Analysis
-
max time kernel
44s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
02/08/2024, 05:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
61b2f1853716dc27d5f1bf45b81978a0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
61b2f1853716dc27d5f1bf45b81978a0N.exe
Resource
win10v2004-20240730-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
61b2f1853716dc27d5f1bf45b81978a0N.exe
-
Size
79KB
-
MD5
61b2f1853716dc27d5f1bf45b81978a0
-
SHA1
03c5479132567f8d572815e2a961bcd8b1ede5ca
-
SHA256
3a00a31223cc6a36092c995aaf184a91f345ad553f93438c684a8608f8227946
-
SHA512
ffb268b0d042786c428249847a1ac7db27983f62bf57bb67504a8c331b5856465efe07864ef158a78f533bc23f1b0ffdba724e4033988fb8d3491010a14b26a5
-
SSDEEP
1536:y4ANhp4A3igH73lsmcX38NkUE7miFkSIgiItKq9v6DK:3ANHT3iC73lsmonUECixtBtKq9vV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfbbjdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjohmbpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmimcbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdppqbkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmhahkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agglbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfoaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgqlafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknafhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkahgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbjlhpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efedga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkmeiei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibacbcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fepjea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhahanie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfeaiime.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aclpaali.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmohco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foolgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edidqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgjkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heliepmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldmopa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmhahkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjhgbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfkmie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kindeddf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fliook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iogpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhibino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmhjdiap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdppqbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keqkofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piliii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnqlmq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjdameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndcapd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhdnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgnokgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieponofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfibhjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkbaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcfemmna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihmpinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iieepbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apmcefmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boemlbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbfhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehcij32.exe -
