Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 86s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 02:29
Static task: static1
Behavioral task: behavioral1
  Sample: b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9.exe
  Resource: win10v2004-20240709-en
General
Target: b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9.exe
Size: 96KB
MD5: cf03f33182adbb91abbf54f1d7bb9cd9
SHA1: e521c36082899fd4769071502722ffa5f4e20185
SHA256: b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9
SHA512: d873239a21080f54c956ffa709905d185f375e52f14823c41efa68fddbe689c74bb16fd5b54cf785ef68f915f13b9cd8cac9d4821940b70377b41816142a8685
SSDEEP: 1536:mcbj29TFN02VWatFFtEPxDIfJI0qOS38/InjK/fGExO+WhrUQVoMdUT+irF:a96+FCpDOVC8Anu/fz9Whr1Rhk
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Columns in the original table: description, ioc, Process. The 64 rows fall into two groups, listed here by process.
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (32 processes): Ccinnd32.exe, Gkjahg32.exe, Pokkkgpo.exe, Dechlfkl.exe, Nlgfbh32.exe, Egdnjlcg.exe, Lokpcekn.exe, Nfeljlqh.exe, Bbcjfn32.exe, Ohljcnlh.exe, Dkggel32.exe, Igmppcpm.exe, Ogqpjd32.exe, Cgfcabeh.exe, Jpbmhf32.exe, Kpecad32.exe, Beccgi32.exe, Hiffbl32.exe, Nmmgafjh.exe, Cfjgopop.exe, Dnbdbomn.exe, Mjocja32.exe, Apdobg32.exe, Hmeaaboe.exe, Dlfbck32.exe, Enjmlgoj.exe, Bgndnd32.exe, Phphgf32.exe, Hohfmi32.exe, Jjjfbikh.exe, Feiamj32.exe, Fjpipkgi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (32 processes): Pnfkjb32.exe, Cfcajekc.exe, Bonenbgj.exe, Flbgak32.exe, Opaeok32.exe, Ogldfl32.exe, Dpnmoe32.exe, Fmicnhob.exe, Lppgfkpd.exe, Hbjjfl32.exe, Nfljpa32.exe, Jjjfbikh.exe, Ainhln32.exe, Jbhlilip.exe, Qeeadi32.exe, Ckoblapc.exe, Mnhbep32.exe, Kpjlldmg.exe, Cekihh32.exe, Boggkicf.exe, Bjnhpj32.exe, Clhgnagn.exe, Ajcbpbkn.exe, Inmdjjok.exe, Plnhbk32.exe, Ekiaac32.exe, Enpoje32.exe, Iapjad32.exe, Bkheal32.exe, Iicoai32.exe, Bclbhkdj.exe, Ifngiqlg.exe
Executes dropped EXE (64 IoCs)
pid  Process
2192  Dnpedghl.exe
988  Dlfbck32.exe
2428  Djkodg32.exe
2860  Ejmljg32.exe
2744  Eibikc32.exe
2112  Effidg32.exe
2640  Eelfedpa.exe
2304  Eenckc32.exe
1168  Fholmo32.exe
1252  Fhaibnim.exe
2972  Fhfbmn32.exe
1792  Fmbkfd32.exe
1968  Glhhgahg.exe
2200  Gngdadoj.exe
2260  Gcfioj32.exe
2296  Gdjblboj.exe
932  Hkfgnldd.exe
964  Hdailaib.exe
1780  Hdcebagp.exe
268  Hmojfcdk.exe
1348  Iiekkdjo.exe
2572  Ickoimie.exe
2548  Ikfdmogp.exe
544  Ikhqbo32.exe
3068  Iofiimkd.exe
3040  Ijpjik32.exe
2148  Jfigdl32.exe
2240  Jcmhmp32.exe
2876  Jijqeg32.exe
2784  Jilmkffb.exe
1408  Kmjfae32.exe
2856  Kiccle32.exe
2748  Kldlmqml.exe
1708  Ldangbhd.exe
2512  Lddjmb32.exe
2000  Lcignoki.exe
2956  Lpodmb32.exe
1544  Lhkiae32.exe
828  Mognco32.exe
108  Mhobldaf.exe
2272  Mdfcaegj.exe
2468  Mkplnp32.exe
1096  Mdkmld32.exe
1552  Nncaejie.exe
236  Nhmbfhfd.exe
1308  Ncbfcq32.exe
1668  Nkmkgc32.exe
2132  Nmmgafjh.exe
2484  Nfeljlqh.exe
3044  Nkbdbbop.exe
1584  Oqomkimg.exe
1100  Oncndnlq.exe
1864  Ogkbmcba.exe
2780  Onejjm32.exe
2828  Onggom32.exe
2632  Ocdohdfc.exe
1228  Ojnhdn32.exe
1364  Opkpme32.exe
2520  Picdejbg.exe
3064  Pciiccbm.exe
1744  Pldnge32.exe
3016  Pfjbdn32.exe
532  Pnefiq32.exe
632  Pikkfilp.exe
Loads dropped DLL (64 IoCs)
pid  Process (each of the 32 rows below appears twice in the original table)
2552  b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9.exe
2192  Dnpedghl.exe
988  Dlfbck32.exe
2428  Djkodg32.exe
2860  Ejmljg32.exe
2744  Eibikc32.exe
2112  Effidg32.exe
2640  Eelfedpa.exe
2304  Eenckc32.exe
1168  Fholmo32.exe
1252  Fhaibnim.exe
2972  Fhfbmn32.exe
1792  Fmbkfd32.exe
1968  Glhhgahg.exe
2200  Gngdadoj.exe
2260  Gcfioj32.exe
2296  Gdjblboj.exe
932  Hkfgnldd.exe
964  Hdailaib.exe
1780  Hdcebagp.exe
268  Hmojfcdk.exe
1348  Iiekkdjo.exe
2572  Ickoimie.exe
2548  Ikfdmogp.exe
544  Ikhqbo32.exe
3068  Iofiimkd.exe
2332  Jnncoini.exe
2148  Jfigdl32.exe
2240  Jcmhmp32.exe
2876  Jijqeg32.exe
2784  Jilmkffb.exe
1408  Kmjfae32.exe
Drops file in System32 directory (64 IoCs)
description  ioc  Process
File created  C:\Windows\SysWOW64\Pnbeacbd.exe  Pqodho32.exe
File opened for modification  C:\Windows\SysWOW64\Poqniegj.exe  Plbbmjhf.exe
File opened for modification  C:\Windows\SysWOW64\Dpifln32.exe  Ddbegmqm.exe
File opened for modification  C:\Windows\SysWOW64\Epamlegl.exe  Efihcpqk.exe
File created  C:\Windows\SysWOW64\Mkbjgp32.dll  Baoahf32.exe
File created  C:\Windows\SysWOW64\Inlepl32.dll  Jnncoini.exe
File opened for modification  C:\Windows\SysWOW64\Kldlmqml.exe  Kiccle32.exe
File created  C:\Windows\SysWOW64\Jgnflmia.exe  Jjjfbikh.exe
File opened for modification  C:\Windows\SysWOW64\Pjbnmm32.exe  Oohmmojn.exe
File opened for modification  C:\Windows\SysWOW64\Hdmdcc32.exe  Haoggh32.exe
File opened for modification  C:\Windows\SysWOW64\Plbbmjhf.exe  Pehiqp32.exe
File opened for modification  C:\Windows\SysWOW64\Gcfioj32.exe  Gngdadoj.exe
File created  C:\Windows\SysWOW64\Ahlejlon.dll  Gkojcgga.exe
File created  C:\Windows\SysWOW64\Qjnaimap.dll  Fnkchahn.exe
File created  C:\Windows\SysWOW64\Fiomhc32.exe  Fqhegf32.exe
File created  C:\Windows\SysWOW64\Bmkegaif.dll  Dokmel32.exe
File opened for modification  C:\Windows\SysWOW64\Kkbdib32.exe  Kdhlmhgj.exe
File opened for modification  C:\Windows\SysWOW64\Adnomfqc.exe  Alfflhpa.exe
File opened for modification  C:\Windows\SysWOW64\Pdegnn32.exe  Oljbil32.exe
File created  C:\Windows\SysWOW64\Dejnme32.exe  Dnbfkh32.exe
File created  C:\Windows\SysWOW64\Gmcogf32.exe  Gfigkljk.exe
File created  C:\Windows\SysWOW64\Mdkmld32.exe  Mkplnp32.exe
File created  C:\Windows\SysWOW64\Nahhfoij.exe  Nlkonhkb.exe
File opened for modification  C:\Windows\SysWOW64\Linoeccp.exe  Lohkhjcj.exe
File created  C:\Windows\SysWOW64\Bnndce32.dll  Mmepboin.exe
File created  C:\Windows\SysWOW64\Enjmlgoj.exe  Ecdhonoc.exe
File opened for modification  C:\Windows\SysWOW64\Jcmhmp32.exe  Jfigdl32.exe
File created  C:\Windows\SysWOW64\Jieqjmnb.dll  Nogodcli.exe
File created  C:\Windows\SysWOW64\Bclbhkdj.exe  Bbkfpb32.exe
File created  C:\Windows\SysWOW64\Leghlp32.dll  Npgppdpc.exe
File created  C:\Windows\SysWOW64\Ljjkgfig.exe  Kemcookp.exe
File opened for modification  C:\Windows\SysWOW64\Lddjmb32.exe  Ldangbhd.exe
File created  C:\Windows\SysWOW64\Picdejbg.exe  Opkpme32.exe
File created  C:\Windows\SysWOW64\Cajmbd32.exe  Chahin32.exe
File created  C:\Windows\SysWOW64\Pdcjhkpn.dll  Pdhdcnng.exe
File created  C:\Windows\SysWOW64\Falnbokn.dll  Ddjbbbna.exe
File created  C:\Windows\SysWOW64\Fkipiodd.exe  Fmfpnb32.exe
File created  C:\Windows\SysWOW64\Cmhmca32.dll  Njeikpij.exe
File opened for modification  C:\Windows\SysWOW64\Fhlhmi32.exe  Fncddc32.exe
File opened for modification  C:\Windows\SysWOW64\Ggekhhle.exe  Gpkckneh.exe
File created  C:\Windows\SysWOW64\Ikqcgj32.exe  Hfdkoc32.exe
File created  C:\Windows\SysWOW64\Eqhfoj32.exe  Ekiaac32.exe
File created  C:\Windows\SysWOW64\Linanl32.exe  Lmgaikep.exe
File created  C:\Windows\SysWOW64\Bifcdc32.dll  Opaeok32.exe
File created  C:\Windows\SysWOW64\Fdhidgbq.dll  Joaebkni.exe
File created  C:\Windows\SysWOW64\Bdgbjm32.dll  Olapcm32.exe
File created  C:\Windows\SysWOW64\Fjlaod32.exe  Fadmenpg.exe
File created  C:\Windows\SysWOW64\Lokpcekn.exe  Liaggk32.exe
File created  C:\Windows\SysWOW64\Qeokhe32.dll  Cibnfpjg.exe
File opened for modification  C:\Windows\SysWOW64\Cdphbm32.exe  Cocpjf32.exe
File created  C:\Windows\SysWOW64\Lkclin32.dll  Fholmo32.exe
File created  C:\Windows\SysWOW64\Cpcaeghc.exe  Cpadpg32.exe
File created  C:\Windows\SysWOW64\Odcnabap.dll  Pnhegi32.exe
File created  C:\Windows\SysWOW64\Ikfdmogp.exe  Ickoimie.exe
File created  C:\Windows\SysWOW64\Minkceml.dll  Mnllppfh.exe
File opened for modification  C:\Windows\SysWOW64\Gddbfm32.exe  Gaffja32.exe
File opened for modification  C:\Windows\SysWOW64\Nolffjap.exe  Necandjo.exe
File created  C:\Windows\SysWOW64\Lmhnknmi.dll  Qedjib32.exe
File opened for modification  C:\Windows\SysWOW64\Pkalph32.exe  Pdhdcnng.exe
File created  C:\Windows\SysWOW64\Nkbdbbop.exe  Nfeljlqh.exe
File created  C:\Windows\SysWOW64\Kidlodkj.exe  Kplhfo32.exe
File created  C:\Windows\SysWOW64\Igmppcpm.exe  Ipbgci32.exe
File created  C:\Windows\SysWOW64\Lbiapmah.dll  Ndlanf32.exe
File created  C:\Windows\SysWOW64\Bfoeei32.dll  Jdpmij32.exe
Program crash (1 IoC)
pid: 5812
pid_target: 5788
Process: WerFault.exe
procid_target: 726
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Columns in the original table: description, ioc, Process. All 64 rows are the same action on the same key, listed here by process.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 processes): Ifngiqlg.exe, Mafmhcam.exe, Fmfpnb32.exe, Bmfdfpih.exe, Ihedan32.exe, Ckoblapc.exe, Akahokho.exe, Jcnloa32.exe, Liaggk32.exe, Nolhoc32.exe, Clnmmlkm.exe, Epamlegl.exe, Jlqniihl.exe, Pmbpda32.exe, Amdhidqk.exe, Haoggh32.exe, Kkbdib32.exe, Jmigke32.exe, Aeahjn32.exe, Gkojcgga.exe, Dljdcqek.exe, Hmehlibq.exe, Neagan32.exe, Ooabjbdn.exe, Cbjbof32.exe, Ibafhmph.exe, Pfjbdn32.exe, Aeommfnf.exe, Lcooinfc.exe, Kqncnjan.exe, Pqodho32.exe, Bmcnmapk.exe, Mnllppfh.exe, Ihhehoci.exe, Jbhlilip.exe, Mkqnghfk.exe, Kffblb32.exe, Cnfnlk32.exe, Lmgaikep.exe, Hbgjoo32.exe, Eckcak32.exe, Clnkdc32.exe, Dkakad32.exe, Beccgi32.exe, Lhhhjhkf.exe, Picdejbg.exe, Lepfoe32.exe, Ijfpif32.exe, Jjjfbikh.exe, Bnkbcmaj.exe, Nhbpbi32.exe, Pkgonf32.exe, Jgbkdkdk.exe, Ejmljg32.exe, Bgndnd32.exe, Cjmaed32.exe, Eligoe32.exe, Ainhln32.exe, Abmkhmfe.exe, Lcbppk32.exe, Hbagaa32.exe, Odiagj32.exe, Apdobg32.exe, Npgppdpc.exe
Modifies registry class (64 IoCs)
Columns in the original table: description, ioc, Process. Every row touches the same COM registration key, abbreviated below as <CLSID key>:
<CLSID key> = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Key created <CLSID key> (22 processes): Ddgnbl32.exe, Fhfbmn32.exe, Hghhngjb.exe, Blelpeoa.exe, Fnnpma32.exe, Fgmmnj32.exe, Hhobbqkc.exe, Mdfcaegj.exe, Inbobn32.exe, Cnfnlk32.exe, Ipkkhckl.exe, Gfnnmboa.exe, Nlkmeo32.exe, Dnkggjpj.exe, Feiamj32.exe, Gpbkca32.exe, Kagkebpb.exe, Hjbljh32.exe, Medggj32.exe, Ljljenoi.exe, Pkjkdfjk.exe, Jfkphnmj.exe
Set value (str) <CLSID key>\ThreadingModel = "Apartment" (18 processes): Pciiccbm.exe, Bpieli32.exe, Gaffja32.exe, Egdnjlcg.exe, Gdpikmci.exe, Qjoheb32.exe, Injlmcib.exe, Hbomdjoo.exe, Almmlg32.exe, Afgmldhe.exe, Hhklibbf.exe, Ooabjbdn.exe, Qmpafnld.exe, Kleeqp32.exe, Gmflmfpe.exe, Epflbbpp.exe, Ljjkgfig.exe, Adkbgf32.exe
Set value (str) <CLSID key>\ (default value) = DLL path, 24 rows, listed as value then Process:
"C:\\Windows\\SysWow64\\Ppmdmcpk.dll"  Hmeaaboe.exe
"C:\\Windows\\SysWow64\\Gaegpokc.dll"  Cffejk32.exe
"C:\\Windows\\SysWow64\\Pbcdihah.dll"  Nahhfoij.exe
"C:\\Windows\\SysWow64\\Mapnhh32.dll"  Qdbpml32.exe
"C:\\Windows\\SysWow64\\Elbbcn32.dll"  Eebnqcjl.exe
"C:\\Windows\\SysWow64\\Bnndce32.dll"  Mmepboin.exe
"C:\\Windows\\SysWow64\\Ebhkgeqj.dll"  Jflikm32.exe
"C:\\Windows\\SysWow64\\Ebbkhp32.dll"  Dpifln32.exe
"C:\\Windows\\SysWow64\\Bkhbee32.dll"  Bgndnd32.exe
"C:\\Windows\\SysWow64\\Banmnqac.dll"  Jmfoon32.exe
"C:\\Windows\\SysWow64\\Agdnkj32.dll"  Dgehfodh.exe
"C:\\Windows\\SysWow64\\Ckglknof.dll"  Cbpbek32.exe
"C:\\Windows\\SysWow64\\Nagegjio.dll"  Chdlidjm.exe
"C:\\Windows\\SysWow64\\Nogeln32.dll"  Hjkneb32.exe
"C:\\Windows\\SysWow64\\Ncdlhc32.dll"  Ckoblapc.exe
"C:\\Windows\\SysWow64\\Lqicio32.dll"  Clpeajjb.exe
"C:\\Windows\\SysWow64\\Lagknhgp.dll"  Bjclfmfe.exe
"C:\\Windows\\SysWow64\\Kfbcpo32.dll"  Lepfoe32.exe
"C:\\Windows\\SysWow64\\Opjdhb32.dll"  Qjcmoqlf.exe
"C:\\Windows\\SysWow64\\Ggppeg32.dll"  Kgibeklf.exe
"C:\\Windows\\SysWow64\\Jmepmj32.dll"  Mihngj32.exe
"C:\\Windows\\SysWow64\\Fjakio32.dll"  Eojbii32.exe
"C:\\Windows\\SysWow64\\Jfbehp32.dll"  Bcnomjbg.exe
"C:\\Windows\\SysWow64\\Qcmkoiee.dll"  Dpbgghhl.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2552 wrote to memory of 2192 2552 b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9.exe 29
PID 2552 wrote to memory of 2192 2552 b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9.exe 29
PID 2552 wrote to memory of 2192 2552 b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9.exe 29
PID 2552 wrote to memory of 2192 2552 b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9.exe 29
PID 2192 wrote to memory of 988 2192 Dnpedghl.exe 30
PID 2192 wrote to memory of 988 2192 Dnpedghl.exe 30
PID 2192 wrote to memory of 988 2192 Dnpedghl.exe 30
PID 2192 wrote to memory of 988 2192 Dnpedghl.exe 30
PID 988 wrote to memory of 2428 988 Dlfbck32.exe 31
PID 988 wrote to memory of 2428 988 Dlfbck32.exe 31
PID 988 wrote to memory of 2428 988 Dlfbck32.exe 31
PID 988 wrote to memory of 2428 988 Dlfbck32.exe 31
PID 2428 wrote to memory of 2860 2428 Djkodg32.exe 32
PID 2428 wrote to memory of 2860 2428 Djkodg32.exe 32
PID 2428 wrote to memory of 2860 2428 Djkodg32.exe 32
PID 2428 wrote to memory of 2860 2428 Djkodg32.exe 32
PID 2860 wrote to memory of 2744 2860 Ejmljg32.exe 33
PID 2860 wrote to memory of 2744 2860 Ejmljg32.exe 33
PID 2860 wrote to memory of 2744 2860 Ejmljg32.exe 33
PID 2860 wrote to memory of 2744 2860 Ejmljg32.exe 33
PID 2744 wrote to memory of 2112 2744 Eibikc32.exe 34
PID 2744 wrote to memory of 2112 2744 Eibikc32.exe 34
PID 2744 wrote to memory of 2112 2744 Eibikc32.exe 34
PID 2744 wrote to memory of 2112 2744 Eibikc32.exe 34
PID 2112 wrote to memory of 2640 2112 Effidg32.exe 35
PID 2112 wrote to memory of 2640 2112 Effidg32.exe 35
PID 2112 wrote to memory of 2640 2112 Effidg32.exe 35
PID 2112 wrote to memory of 2640 2112 Effidg32.exe 35
PID 2640 wrote to memory of 2304 2640 Eelfedpa.exe 36
PID 2640 wrote to memory of 2304 2640 Eelfedpa.exe 36
PID 2640 wrote to memory of 2304 2640 Eelfedpa.exe 36
PID 2640 wrote to memory of 2304 2640 Eelfedpa.exe 36
PID 2304 wrote to memory of 1168 2304 Eenckc32.exe 37
PID 2304 wrote to memory of 1168 2304 Eenckc32.exe 37
PID 2304 wrote to memory of 1168 2304 Eenckc32.exe 37
PID 2304 wrote to memory of 1168 2304 Eenckc32.exe 37
PID 1168 wrote to memory of 1252 1168 Fholmo32.exe 38
PID 1168 wrote to memory of 1252 1168 Fholmo32.exe 38
PID 1168 wrote to memory of 1252 1168 Fholmo32.exe 38
PID 1168 wrote to memory of 1252 1168 Fholmo32.exe 38
PID 1252 wrote to memory of 2972 1252 Fhaibnim.exe 39
PID 1252 wrote to memory of 2972 1252 Fhaibnim.exe 39
PID 1252 wrote to memory of 2972 1252 Fhaibnim.exe 39
PID 1252 wrote to memory of 2972 1252 Fhaibnim.exe 39
PID 2972 wrote to memory of 1792 2972 Fhfbmn32.exe 40
PID 2972 wrote to memory of 1792 2972 Fhfbmn32.exe 40
PID 2972 wrote to memory of 1792 2972 Fhfbmn32.exe 40
PID 2972 wrote to memory of 1792 2972 Fhfbmn32.exe 40
PID 1792 wrote to memory of 1968 1792 Fmbkfd32.exe 41
PID 1792 wrote to memory of 1968 1792 Fmbkfd32.exe 41
PID 1792 wrote to memory of 1968 1792 Fmbkfd32.exe 41
PID 1792 wrote to memory of 1968 1792 Fmbkfd32.exe 41
PID 1968 wrote to memory of 2200 1968 Glhhgahg.exe 42
PID 1968 wrote to memory of 2200 1968 Glhhgahg.exe 42
PID 1968 wrote to memory of 2200 1968 Glhhgahg.exe 42
PID 1968 wrote to memory of 2200 1968 Glhhgahg.exe 42
PID 2200 wrote to memory of 2260 2200 Gngdadoj.exe 43
PID 2200 wrote to memory of 2260 2200 Gngdadoj.exe 43
PID 2200 wrote to memory of 2260 2200 Gngdadoj.exe 43
PID 2200 wrote to memory of 2260 2200 Gngdadoj.exe 43
PID 2260 wrote to memory of 2296 2260 Gcfioj32.exe 44
PID 2260 wrote to memory of 2296 2260 Gcfioj32.exe 44
PID 2260 wrote to memory of 2296 2260 Gcfioj32.exe 44
PID 2260 wrote to memory of 2296 2260 Gcfioj32.exe 44
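The two lists above are flattened in the report, and what a responder wants out of them is short: the ordered chain of dropped executables (each parent writes its child's startup data, which is why every spawn shows up as four WriteProcessMemory calls), and the set of DLL paths the sample pointed the hijacked CLSID's InProcServer32 at, since that is the file Explorer will load when it resolves the "Adds autorun key to be loaded by Explorer.exe on startup" entry. The Python below is an added triage aid, not part of the tria.ge report or the sample; it parses both event formats, collapses the duplicates, rebuilds the parent/child chain and collects the DLLs. The embedded sample strings are excerpts copied from the two lists on this page; the regexes and function names are this example's own.

```python
import re
from collections import defaultdict

# One WriteProcessMemory event as the report flattens it (the source pid is
# printed twice): "PID <src> wrote to memory of <dst> <src> <src image> <target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# One "Modifies registry class" write that points a CLSID's in-process
# server at a DLL:  ...\CLSID\{guid}\InProcServer32\ = "<dll>" <writer>
INPROC_RE = re.compile(
    r'CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32\\ = "([^"]+)" (\S+)')


def parse_wpm(text):
    """Return de-duplicated (src_pid, dst_pid, src_image) edges in report order.

    The sandbox logs every WriteProcessMemory call, so a parent that writes
    its child's startup data four times appears four times; keep one edge.
    """
    edges = []
    for src, dst, image, _target in WPM_RE.findall(text):
        edge = (int(src), int(dst), image)
        if edge not in edges:
            edges.append(edge)
    return edges


def build_chain(edges):
    """Follow src->dst edges from the single root to rebuild the spawn chain.

    Returns [(pid, image), ...]. The last process never wrote to a child,
    so this event type carries no image for it and it is reported as None.
    """
    image_of = {src: image for src, _, image in edges}
    child_of = {src: dst for src, dst, _ in edges}
    targets = {dst for _, dst, _ in edges}
    roots = {src for src, _, _ in edges if src not in targets}
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {sorted(roots)}")
    chain, pid, seen = [], roots.pop(), set()
    while pid is not None and pid not in seen:  # seen guards against cycles
        seen.add(pid)
        chain.append((pid, image_of.get(pid)))
        pid = child_of.get(pid)
    return chain


def inproc_servers(text):
    """Map each CLSID whose InProcServer32 was rewritten to its (dll, writer)
    pairs, collapsing the report's doubled backslashes to real paths."""
    servers = defaultdict(list)
    for clsid, dll, writer in INPROC_RE.findall(text):
        servers[clsid.upper()].append((dll.replace("\\\\", "\\"), writer))
    return dict(servers)


def unique_dlls(servers):
    """Sorted set of DLL paths to hunt for on disk."""
    return sorted({dll for pairs in servers.values() for dll, _ in pairs})


def triage(wpm_text, reg_text):
    """One summary a responder can act on: chain plus persistence targets."""
    chain = build_chain(parse_wpm(wpm_text))
    servers = inproc_servers(reg_text)
    return {"spawn_depth": len(chain), "chain": chain,
            "hijacked_clsids": sorted(servers), "dlls": unique_dlls(servers)}


# Constructed excerpts of this report's two lists: the first four spawns
# (each logged four times) and four of the CLSID writes.
SAMPLE = "b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9.exe"
SAMPLE_WPM = " ".join(
    [f"PID 2552 wrote to memory of 2192 2552 {SAMPLE} 29"] * 4
    + ["PID 2192 wrote to memory of 988 2192 Dnpedghl.exe 30"] * 4
    + ["PID 988 wrote to memory of 2428 988 Dlfbck32.exe 31"] * 4
    + ["PID 2428 wrote to memory of 2860 2428 Djkodg32.exe 32"] * 4
)
SAMPLE_REG = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lagknhgp.dll" Bjclfmfe.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnfnlk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ooabjbdn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbcpo32.dll" Lepfoe32.exe
"""

if __name__ == "__main__":
    report = triage(SAMPLE_WPM, SAMPLE_REG)
    for pid, image in report["chain"]:
        print(f"{pid:>5}  {image or '(leaf: no outgoing write in this list)'}")
    for clsid in report["hijacked_clsids"]:
        print(clsid, "->", ", ".join(report["dlls"]))
```

Each dropped EXE in this report writes to exactly one child, so the chain is linear and the root check raises if the list ever contains more than one origin. The DLL set is the hunt list: every name in it was written to SysWOW64 by one of the chain's processes and then registered as the CLSID's in-process server, so a clean host should have neither the file nor the registry value.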
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9.exe"C:\Users\Admin\AppData\Local\Temp\b7bfbe535d0ee0c9ebbcc8e3e58d2b23af6242307cb495ce549d0af906e89ed9.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Dnpedghl.exeC:\Windows\system32\Dnpedghl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Dlfbck32.exeC:\Windows\system32\Dlfbck32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\Djkodg32.exeC:\Windows\system32\Djkodg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Ejmljg32.exeC:\Windows\system32\Ejmljg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Eibikc32.exeC:\Windows\system32\Eibikc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Effidg32.exeC:\Windows\system32\Effidg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Eelfedpa.exeC:\Windows\system32\Eelfedpa.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Eenckc32.exeC:\Windows\system32\Eenckc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Fholmo32.exeC:\Windows\system32\Fholmo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Fhaibnim.exeC:\Windows\system32\Fhaibnim.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Fhfbmn32.exeC:\Windows\system32\Fhfbmn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Fmbkfd32.exeC:\Windows\system32\Fmbkfd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Glhhgahg.exeC:\Windows\system32\Glhhgahg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Gngdadoj.exeC:\Windows\system32\Gngdadoj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Gcfioj32.exeC:\Windows\system32\Gcfioj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Gdjblboj.exeC:\Windows\system32\Gdjblboj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Hkfgnldd.exeC:\Windows\system32\Hkfgnldd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Hdailaib.exeC:\Windows\system32\Hdailaib.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Hdcebagp.exeC:\Windows\system32\Hdcebagp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Hmojfcdk.exeC:\Windows\system32\Hmojfcdk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Iiekkdjo.exeC:\Windows\system32\Iiekkdjo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348 -
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Ikfdmogp.exeC:\Windows\system32\Ikfdmogp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Ikhqbo32.exeC:\Windows\system32\Ikhqbo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Iofiimkd.exeC:\Windows\system32\Iofiimkd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe27⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Jnncoini.exeC:\Windows\system32\Jnncoini.exe28⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Jfigdl32.exeC:\Windows\system32\Jfigdl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Jcmhmp32.exeC:\Windows\system32\Jcmhmp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Jijqeg32.exeC:\Windows\system32\Jijqeg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Jilmkffb.exeC:\Windows\system32\Jilmkffb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Kmjfae32.exeC:\Windows\system32\Kmjfae32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408 -
C:\Windows\SysWOW64\Kiccle32.exeC:\Windows\system32\Kiccle32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Kldlmqml.exeC:\Windows\system32\Kldlmqml.exe35⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ldangbhd.exeC:\Windows\system32\Ldangbhd.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Lddjmb32.exeC:\Windows\system32\Lddjmb32.exe37⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Lcignoki.exeC:\Windows\system32\Lcignoki.exe38⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Lpodmb32.exeC:\Windows\system32\Lpodmb32.exe39⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Lhkiae32.exeC:\Windows\system32\Lhkiae32.exe40⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Mognco32.exeC:\Windows\system32\Mognco32.exe41⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Mhobldaf.exeC:\Windows\system32\Mhobldaf.exe42⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Mdfcaegj.exeC:\Windows\system32\Mdfcaegj.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Mkplnp32.exeC:\Windows\system32\Mkplnp32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Mdkmld32.exeC:\Windows\system32\Mdkmld32.exe45⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Nncaejie.exeC:\Windows\system32\Nncaejie.exe46⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Nhmbfhfd.exeC:\Windows\system32\Nhmbfhfd.exe47⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Ncbfcq32.exeC:\Windows\system32\Ncbfcq32.exe48⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Nkmkgc32.exeC:\Windows\system32\Nkmkgc32.exe49⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Nmmgafjh.exeC:\Windows\system32\Nmmgafjh.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Nfeljlqh.exeC:\Windows\system32\Nfeljlqh.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Nkbdbbop.exeC:\Windows\system32\Nkbdbbop.exe52⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Oqomkimg.exeC:\Windows\system32\Oqomkimg.exe53⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Oncndnlq.exeC:\Windows\system32\Oncndnlq.exe54⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Ogkbmcba.exeC:\Windows\system32\Ogkbmcba.exe55⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Onejjm32.exeC:\Windows\system32\Onejjm32.exe56⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Onggom32.exeC:\Windows\system32\Onggom32.exe57⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ocdohdfc.exeC:\Windows\system32\Ocdohdfc.exe58⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ojnhdn32.exeC:\Windows\system32\Ojnhdn32.exe59⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Opkpme32.exeC:\Windows\system32\Opkpme32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Picdejbg.exeC:\Windows\system32\Picdejbg.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Pciiccbm.exeC:\Windows\system32\Pciiccbm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Pldnge32.exeC:\Windows\system32\Pldnge32.exe63⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Pfjbdn32.exeC:\Windows\system32\Pfjbdn32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Pnefiq32.exeC:\Windows\system32\Pnefiq32.exe65⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Pikkfilp.exeC:\Windows\system32\Pikkfilp.exe66⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Pafpjljk.exeC:\Windows\system32\Pafpjljk.exe67⤵PID:948
-
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Qahlpkhh.exeC:\Windows\system32\Qahlpkhh.exe69⤵PID:1656
-
C:\Windows\SysWOW64\Qajiek32.exeC:\Windows\system32\Qajiek32.exe70⤵PID:2208
-
C:\Windows\SysWOW64\Qjcmoqlf.exeC:\Windows\system32\Qjcmoqlf.exe71⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Adkbgf32.exeC:\Windows\system32\Adkbgf32.exe72⤵
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Alfflhpa.exeC:\Windows\system32\Alfflhpa.exe73⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Adnomfqc.exeC:\Windows\system32\Adnomfqc.exe74⤵PID:2900
-
C:\Windows\SysWOW64\Aijgemok.exeC:\Windows\system32\Aijgemok.exe75⤵PID:2796
-
C:\Windows\SysWOW64\Apdobg32.exeC:\Windows\system32\Apdobg32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Aeahjn32.exeC:\Windows\system32\Aeahjn32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Ahpdficc.exeC:\Windows\system32\Ahpdficc.exe78⤵PID:2920
-
C:\Windows\SysWOW64\Aahhoo32.exeC:\Windows\system32\Aahhoo32.exe79⤵PID:1568
-
C:\Windows\SysWOW64\Almmlg32.exeC:\Windows\system32\Almmlg32.exe80⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Abgeiaaf.exeC:\Windows\system32\Abgeiaaf.exe81⤵PID:2068
-
C:\Windows\SysWOW64\Aefaemqj.exeC:\Windows\system32\Aefaemqj.exe82⤵PID:3032
-
C:\Windows\SysWOW64\Bonenbgj.exeC:\Windows\system32\Bonenbgj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Bambjnfn.exeC:\Windows\system32\Bambjnfn.exe84⤵PID:1800
-
C:\Windows\SysWOW64\Boqbcbeh.exeC:\Windows\system32\Boqbcbeh.exe85⤵PID:1712
-
C:\Windows\SysWOW64\Bdmklico.exeC:\Windows\system32\Bdmklico.exe86⤵PID:1860
-
C:\Windows\SysWOW64\Baakem32.exeC:\Windows\system32\Baakem32.exe87⤵PID:1380
-
C:\Windows\SysWOW64\Bgndnd32.exeC:\Windows\system32\Bgndnd32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Blklfk32.exeC:\Windows\system32\Blklfk32.exe89⤵PID:3048
-
C:\Windows\SysWOW64\Bfcqoqeh.exeC:\Windows\system32\Bfcqoqeh.exe90⤵PID:2732
-
C:\Windows\SysWOW64\Bpieli32.exeC:\Windows\system32\Bpieli32.exe91⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Clpeajjb.exeC:\Windows\system32\Clpeajjb.exe92⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Ccinnd32.exeC:\Windows\system32\Ccinnd32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556 -
C:\Windows\SysWOW64\Cjcfjoil.exeC:\Windows\system32\Cjcfjoil.exe94⤵PID:2612
-
C:\Windows\SysWOW64\Cfjgopop.exeC:\Windows\system32\Cfjgopop.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Cldolj32.exeC:\Windows\system32\Cldolj32.exe96⤵PID:1032
-
C:\Windows\SysWOW64\Cdpdpl32.exeC:\Windows\system32\Cdpdpl32.exe97⤵PID:1372
-
C:\Windows\SysWOW64\Ckilmfke.exeC:\Windows\system32\Ckilmfke.exe98⤵PID:1016
-
C:\Windows\SysWOW64\Dqmkflcd.exeC:\Windows\system32\Dqmkflcd.exe99⤵PID:2228
-
C:\Windows\SysWOW64\Djfooa32.exeC:\Windows\system32\Djfooa32.exe100⤵PID:752
-
C:\Windows\SysWOW64\Dpbgghhl.exeC:\Windows\system32\Dpbgghhl.exe101⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Dflpdb32.exeC:\Windows\system32\Dflpdb32.exe102⤵PID:560
-
C:\Windows\SysWOW64\Dmfhqmge.exeC:\Windows\system32\Dmfhqmge.exe103⤵PID:968
-
C:\Windows\SysWOW64\Dcppmg32.exeC:\Windows\system32\Dcppmg32.exe104⤵PID:1048
-
C:\Windows\SysWOW64\Emieflec.exeC:\Windows\system32\Emieflec.exe105⤵PID:2872
-
C:\Windows\SysWOW64\Ebemnc32.exeC:\Windows\system32\Ebemnc32.exe106⤵PID:2124
-
C:\Windows\SysWOW64\Eedijo32.exeC:\Windows\system32\Eedijo32.exe107⤵PID:764
-
C:\Windows\SysWOW64\Elnagijk.exeC:\Windows\system32\Elnagijk.exe108⤵PID:1592
-
C:\Windows\SysWOW64\Eakjophb.exeC:\Windows\system32\Eakjophb.exe109⤵PID:2424
-
C:\Windows\SysWOW64\Eheblj32.exeC:\Windows\system32\Eheblj32.exe110⤵PID:2348
-
C:\Windows\SysWOW64\Ebjfiboe.exeC:\Windows\system32\Ebjfiboe.exe111⤵PID:2092
-
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe112⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Ejeknelp.exeC:\Windows\system32\Ejeknelp.exe113⤵PID:912
-
C:\Windows\SysWOW64\Eapcjo32.exeC:\Windows\system32\Eapcjo32.exe114⤵PID:2472
-
C:\Windows\SysWOW64\Ehilgikj.exeC:\Windows\system32\Ehilgikj.exe115⤵PID:2844
-
C:\Windows\SysWOW64\Fncddc32.exeC:\Windows\system32\Fncddc32.exe116⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Fhlhmi32.exeC:\Windows\system32\Fhlhmi32.exe117⤵PID:2104
-
C:\Windows\SysWOW64\Fimedaoe.exeC:\Windows\system32\Fimedaoe.exe118⤵PID:2044
-
C:\Windows\SysWOW64\Fadmenpg.exeC:\Windows\system32\Fadmenpg.exe119⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Fjlaod32.exeC:\Windows\system32\Fjlaod32.exe120⤵PID:768
-
C:\Windows\SysWOW64\Flnnfllf.exeC:\Windows\system32\Flnnfllf.exe121⤵PID:1548
-
C:\Windows\SysWOW64\Fdefgimi.exeC:\Windows\system32\Fdefgimi.exe122⤵PID:1628
-