl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Qddmbkoi.exeC:\Windows\system32\Qddmbkoi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Qkoeoe32.exeC:\Windows\system32\Qkoeoe32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Qmpafnld.exeC:\Windows\system32\Qmpafnld.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Acjjch32.exeC:\Windows\system32\Acjjch32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Anonqq32.exeC:\Windows\system32\Anonqq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760 -
C:\Windows\SysWOW64\Afjbecqb.exeC:\Windows\system32\Afjbecqb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Acncngpl.exeC:\Windows\system32\Acncngpl.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Windows\SysWOW64\Abacjd32.exeC:\Windows\system32\Abacjd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Akjhcimg.exeC:\Windows\system32\Akjhcimg.exe26⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Aebllocg.exeC:\Windows\system32\Aebllocg.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Akldhi32.exeC:\Windows\system32\Akldhi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Aediaoae.exeC:\Windows\system32\Aediaoae.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Bojmogak.exeC:\Windows\system32\Bojmogak.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Begegn32.exeC:\Windows\system32\Begegn32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Bibagmhk.exeC:\Windows\system32\Bibagmhk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Bamfloef.exeC:\Windows\system32\Bamfloef.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Bclbhkdj.exeC:\Windows\system32\Bclbhkdj.exe34⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Bekobn32.exeC:\Windows\system32\Bekobn32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Babpgo32.exeC:\Windows\system32\Babpgo32.exe36⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Bcqlcj32.exeC:\Windows\system32\Bcqlcj32.exe37⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Bfohoe32.exeC:\Windows\system32\Bfohoe32.exe38⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Bimdka32.exeC:\Windows\system32\Bimdka32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Cmkmao32.exeC:\Windows\system32\Cmkmao32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Cibnfpjg.exeC:\Windows\system32\Cibnfpjg.exe41⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Cmnjgo32.exeC:\Windows\system32\Cmnjgo32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Clqjblij.exeC:\Windows\system32\Clqjblij.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Clcghk32.exeC:\Windows\system32\Clcghk32.exe44⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Cekkaanh.exeC:\Windows\system32\Cekkaanh.exe45⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Ciggap32.exeC:\Windows\system32\Ciggap32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:392 -
C:\Windows\SysWOW64\Ckhdihlp.exeC:\Windows\system32\Ckhdihlp.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Cocpjf32.exeC:\Windows\system32\Cocpjf32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Cablfb32.exeC:\Windows\system32\Cablfb32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Cdphbm32.exeC:\Windows\system32\Cdphbm32.exe50⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Chldbl32.exeC:\Windows\system32\Chldbl32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Ckjqog32.exeC:\Windows\system32\Ckjqog32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Dmimkc32.exeC:\Windows\system32\Dmimkc32.exe53⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Dadikaaj.exeC:\Windows\system32\Dadikaaj.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Ddbegmqm.exeC:\Windows\system32\Ddbegmqm.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Dfaachpa.exeC:\Windows\system32\Dfaachpa.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Dohiefpc.exeC:\Windows\system32\Dohiefpc.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Dafeaapg.exeC:\Windows\system32\Dafeaapg.exe58⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Dpifln32.exeC:\Windows\system32\Dpifln32.exe59⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Dhqnnk32.exeC:\Windows\system32\Dhqnnk32.exe60⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Dibjec32.exeC:\Windows\system32\Dibjec32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Dmmffbek.exeC:\Windows\system32\Dmmffbek.exe62⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Dplbbndo.exeC:\Windows\system32\Dplbbndo.exe63⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Dbjonicb.exeC:\Windows\system32\Dbjonicb.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Dgfkoh32.exeC:\Windows\system32\Dgfkoh32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Dmpckbci.exeC:\Windows\system32\Dmpckbci.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Dpnogmbl.exeC:\Windows\system32\Dpnogmbl.exe67⤵PID:1784
-
C:\Windows\SysWOW64\Dcmkciap.exeC:\Windows\system32\Dcmkciap.exe68⤵PID:1304