Executes dropped EXE 64 IoCs
pid Process 2688 Eipgjaoi.exe 2772 Fpjofl32.exe 2592 Fchkbg32.exe 2672 Feggob32.exe 2680 Fibcoalf.exe 1884 Foolgh32.exe 2912 Fgfdie32.exe 2356 Fpohakbp.exe 1716 Fapeic32.exe 264 Felajbpg.exe 2736 Fhjmfnok.exe 1840 Fkhibino.exe 2968 Fcpacf32.exe 2440 Fdqnkoep.exe 2408 Flhflleb.exe 1640 Fnibcd32.exe 1364 Fepjea32.exe 2120 Ghofam32.exe 1256 Gkmbmh32.exe 1340 Goiongbc.exe 1252 Gpjkeoha.exe 2080 Gkoobhhg.exe 2040 Gnnlocgk.exe 2644 Gkalhgfd.exe 600 Gnphdceh.exe 1700 Gqodqodl.exe 2712 Gfkmie32.exe 2948 Gnbejb32.exe 2580 Godaakic.exe 2572 Gjifodii.exe 2600 Ghlfjq32.exe 3044 Hbdjcffd.exe 2596 Hjlbdc32.exe 1508 Hohkmj32.exe 800 Hbggif32.exe 528 Hfbcidmk.exe 1732 Hkolakkb.exe 1836 Hnnhngjf.exe 2132 Hbidne32.exe 2036 Hkahgk32.exe 2140 Homdhjai.exe 712 Hghillnd.exe 2516 Hkdemk32.exe 956 Haqnea32.exe 1720 Heliepmn.exe 1500 Hgkfal32.exe 112 Ikfbbjdj.exe 2016 Indnnfdn.exe 2800 Imgnjb32.exe 1584 Iacjjacb.exe 2676 Icafgmbe.exe 2636 Igmbgk32.exe 2612 Imjkpb32.exe 1756 Iphgln32.exe 2880 Igoomk32.exe 2656 Ijnkifgp.exe 1616 Imlhebfc.exe 1636 Ipjdameg.exe 772 Ibipmiek.exe 2976 Ijphofem.exe 1356 Imodkadq.exe 2092 Iladfn32.exe 2060 Ichmgl32.exe 960 Ibkmchbh.exe -
Loads dropped DLL 64 IoCs
pid Process 1904 61b2f1853716dc27d5f1bf45b81978a0N.exe 1904 61b2f1853716dc27d5f1bf45b81978a0N.exe 2688 Eipgjaoi.exe 2688 Eipgjaoi.exe 2772 Fpjofl32.exe 2772 Fpjofl32.exe 2592 Fchkbg32.exe 2592 Fchkbg32.exe 2672 Feggob32.exe 2672 Feggob32.exe 2680 Fibcoalf.exe 2680 Fibcoalf.exe 1884 Foolgh32.exe 1884 Foolgh32.exe 2912 Fgfdie32.exe 2912 Fgfdie32.exe 2356 Fpohakbp.exe 2356 Fpohakbp.exe 1716 Fapeic32.exe 1716 Fapeic32.exe 264 Felajbpg.exe 264 Felajbpg.exe 2736 Fhjmfnok.exe 2736 Fhjmfnok.exe 1840 Fkhibino.exe 1840 Fkhibino.exe 2968 Fcpacf32.exe 2968 Fcpacf32.exe 2440 Fdqnkoep.exe 2440 Fdqnkoep.exe 2408 Flhflleb.exe 2408 Flhflleb.exe 1640 Fnibcd32.exe 1640 Fnibcd32.exe 1364 Fepjea32.exe 1364 Fepjea32.exe 2120 Ghofam32.exe 2120 Ghofam32.exe 1256 Gkmbmh32.exe 1256 Gkmbmh32.exe 1340 Goiongbc.exe 1340 Goiongbc.exe 1252 Gpjkeoha.exe 1252 Gpjkeoha.exe 2080 Gkoobhhg.exe 2080 Gkoobhhg.exe 2040 Gnnlocgk.exe 2040 Gnnlocgk.exe 2644 Gkalhgfd.exe 2644 Gkalhgfd.exe 600 Gnphdceh.exe 600 Gnphdceh.exe 1700 Gqodqodl.exe 1700 Gqodqodl.exe 2712 Gfkmie32.exe 2712 Gfkmie32.exe 2948 Gnbejb32.exe 2948 Gnbejb32.exe 2580 Godaakic.exe 2580 Godaakic.exe 2572 Gjifodii.exe 2572 Gjifodii.exe 2600 Ghlfjq32.exe 2600 Ghlfjq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ijaaae32.exe Iknafhjb.exe File created C:\Windows\SysWOW64\Bdkhjgeh.exe Bqolji32.exe File created C:\Windows\SysWOW64\Kbpbmkan.exe Kpafapbk.exe File created C:\Windows\SysWOW64\Kkijcgjo.dll Mfgnnhkc.exe File opened for modification C:\Windows\SysWOW64\Kmcjedcg.exe Kigndekn.exe File created C:\Windows\SysWOW64\Qdlojdbk.dll Lanbdf32.exe File created C:\Windows\SysWOW64\Elkofg32.exe Ebckmaec.exe File created C:\Windows\SysWOW64\Ldeiojhn.dll Iaimipjl.exe File created C:\Windows\SysWOW64\Kocpbfei.exe