Analysis
max time kernel: 116s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25/07/2024, 14:06

Static task: static1
Behavioral task: behavioral1
  Sample: d6f00b3fd1f3362533264958b9744130N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: d6f00b3fd1f3362533264958b9744130N.exe
  Resource: win10v2004-20240709-en

General
Target: d6f00b3fd1f3362533264958b9744130N.exe
Size: 136KB
MD5: d6f00b3fd1f3362533264958b9744130
SHA1: 6f3d7788de4fd36849d77ab032fdf0194f971d3c
SHA256: 0be5931de1eae9cfe3d325314443a23e6deffa2006624aa57c2ed4e6b8437c7a
SHA512: 90ef02416011e3cbb36476619e7c3598a51639e1524037c37d5edec90ce93b20d6ce1601a6c95d0e18663412227f4bccd519620d292fa23c90dd36ec7fd6cd8d
SSDEEP: 1536:M2GTGMKt2y69UUg5g88HDpL9R3HnYlp9H3A3Ujz0cZ44mjD9r823FQ75/DtXh:vzRN69UTiB7HnYlf3A1i/mjRrz3OT
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 rows are under the key \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the report prints it as ...\Software\... in "Key created" rows). "Set value (str)" rows write the value shown under that key.
description | Process
Key created | Dcohih32.exe
Key created | Amjmpk32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cahbem32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gbhpidak.exe
Key created | Qhnlmjie.exe
Key created | Henipenb.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jibdff32.exe
Key created | Dbbacdfo.exe
Key created | Eklbid32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gknhlj32.exe
Key created | Adgihkmf.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ekofijic.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ieepad32.exe
Key created | Kpoegc32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hjeacf32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hekfpo32.exe
Key created | Cmnjgo32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qmpafnld.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjgfol32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njklioqd.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ppmjkhma.exe
Key created | Epkhfkco.exe
Key created | Faanibeh.exe
Key created | Pamnpahp.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lnklol32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qoimmc32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hggegknp.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gjpodhfi.exe
Key created | Joomnm32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Opmnle32.exe
Key created | Hiahfo32.exe
Key created | Badlln32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Daibfa32.exe
Key created | Ekcpdi32.exe
Key created | Fmlblq32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hjbljh32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlodma32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bblocaik.exe
Key created | Dfnncb32.exe
Key created | Cplfcj32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Camlpldf.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ejfpofkh.exe
Key created | Akiahcik.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oaaklmao.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fgjpijjb.exe
Key created | Oiebej32.exe
Key created | Fdfpfm32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bapcaocc.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ambnlmja.exe
Key created | Gaigab32.exe
Key created | Ianmke32.exe
Key created | Nannejni.exe
Key created | Pgfbhb32.exe
Key created | Ckkjmf32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fahdja32.exe
Key created | Afhfpc32.exe
Key created | Gfobndnj.exe
Key created | Hafppp32.exe
Key created | Gflfidpl.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdphbm32.exe
Key created | Gplgmodq.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Belhem32.exe
Key created | Hggegknp.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afjbecqb.exe
Executes dropped EXE (64 IoCs)
pid | Process
2756 | Ohifch32.exe
2320 | Omfoko32.exe
2708 | Omfoko32.exe
2836 | Oaaklmao.exe
2728 | Olklmk32.exe
2704 | Oecpeqdo.exe
2584 | Plnhbk32.exe
1632 | Poldnf32.exe
1744 | Pcgqoech.exe
888 | Plpehj32.exe
2628 | Pamnpahp.exe
2636 | Plbbmjhf.exe
904 | Paojeafn.exe
1856 | Phibbk32.exe
2232 | Pdpcgl32.exe
2088 | Pkjkdfjk.exe
2108 | Pqfdlmic.exe
2084 | Qhnlmjie.exe
1996 | Qjoheb32.exe
2132 | Qnkdeagl.exe
2524 | Qddmbkoi.exe
832 | Qkoeoe32.exe
1376 | Qmpafnld.exe
2012 | Adgihkmf.exe
316 | Afhfpc32.exe
1552 | Ambnlmja.exe
1056 | Afjbecqb.exe
2660 | Aiioanpf.exe
2572 | Acncngpl.exe
2772 | Ajhkka32.exe
2764 | Aoedch32.exe
2632 | Abcppcdc.exe
440 | Amidmldj.exe
2428 | Aogqihcm.exe
556 | Aediaoae.exe
1648 | Bgbemjqh.exe
2952 | Bbhikcpn.exe
2984 | Bibagmhk.exe
1232 | Bnojpdfb.exe
2128 | Bamfloef.exe
2416 | Bggohi32.exe
1624 | Bnagecdp.exe
3004 | Bapcaocc.exe
1244 | Bfmlif32.exe
1700 | Bjhgjdjd.exe
2152 | Bglhcihn.exe
524 | Bjjdpdga.exe
2224 | Badlln32.exe
708 | Bpgmhkfi.exe
2824 | Cfaedeme.exe
2780 | Cjmaed32.exe
2656 | Clnmmlkm.exe
2752 | Cbhejf32.exe
2640 | Cefbfa32.exe
2268 | Cmnjgo32.exe
2180 | Cplfcj32.exe
2928 | Coofoghn.exe
2896 | Ceioka32.exe
2916 | Chgkgmoo.exe
1604 | Clcghk32.exe
2548 | Coacdg32.exe
1704 | Capopb32.exe
3012 | Chigmlml.exe
2444 | Ckhdihlp.exe
Loads dropped DLL (64 IoCs)
pid | Process (every row below appears twice in the report, 64 rows in all)
2256 | d6f00b3fd1f3362533264958b9744130N.exe
2756 | Ohifch32.exe
2320 | Omfoko32.exe
2708 | Omfoko32.exe
2836 | Oaaklmao.exe
2728 | Olklmk32.exe
2704 | Oecpeqdo.exe
2584 | Plnhbk32.exe
1632 | Poldnf32.exe
1744 | Pcgqoech.exe
888 | Plpehj32.exe
2628 | Pamnpahp.exe
2636 | Plbbmjhf.exe
904 | Paojeafn.exe
1856 | Phibbk32.exe
2232 | Pdpcgl32.exe
2088 | Pkjkdfjk.exe
2108 | Pqfdlmic.exe
2084 | Qhnlmjie.exe
1996 | Qjoheb32.exe
2132 | Qnkdeagl.exe
2524 | Qddmbkoi.exe
832 | Qkoeoe32.exe
1376 | Qmpafnld.exe
2012 | Adgihkmf.exe
316 | Afhfpc32.exe
1552 | Ambnlmja.exe
1056 | Afjbecqb.exe
2660 | Aiioanpf.exe
2572 | Acncngpl.exe
2772 | Ajhkka32.exe
2764 | Aoedch32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Njnion32.exe | Nhombc32.exe
File created | C:\Windows\SysWOW64\Ndfmgdeb.exe | Nagakhfn.exe
File created | C:\Windows\SysWOW64\Kegflkfk.dll | Gbpaef32.exe
File opened for modification | C:\Windows\SysWOW64\Bcfbbe32.exe | Bokfaflj.exe
File opened for modification | C:\Windows\SysWOW64\Aediaoae.exe | Aogqihcm.exe
File opened for modification | C:\Windows\SysWOW64\Janijh32.exe | Joomnm32.exe
File opened for modification | C:\Windows\SysWOW64\Ljbmdmfc.exe | Lhaqld32.exe
File created | C:\Windows\SysWOW64\Dgephkni.dll | Aogqihcm.exe
File created | C:\Windows\SysWOW64\Kcliqaid.dll | Feofpqkn.exe
File created | C:\Windows\SysWOW64\Bmacqj32.exe | Biegpl32.exe
File opened for modification | C:\Windows\SysWOW64\Pdpcgl32.exe | Phibbk32.exe
File created | C:\Windows\SysWOW64\Lhcbfdbh.dll | Bnojpdfb.exe
File created | C:\Windows\SysWOW64\Fojnhlch.exe | Fmlblq32.exe
File created | C:\Windows\SysWOW64\Ipefba32.exe | Imgjfe32.exe
File opened for modification | C:\Windows\SysWOW64\Bfjhippb.exe | Bcklmdqn.exe
File opened for modification | C:\Windows\SysWOW64\Dhfpljnn.exe | Dehdpnok.exe
File opened for modification | C:\Windows\SysWOW64\Afhfpc32.exe | Adgihkmf.exe
File opened for modification | C:\Windows\SysWOW64\Nagakhfn.exe | Niqijkel.exe
File opened for modification | C:\Windows\SysWOW64\Hcpbalaa.exe | Hembfo32.exe
File opened for modification | C:\Windows\SysWOW64\Dcohih32.exe | Dpqlmm32.exe
File created | C:\Windows\SysWOW64\Nlflmj32.dll | Kkkgnmqb.exe
File created | C:\Windows\SysWOW64\Hjeacf32.exe | Hkbagjfi.exe
File created | C:\Windows\SysWOW64\Qjoheb32.exe | Qhnlmjie.exe
File created | C:\Windows\SysWOW64\Eemded32.exe | Dcohih32.exe
File created | C:\Windows\SysWOW64\Lnnidk32.exe | Ljbmdmfc.exe
File created | C:\Windows\SysWOW64\Jfbehp32.dll | Bfmlif32.exe
File created | C:\Windows\SysWOW64\Feofpqkn.exe | Fnhnnc32.exe
File created | C:\Windows\SysWOW64\Doblhg32.dll | Fgbpmh32.exe
File created | C:\Windows\SysWOW64\Djgddmhp.dll | Hmfjda32.exe
File opened for modification | C:\Windows\SysWOW64\Nhombc32.exe | Naedfi32.exe
File created | C:\Windows\SysWOW64\Dlapid32.dll | Dkbpbe32.exe
File created | C:\Windows\SysWOW64\Eehpoaaf.exe | Egepce32.exe
File opened for modification | C:\Windows\SysWOW64\Eained32.exe | Ekofijic.exe
File created | C:\Windows\SysWOW64\Kaeokg32.exe | Knicjipf.exe
File created | C:\Windows\SysWOW64\Milcphgf.exe | Mfngdmgb.exe
File created | C:\Windows\SysWOW64\Holqbipe.exe | Hgdhakpb.exe
File created | C:\Windows\SysWOW64\Fcmlpd32.dll | Epnkfq32.exe
File opened for modification | C:\Windows\SysWOW64\Famhqclj.exe | Ejfpofkh.exe
File opened for modification | C:\Windows\SysWOW64\Opmnle32.exe | Olablfbm.exe
File created | C:\Windows\SysWOW64\Nlgeffnb.dll | Elahkl32.exe
File created | C:\Windows\SysWOW64\Hoacek32.dll | Hmphfc32.exe
File created | C:\Windows\SysWOW64\Hbmpoj32.exe | Hpodbo32.exe
File opened for modification | C:\Windows\SysWOW64\Hinolcbf.exe | Hbdfoiki.exe
File created | C:\Windows\SysWOW64\Nbknjm32.exe | Npmana32.exe
File created | C:\Windows\SysWOW64\Pkjkdfjk.exe | Pdpcgl32.exe
File created | C:\Windows\SysWOW64\Ilohnopg.exe | Idhplaoe.exe
File opened for modification | C:\Windows\SysWOW64\Kkkgnmqb.exe | Kgoknohj.exe
File created | C:\Windows\SysWOW64\Hdiepmak.dll | Belhem32.exe
File opened for modification | C:\Windows\SysWOW64\Kdckgc32.exe | Kaeokg32.exe
File created | C:\Windows\SysWOW64\Kpjlldmg.exe | Knlpphnd.exe
File opened for modification | C:\Windows\SysWOW64\Gcpfbhof.exe | Gqajfmpb.exe
File created | C:\Windows\SysWOW64\Bibagmhk.exe | Bbhikcpn.exe
File created | C:\Windows\SysWOW64\Dadikaaj.exe | Dmimkc32.exe
File created | C:\Windows\SysWOW64\Hjlhcegl.exe | Hgnkgjgh.exe
File created | C:\Windows\SysWOW64\Pffdfm32.dll | Gbhpidak.exe
File created | C:\Windows\SysWOW64\Fmnjbi32.dll | Clcghk32.exe
File created | C:\Windows\SysWOW64\Ibfkoi32.dll | Fndhed32.exe
File opened for modification | C:\Windows\SysWOW64\Jndjoi32.exe | Jlcmhann.exe
File created | C:\Windows\SysWOW64\Gjeedcjh.exe | Gfjicd32.exe
File created | C:\Windows\SysWOW64\Caapeidl.dll | Dpqlmm32.exe
File opened for modification | C:\Windows\SysWOW64\Phcbmend.exe | Ppmjkhma.exe
File created | C:\Windows\SysWOW64\Nbeeolfd.dll | Bnemnbmm.exe
File created | C:\Windows\SysWOW64\Bjjdpdga.exe | Bglhcihn.exe
File opened for modification | C:\Windows\SysWOW64\Hfmfjh32.exe | Hnfnik32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
6352 | 6328 | WerFault.exe | 586
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of these 64 processes:
Gfjicd32.exe, Gqmqkn32.exe, Omfoko32.exe, Afjbecqb.exe, Lofono32.exe, Okmena32.exe, Bmacqj32.exe, Chldbl32.exe, Plfhfiqc.exe, Gqajfmpb.exe, Capopb32.exe, Ckjqog32.exe, Gglimm32.exe, Hpodbo32.exe, Bmcpfj32.exe, Dbbacdfo.exe, Fbhkdgbk.exe, Fldeakgp.exe, Fgbpmh32.exe, Cpolli32.exe, Dkmmdg32.exe, Dpqlmm32.exe, Jibdff32.exe, Kooimpao.exe, Mfngdmgb.exe, Emeejpjc.exe, Hpejcnlf.exe, Kchhholk.exe, Lbbodk32.exe, Qjnajl32.exe, Bomcgfjh.exe, Eklbid32.exe, Hpgcfmge.exe, Eacnpoqi.exe, Ipefba32.exe, Jodfilko.exe, Cbebjpaa.exe, Cmclem32.exe, Doibhekc.exe, Pdmpgfae.exe, Amjmpk32.exe, Iidajaiq.exe, Plbbmjhf.exe, Bgbemjqh.exe, Eljihn32.exe, Jedlph32.exe, Olcoaf32.exe, Gqenfc32.exe, Fcipaien.exe, Cgdggg32.exe, Cflanc32.exe, Dfaachpa.exe, Cajokmfi.exe, Fphgpnhm.exe, Gmhkkn32.exe, Gkkkgkla.exe, Ihehbpel.exe, Ndadld32.exe, Dadikaaj.exe, Dolondiq.exe, Ipkmal32.exe, Bjjdpdga.exe, Ieepad32.exe, Ehlqao32.exe
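The key read in this signature (MITRE ATT&CK T1614.001) is also read by ordinary software for locale lookups, so on its own it is weak evidence; what makes it worth a look here is that every reader is a binary this run wrote into SysWOW64. The snippet below is an added example and not the sandbox's own rule: it scopes the signal to reads performed by images that were written to disk earlier in the same trace. EVENTS is a constructed event list in a generic sandbox-like shape (not the report's format, and not Sysmon, which does not log registry key opens); the process names and drop relationships in it are taken from this report, the file paths are assumed.

```python
"""Scope the noisy "NLS\\Language key opened" signal to binaries dropped in
the same trace.

Added example, not part of the sandbox report. EVENTS is constructed; the
correlation rule (flag a read only if the reading image was created earlier
in the trace) is an assumption made here, not something the sandbox applies.
"""

NLS_SUFFIX = r"\control\nls\language"   # compared case-insensitively

# Constructed trace: two dropped binaries read the key, two baseline Windows
# processes read it too, and one dropped binary (Gfjicd32.exe) has no
# file_create event in the trace, as happens when a report caps a signature
# at 64 rows. Paths are assumed; process names come from the report.
EVENTS = [
    {"type": "file_create", "image": r"C:\Windows\SysWOW64\Ohifch32.exe",
     "target": r"C:\Windows\SysWOW64\Omfoko32.exe"},
    {"type": "reg_key_open", "image": r"C:\Windows\explorer.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "reg_key_open", "image": r"C:\Windows\SysWOW64\Omfoko32.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "file_create", "image": r"C:\Windows\SysWOW64\Ambnlmja.exe",
     "target": r"C:\Windows\SysWOW64\Afjbecqb.exe"},
    {"type": "reg_key_open", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "reg_key_open", "image": r"C:\Windows\SysWOW64\Afjbecqb.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "reg_key_open", "image": r"C:\Windows\SysWOW64\Gfjicd32.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def flag_language_reads(events):
    """Split NLS\\Language key opens into (flagged, suppressed) image paths.

    flagged:    the reading image was written to disk earlier in this trace
    suppressed: everything else, which is where locale lookups by
                pre-existing software land
    """
    dropped = set()
    flagged, suppressed = [], []
    for ev in events:
        if ev["type"] == "file_create":
            dropped.add(ev["target"].lower())
        elif ev["type"] == "reg_key_open" and ev["key"].lower().endswith(NLS_SUFFIX):
            bucket = flagged if ev["image"].lower() in dropped else suppressed
            bucket.append(ev["image"])
    return flagged, suppressed


if __name__ == "__main__":
    hits, noise = flag_language_reads(EVENTS)
    print("flagged:", *hits, sep="\n  ")
    print("suppressed:", *noise, sep="\n  ")
```

Gfjicd32.exe is in the report's list of readers but ends up suppressed here because its drop event is missing from the trace: the correlation is only as good as the drop coverage, and the report's own 64-row cap on "Drops file in System32 directory" produces exactly that gap.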
Modifies registry class (64 IoCs)
All 64 rows are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32; "(default)" is the unnamed value the report prints as InProcServer32\ =.
description | Process
Key created | Jhjnmb32.exe
Set value (str) ThreadingModel = "Apartment" | Pkpacaoj.exe
Key created | Cpolli32.exe
Key created | Ajhkka32.exe
Set value (str) ThreadingModel = "Apartment" | Bapcaocc.exe
Set value (str) ThreadingModel = "Apartment" | Ldedlfhl.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Ieebfp32.dll" | Plnhbk32.exe
Set value (str) ThreadingModel = "Apartment" | Omfoko32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Hebhog32.dll" | Eikmkbeg.exe
Set value (str) ThreadingModel = "Apartment" | Kooimpao.exe
Key created | Ahcoli32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Gjbnfi32.dll" | Emeejpjc.exe
Key created | Fobamgfd.exe
Set value (str) ThreadingModel = "Apartment" | Bgbemjqh.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Apneip32.dll" | Ijokcl32.exe
Set value (str) ThreadingModel = "Apartment" | Lbbodk32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Eoiddi32.dll" | Qjnajl32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Deepbglo.dll" | Cijmjn32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Lhplce32.dll" | Gqajfmpb.exe
Key created | Dafeaapg.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Gmioem32.dll" | Imgjfe32.exe
Key created | Lkainp32.exe
Set value (str) ThreadingModel = "Apartment" | Adaeai32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Mlpjfblj.dll" | Eaoadb32.exe
Set value (str) ThreadingModel = "Apartment" | Cmclem32.exe
Set value (str) ThreadingModel = "Apartment" | Plbbmjhf.exe
Set value (str) ThreadingModel = "Apartment" | Genmab32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Kgocfoac.dll" | Bmacqj32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Eidofdip.dll" | Bkdclgpl.exe
Key created | Belhem32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Cjhofa32.dll" | Bbhikcpn.exe
Set value (str) ThreadingModel = "Apartment" | Dlblmh32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Llfkmdlc.dll" | Dmcidqlf.exe
Key created | Eklicjkf.exe
Set value (str) ThreadingModel = "Apartment" | Gigllafc.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Dekmoh32.dll" | Ajidnp32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Mokfkini.dll" | Bcfbbe32.exe
Set value (str) ThreadingModel = "Apartment" | Dophid32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Bjfhgh32.dll" | Ijodiedi.exe
Set value (str) ThreadingModel = "Apartment" | Adgihkmf.exe
Set value (str) ThreadingModel = "Apartment" | Higikdhn.exe
Key created | Gfaodclg.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Gpcghm32.dll" | Olklmk32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Midgogjn.dll" | Bamfloef.exe
Key created | Njnion32.exe
Key created | Fgpcgi32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Hpfndjil.dll" | Dglmmf32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Lggmbo32.dll" | Gfobndnj.exe
Key created | Gmhkkn32.exe
Key created | Dadikaaj.exe
Set value (str) ThreadingModel = "Apartment" | Fffckf32.exe
Set value (str) ThreadingModel = "Apartment" | Njklioqd.exe
Key created | Ndfmgdeb.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Pmnnflbo.dll" | Oejfelin.exe
Key created | Gfaodclg.exe
Set value (str) ThreadingModel = "Apartment" | Holqbipe.exe
Key created | Fffckf32.exe
Key created | Lqnbffkn.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Iehnnddk.dll" | Mnbbpkjg.exe
Key created | Olfkge32.exe
Key created | Angmdoho.exe
Key created | Fqbeapqb.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Ghpjfl32.dll" | Okmena32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Kapiemhn.dll" | Qoimmc32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\d6f00b3fd1f3362533264958b9744130N.exe (PID 2256), command line: "C:\Users\Admin\AppData\Local\Temp\d6f00b3fd1f3362533264958b9744130N.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ohifch32.exe (PID 2756), command line: C:\Windows\system32\Ohifch32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Omfoko32.exe (PID 2320), command line: C:\Windows\system32\Omfoko32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Omfoko32.exe (PID 2708), command line: C:\Windows\system32\Omfoko32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Oaaklmao.exe (PID 2836), command line: C:\Windows\system32\Oaaklmao.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Olklmk32.exe (PID 2728), command line: C:\Windows\system32\Olklmk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Oecpeqdo.exe (PID 2704), command line: C:\Windows\system32\Oecpeqdo.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Plnhbk32.exe (PID 2584), command line: C:\Windows\system32\Plnhbk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Poldnf32.exe (PID 1632), command line: C:\Windows\system32\Poldnf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Pcgqoech.exe (PID 1744), command line: C:\Windows\system32\Pcgqoech.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Plpehj32.exe (PID 888), command line: C:\Windows\system32\Plpehj32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Pamnpahp.exe (PID 2628), command line: C:\Windows\system32\Pamnpahp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Plbbmjhf.exe (PID 2636), command line: C:\Windows\system32\Plbbmjhf.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Paojeafn.exe (PID 904), command line: C:\Windows\system32\Paojeafn.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Phibbk32.exe (PID 1856), command line: C:\Windows\system32\Phibbk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Pdpcgl32.exe (PID 2232), command line: C:\Windows\system32\Pdpcgl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Pkjkdfjk.exe (PID 2088), command line: C:\Windows\system32\Pkjkdfjk.exe
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Pqfdlmic.exe (PID 2108), command line: C:\Windows\system32\Pqfdlmic.exe
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Qhnlmjie.exe (PID 2084), command line: C:\Windows\system32\Qhnlmjie.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
20. C:\Windows\SysWOW64\Qjoheb32.exe (PID 1996), command line: C:\Windows\system32\Qjoheb32.exe
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Qnkdeagl.exe (PID 2132), command line: C:\Windows\system32\Qnkdeagl.exe
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Qddmbkoi.exe (PID 2524), command line: C:\Windows\system32\Qddmbkoi.exe
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Qkoeoe32.exe (PID 832), command line: C:\Windows\system32\Qkoeoe32.exe
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Qmpafnld.exe (PID 1376), command line: C:\Windows\system32\Qmpafnld.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Adgihkmf.exe (PID 2012), command line: C:\Windows\system32\Adgihkmf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
26. C:\Windows\SysWOW64\Afhfpc32.exe (PID 316), command line: C:\Windows\system32\Afhfpc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Ambnlmja.exe (PID 1552), command line: C:\Windows\system32\Ambnlmja.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Afjbecqb.exe (PID 1056), command line: C:\Windows\system32\Afjbecqb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
29. C:\Windows\SysWOW64\Aiioanpf.exe (PID 2660), command line: C:\Windows\system32\Aiioanpf.exe
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Acncngpl.exe (PID 2572), command line: C:\Windows\system32\Acncngpl.exe
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Ajhkka32.exe (PID 2772), command line: C:\Windows\system32\Ajhkka32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
32. C:\Windows\SysWOW64\Aoedch32.exe (PID 2764), command line: C:\Windows\system32\Aoedch32.exe
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Abcppcdc.exe (PID 2632), command line: C:\Windows\system32\Abcppcdc.exe
- Executes dropped EXE
34. C:\Windows\SysWOW64\Amidmldj.exe (PID 440), command line: C:\Windows\system32\Amidmldj.exe
- Executes dropped EXE
35. C:\Windows\SysWOW64\Aogqihcm.exe (PID 2428), command line: C:\Windows\system32\Aogqihcm.exe
- Executes dropped EXE
- Drops file in System32 directory
36. C:\Windows\SysWOW64\Aediaoae.exe (PID 556), command line: C:\Windows\system32\Aediaoae.exe
- Executes dropped EXE
37. C:\Windows\SysWOW64\Bgbemjqh.exe (PID 1648), command line: C:\Windows\system32\Bgbemjqh.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
38. C:\Windows\SysWOW64\Bbhikcpn.exe (PID 2952), command line: C:\Windows\system32\Bbhikcpn.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
39. C:\Windows\SysWOW64\Bibagmhk.exe (PID 2984), command line: C:\Windows\system32\Bibagmhk.exe
- Executes dropped EXE
40. C:\Windows\SysWOW64\Bnojpdfb.exe (PID 1232), command line: C:\Windows\system32\Bnojpdfb.exe
- Executes dropped EXE
- Drops file in System32 directory
41. C:\Windows\SysWOW64\Bamfloef.exe (PID 2128), command line: C:\Windows\system32\Bamfloef.exe
- Executes dropped EXE
- Modifies registry class
42. C:\Windows\SysWOW64\Bggohi32.exe (PID 2416), command line: C:\Windows\system32\Bggohi32.exe
- Executes dropped EXE
43. C:\Windows\SysWOW64\Bnagecdp.exe (PID 1624), command line: C:\Windows\system32\Bnagecdp.exe
- Executes dropped EXE
44. C:\Windows\SysWOW64\Bapcaocc.exe (PID 3004), command line: C:\Windows\system32\Bapcaocc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
45. C:\Windows\SysWOW64\Bfmlif32.exe (PID 1244), command line: C:\Windows\system32\Bfmlif32.exe
- Executes dropped EXE
- Drops file in System32 directory
46. C:\Windows\SysWOW64\Bjhgjdjd.exe (PID 1700), command line: C:\Windows\system32\Bjhgjdjd.exe
- Executes dropped EXE
47. C:\Windows\SysWOW64\Bglhcihn.exe (PID 2152), command line: C:\Windows\system32\Bglhcihn.exe
- Executes dropped EXE
- Drops file in System32 directory
48. C:\Windows\SysWOW64\Bjjdpdga.exe (PID 524), command line: C:\Windows\system32\Bjjdpdga.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
49. C:\Windows\SysWOW64\Badlln32.exe (PID 2224), command line: C:\Windows\system32\Badlln32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
50. C:\Windows\SysWOW64\Bpgmhkfi.exe (PID 708), command line: C:\Windows\system32\Bpgmhkfi.exe
- Executes dropped EXE
51. C:\Windows\SysWOW64\Cfaedeme.exe (PID 2824), command line: C:\Windows\system32\Cfaedeme.exe
- Executes dropped EXE
52. C:\Windows\SysWOW64\Cjmaed32.exe (PID 2780), command line: C:\Windows\system32\Cjmaed32.exe
- Executes dropped EXE
53. C:\Windows\SysWOW64\Clnmmlkm.exe (PID 2656), command line: C:\Windows\system32\Clnmmlkm.exe
- Executes dropped EXE
54. C:\Windows\SysWOW64\Cbhejf32.exe (PID 2752), command line: C:\Windows\system32\Cbhejf32.exe
- Executes dropped EXE
55. C:\Windows\SysWOW64\Cefbfa32.exe (PID 2640), command line: C:\Windows\system32\Cefbfa32.exe
- Executes dropped EXE
56. C:\Windows\SysWOW64\Cmnjgo32.exe (PID 2268), command line: C:\Windows\system32\Cmnjgo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
57. C:\Windows\SysWOW64\Cplfcj32.exe (PID 2180), command line: C:\Windows\system32\Cplfcj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
58. C:\Windows\SysWOW64\Coofoghn.exe (PID 2928), command line: C:\Windows\system32\Coofoghn.exe
- Executes dropped EXE
59. C:\Windows\SysWOW64\Ceioka32.exe (PID 2896), command line: C:\Windows\system32\Ceioka32.exe
- Executes dropped EXE
60. C:\Windows\SysWOW64\Chgkgmoo.exe (PID 2916), command line: C:\Windows\system32\Chgkgmoo.exe
- Executes dropped EXE
61. C:\Windows\SysWOW64\Clcghk32.exe (PID 1604), command line: C:\Windows\system32\Clcghk32.exe
- Executes dropped EXE
- Drops file in System32 directory
62. C:\Windows\SysWOW64\Coacdg32.exe (PID 2548), command line: C:\Windows\system32\Coacdg32.exe
- Executes dropped EXE
63. C:\Windows\SysWOW64\Capopb32.exe (PID 1704), command line: C:\Windows\system32\Capopb32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
64. C:\Windows\SysWOW64\Chigmlml.exe (PID 3012), command line: C:\Windows\system32\Chigmlml.exe
- Executes dropped EXE
65. C:\Windows\SysWOW64\Ckhdihlp.exe (PID 2444), command line: C:\Windows\system32\Ckhdihlp.exe
- Executes dropped EXE
66. C:\Windows\SysWOW64\Cdphbm32.exe (PID 916), command line: C:\Windows\system32\Cdphbm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
67. C:\Windows\SysWOW64\Chldbl32.exe (PID 588), command line: C:\Windows\system32\Chldbl32.exe
- System Location Discovery: System Language Discovery
68. C:\Windows\SysWOW64\Ckjqog32.exe (PID 3060), command line: C:\Windows\system32\Ckjqog32.exe
- System Location Discovery: System Language Discovery
69. C:\Windows\SysWOW64\Dmimkc32.exe (PID 2364), command line: C:\Windows\system32\Dmimkc32.exe
- Drops file in System32 directory
70. C:\Windows\SysWOW64\Dadikaaj.exe (PID 2156), command line: C:\Windows\system32\Dadikaaj.exe
- System Location Discovery: System Language Discovery
- Modifies registry class
71. C:\Windows\SysWOW64\Dfaachpa.exe (PID 2700), command line: C:\Windows\system32\Dfaachpa.exe
- System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\Dkmmdg32.exe (PID 2960), command line: C:\Windows\system32\Dkmmdg32.exe
- System Location Discovery: System Language Discovery
73. C:\Windows\SysWOW64\Dafeaapg.exe (PID 2616), command line: C:\Windows\system32\Dafeaapg.exe
- Modifies registry class
74. C:\Windows\SysWOW64\Ddeammok.exe (PID 2388), command line: C:\Windows\system32\Ddeammok.exe
75. C:\Windows\SysWOW64\Dgcnihnn.exe (PID 1128), command line: C:\Windows\system32\Dgcnihnn.exe
76. C:\Windows\SysWOW64\Dibjec32.exe (PID 1640), command line: C:\Windows\system32\Dibjec32.exe
77. C:\Windows\SysWOW64\Daibfa32.exe (PID 2992), command line: C:\Windows\system32\Daibfa32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
78. C:\Windows\SysWOW64\Ddgnbl32.exe (PID 2544), command line: C:\Windows\system32\Ddgnbl32.exe
79. C:\Windows\SysWOW64\Dkafofde.exe (PID 568), command line: C:\Windows\system32\Dkafofde.exe
80. C:\Windows\SysWOW64\Didgkc32.exe (PID 2184), command line: C:\Windows\system32\Didgkc32.exe
81. C:\Windows\SysWOW64\Dpnogmbl.exe (PID 1088), command line: C:\Windows\system32\Dpnogmbl.exe
82. C:\Windows\SysWOW64\Dcmkciap.exe (PID 2304), command line: C:\Windows\system32\Dcmkciap.exe
83. C:\Windows\SysWOW64\Dlepmnhq.exe (PID 2028), command line: C:\Windows\system32\Dlepmnhq.exe
84. C:\Windows\SysWOW64\Dpqlmm32.exe (PID 2784), command line: C:\Windows\system32\Dpqlmm32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
85. C:\Windows\SysWOW64\Dcohih32.exe (PID 2840), command line: C:\Windows\system32\Dcohih32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
86. C:\Windows\SysWOW64\Eemded32.exe (PID 532), command line: C:\Windows\system32\Eemded32.exe
87. C:\Windows\SysWOW64\Ehlqao32.exe (PID 2512), command line: C:\Windows\system32\Ehlqao32.exe
- System Location Discovery: System Language Discovery
88. C:\Windows\SysWOW64\Elgmbnfn.exe (PID 336), command line: C:\Windows\system32\Elgmbnfn.exe
89. C:\Windows\SysWOW64\Ecaeoh32.exe (PID 3036), command line: C:\Windows\system32\Ecaeoh32.exe
90. C:\Windows\SysWOW64\Eadejede.exe (PID 1760), command line: C:\Windows\system32\Eadejede.exe
91. C:\Windows\SysWOW64\Eikmkbeg.exe (PID 2140), command line: C:\Windows\system32\Eikmkbeg.exe
- Modifies registry class
92. C:\Windows\SysWOW64\Eljihn32.exe (PID 1480), command line: C:\Windows\system32\Eljihn32.exe
- System Location Discovery: System Language Discovery
93. C:\Windows\SysWOW64\Eklicjkf.exe (PID 2016), command line: C:\Windows\system32\Eklicjkf.exe
- Modifies registry class
94. C:\Windows\SysWOW64\Eccadhkh.exe (PID 2200), command line: C:\Windows\system32\Eccadhkh.exe
95. C:\Windows\SysWOW64\Ehpjmoio.exe (PID 2240), command line: C:\Windows\system32\Ehpjmoio.exe
96. C:\Windows\SysWOW64\Ellfmm32.exe (PID 2832), command line: C:\Windows\system32\Ellfmm32.exe
97. C:\Windows\SysWOW64\Ekofijic.exe (PID 2740), command line: C:\Windows\system32\Ekofijic.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
98. C:\Windows\SysWOW64\Eained32.exe (PID 2568), command line: C:\Windows\system32\Eained32.exe
99. C:\Windows\SysWOW64\Edgkap32.exe (PID 2748), command line: C:\Windows\system32\Edgkap32.exe
100. C:\Windows\SysWOW64\Ehbgbngm.exe (PID 2912), command line: C:\Windows\system32\Ehbgbngm.exe
101. C:\Windows\SysWOW64\Enpoje32.exe (PID 2068), command line: C:\Windows\system32\Enpoje32.exe
102. C:\Windows\SysWOW64\Eakkkdnm.exe (PID 1880), command line: C:\Windows\system32\Eakkkdnm.exe
103. C:\Windows\SysWOW64\Epnkfq32.exe (PID 1152), command line: C:\Windows\system32\Epnkfq32.exe
- Drops file in System32 directory
104. C:\Windows\SysWOW64\Eghcckld.exe (PID 2968), command line: C:\Windows\system32\Eghcckld.exe
105. C:\Windows\SysWOW64\Ekcpdi32.exe (PID 1736), command line: C:\Windows\system32\Ekcpdi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
106. C:\Windows\SysWOW64\Ejfpofkh.exe (PID 1592), command line: C:\Windows\system32\Ejfpofkh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
107. C:\Windows\SysWOW64\Famhqclj.exe (PID 2408), command line: C:\Windows\system32\Famhqclj.exe
108. C:\Windows\SysWOW64\Fdldmokn.exe (PID 3048), command line: C:\Windows\system32\Fdldmokn.exe
109. C:\Windows\SysWOW64\Fgjpijjb.exe (PID 2576), command line: C:\Windows\system32\Fgjpijjb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
110. C:\Windows\SysWOW64\Fndhed32.exe (PID 2124), command line: C:\Windows\system32\Fndhed32.exe
- Drops file in System32 directory
111. C:\Windows\SysWOW64\Fqbeapqb.exe (PID 2820), command line: C:\Windows\system32\Fqbeapqb.exe
- Modifies registry class
112. C:\Windows\SysWOW64\Fgmmnj32.exe (PID 3016), command line: C:\Windows\system32\Fgmmnj32.exe
113. C:\Windows\SysWOW64\Fnfekdpl.exe (PID 1300), command line: C:\Windows\system32\Fnfekdpl.exe
114. C:\Windows\SysWOW64\Fliefa32.exe (PID 2972), command line: C:\Windows\system32\Fliefa32.exe
115. C:\Windows\SysWOW64\Fccncknc.exe (PID 936), command line: C:\Windows\system32\Fccncknc.exe
116. C:\Windows\SysWOW64\Fgojdj32.exe (PID 1304), command line: C:\Windows\system32\Fgojdj32.exe
117. C:\Windows\SysWOW64\Fmlblq32.exe (PID 1268), command line: C:\Windows\system32\Fmlblq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
118. C:\Windows\SysWOW64\Fojnhlch.exe (PID 2988), command line: C:\Windows\system32\Fojnhlch.exe
119. C:\Windows\SysWOW64\Fbhkdgbk.exe (PID 2852), command line: C:\Windows\system32\Fbhkdgbk.exe
- System Location Discovery: System Language Discovery
120. C:\Windows\SysWOW64\Fhbcaa32.exe (PID 2552), command line: C:\Windows\system32\Fhbcaa32.exe
121. C:\Windows\SysWOW64\Folknlae.exe (PID 2340), command line: C:\Windows\system32\Folknlae.exe
122. C:\Windows\SysWOW64\Fffckf32.exe (PID 1924), command line: C:\Windows\system32\Fffckf32.exe
- Modifies registry class