-
C:\Windows\SysWOW64\Dekgpdqc.exeC:\Windows\system32\Dekgpdqc.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Dmbpaa32.exeC:\Windows\system32\Dmbpaa32.exe70⤵PID:2812
-
C:\Windows\SysWOW64\Doclijgd.exeC:\Windows\system32\Doclijgd.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032 -
C:\Windows\SysWOW64\Eemded32.exeC:\Windows\system32\Eemded32.exe72⤵PID:2708
-
C:\Windows\SysWOW64\Ehlqao32.exeC:\Windows\system32\Ehlqao32.exe73⤵PID:2804
-
C:\Windows\SysWOW64\Epchbm32.exeC:\Windows\system32\Epchbm32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Eoeiniea.exeC:\Windows\system32\Eoeiniea.exe75⤵
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Eepakc32.exeC:\Windows\system32\Eepakc32.exe76⤵PID:2512
-
C:\Windows\SysWOW64\Eljihn32.exeC:\Windows\system32\Eljihn32.exe77⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Eohedi32.exeC:\Windows\system32\Eohedi32.exe78⤵
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Edenlp32.exeC:\Windows\system32\Edenlp32.exe79⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Ehpjmoio.exeC:\Windows\system32\Ehpjmoio.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Ekofijic.exeC:\Windows\system32\Ekofijic.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Eojbii32.exeC:\Windows\system32\Eojbii32.exe82⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Eedjfchi.exeC:\Windows\system32\Eedjfchi.exe83⤵PID:920
-
C:\Windows\SysWOW64\Edgkap32.exeC:\Windows\system32\Edgkap32.exe84⤵
- Drops file in System32 directory
PID:652 -
C:\Windows\SysWOW64\Eomoohoi.exeC:\Windows\system32\Eomoohoi.exe85⤵PID:1576
-
C:\Windows\SysWOW64\Enpoje32.exeC:\Windows\system32\Enpoje32.exe86⤵PID:2028
-
C:\Windows\SysWOW64\Ediggoma.exeC:\Windows\system32\Ediggoma.exe87⤵PID:2716
-
C:\Windows\SysWOW64\Ehechn32.exeC:\Windows\system32\Ehechn32.exe88⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Ejfpofkh.exeC:\Windows\system32\Ejfpofkh.exe89⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Famhqclj.exeC:\Windows\system32\Famhqclj.exe90⤵
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Fcodhl32.exeC:\Windows\system32\Fcodhl32.exe91⤵PID:2940
-
C:\Windows\SysWOW64\Fgjpijjb.exeC:\Windows\system32\Fgjpijjb.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Fndhed32.exeC:\Windows\system32\Fndhed32.exe93⤵PID:2892
-
C:\Windows\SysWOW64\Flgiaa32.exeC:\Windows\system32\Flgiaa32.exe94⤵
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Fcaankpf.exeC:\Windows\system32\Fcaankpf.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1324 -
C:\Windows\SysWOW64\Ffomjgoj.exeC:\Windows\system32\Ffomjgoj.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Fnfekdpl.exeC:\Windows\system32\Fnfekdpl.exe97⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Fliefa32.exeC:\Windows\system32\Fliefa32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Fccncknc.exeC:\Windows\system32\Fccncknc.exe99⤵
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\Fgojdj32.exeC:\Windows\system32\Fgojdj32.exe100⤵PID:872
-
C:\Windows\SysWOW64\Fjmfpe32.exeC:\Windows\system32\Fjmfpe32.exe101⤵PID:1320
-
C:\Windows\SysWOW64\Fhpflblk.exeC:\Windows\system32\Fhpflblk.exe102⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Fqgnmo32.exeC:\Windows\system32\Fqgnmo32.exe103⤵PID:2728
-
C:\Windows\SysWOW64\Fcfjik32.exeC:\Windows\system32\Fcfjik32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Ffdgef32.exeC:\Windows\system32\Ffdgef32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Fhbcaa32.exeC:\Windows\system32\Fhbcaa32.exe106⤵PID:2848
-
C:\Windows\SysWOW64\Fkaomm32.exeC:\Windows\system32\Fkaomm32.exe107⤵PID:1648
-
C:\Windows\SysWOW64\Folknlae.exeC:\Windows\system32\Folknlae.exe108⤵PID:984
-
C:\Windows\SysWOW64\Fffckf32.exeC:\Windows\system32\Fffckf32.exe109⤵PID:2128
-
C:\Windows\SysWOW64\Fiepga32.exeC:\Windows\system32\Fiepga32.exe110⤵PID:2524
-
C:\Windows\SysWOW64\Gkclcm32.exeC:\Windows\system32\Gkclcm32.exe111⤵PID:1048
-
C:\Windows\SysWOW64\Gnahoh32.exeC:\Windows\system32\Gnahoh32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Gdlplb32.exeC:\Windows\system32\Gdlplb32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Ggjmhn32.exeC:\Windows\system32\Ggjmhn32.exe114⤵PID:940
-
C:\Windows\SysWOW64\Goadik32.exeC:\Windows\system32\Goadik32.exe115⤵PID:2576
-
C:\Windows\SysWOW64\Gqbaqccn.exeC:\Windows\system32\Gqbaqccn.exe116⤵PID:3032
-
C:\Windows\SysWOW64\Giiibqdp.exeC:\Windows\system32\Giiibqdp.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Gkhenlcd.exeC:\Windows\system32\Gkhenlcd.exe118⤵
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Gbbnkfjq.exeC:\Windows\system32\Gbbnkfjq.exe119⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Gepjgaid.exeC:\Windows\system32\Gepjgaid.exe120⤵PID:2084
-
C:\Windows\SysWOW64\Gkjbcl32.exeC:\Windows\system32\Gkjbcl32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Gninpg32.exeC:\Windows\system32\Gninpg32.exe122⤵
- System Location Discovery: System Language Discovery
PID:1580