Kjhcag32.exe File created C:\Windows\SysWOW64\Lffkcfke.dll Omckoi32.exe File created C:\Windows\SysWOW64\Piliii32.exe Pjihmmbk.exe File created C:\Windows\SysWOW64\Lnhjhg32.dll Boemlbpk.exe File opened for modification C:\Windows\SysWOW64\Gkmbmh32.exe Ghofam32.exe File opened for modification C:\Windows\SysWOW64\Adfbpega.exe Aahfdihn.exe File opened for modification C:\Windows\SysWOW64\Elkofg32.exe Ebckmaec.exe File opened for modification C:\Windows\SysWOW64\Feggob32.exe Fchkbg32.exe File created C:\Windows\SysWOW64\Looghene.dll Jijokbfp.exe File created C:\Windows\SysWOW64\Ahfalc32.dll Qkielpdf.exe File opened for modification C:\Windows\SysWOW64\Joidhh32.exe Jlkglm32.exe File opened for modification C:\Windows\SysWOW64\Mneohj32.exe Mobomnoq.exe File created C:\Windows\SysWOW64\Ikeebbaa.dll Gncnmane.exe File created C:\Windows\SysWOW64\Hgqlafap.exe Hcepqh32.exe File opened for modification C:\Windows\SysWOW64\Cfckcoen.exe Cceogcfj.exe File created C:\Windows\SysWOW64\Hmmdin32.exe Hjohmbpd.exe File opened for modification C:\Windows\SysWOW64\Jpepkk32.exe Jabponba.exe File created C:\Windows\SysWOW64\Bjkeingq.dll Jfieigio.exe File created C:\Windows\SysWOW64\Qdompf32.exe Qaapcj32.exe File created C:\Windows\SysWOW64\Dncibp32.exe Dppigchi.exe File created C:\Windows\SysWOW64\Ebepdj32.dll Elkofg32.exe File created C:\Windows\SysWOW64\Ejcmmp32.exe Eblelb32.exe File created C:\Windows\SysWOW64\Jigbebhb.exe Jfieigio.exe File opened for modification C:\Windows\SysWOW64\Cgidfcdk.exe Bdkhjgeh.exe File created C:\Windows\SysWOW64\Gacdld32.dll Fcqjfeja.exe File created C:\Windows\SysWOW64\Bodilc32.dll Kkjpggkn.exe File created C:\Windows\SysWOW64\Gnnlocgk.exe Gkoobhhg.exe File created C:\Windows\SysWOW64\Kjigmkld.dll Akpkmo32.exe File created C:\Windows\SysWOW64\Bolcma32.exe Bgdkkc32.exe File created C:\Windows\SysWOW64\Eojlbb32.exe Elkofg32.exe File opened for modification C:\Windows\SysWOW64\Jplfkjbd.exe Jhenjmbb.exe File created C:\Windows\SysWOW64\Klkpdn32.dll Mkfclo32.exe File created C:\Windows\SysWOW64\Gpjkeoha.exe Goiongbc.exe File created C:\Windows\SysWOW64\Elnfdpam.dll Cqfbjhgf.exe File opened for modification C:\Windows\SysWOW64\Dppigchi.exe Dkdmfe32.exe File created C:\Windows\SysWOW64\Ekliqn32.dll Glpepj32.exe File created C:\Windows\SysWOW64\Pgejcl32.dll Hjohmbpd.exe File created C:\Windows\SysWOW64\Cfanmogq.exe Ccbbachm.exe File created C:\Windows\SysWOW64\Fkefbcmf.exe Fhgifgnb.exe File created C:\Windows\SysWOW64\Kqmidcdi.dll Kljdkpfl.exe File created C:\Windows\SysWOW64\Gljmpigg.dll Mdmkoepk.exe File created C:\Windows\SysWOW64\Bqolji32.exe Bnapnm32.exe File opened for modification C:\Windows\SysWOW64\Dihmpinj.exe Demaoj32.exe File created C:\Windows\SysWOW64\Qofpqofd.dll Aphjjf32.exe File opened for modification C:\Windows\SysWOW64\Bhonjg32.exe Bddbjhlp.exe File created C:\Windows\SysWOW64\Giaidnkf.exe Gcgqgd32.exe File created C:\Windows\SysWOW64\Gjpehnpj.dll Fapeic32.exe File created C:\Windows\SysWOW64\Ellqil32.dll Dhpgfeao.exe File created C:\Windows\SysWOW64\Japciodd.exe Jnagmc32.exe File created C:\Windows\SysWOW64\Lklfipaq.dll Joggci32.exe File created C:\Windows\SysWOW64\Aeqbijmn.dll Nflchkii.exe File opened for modification C:\Windows\SysWOW64\Jhdegn32.exe Jpmmfp32.exe File created C:\Windows\SysWOW64\Jlhkgm32.exe Jijokbfp.exe File created C:\Windows\SysWOW64\Keqkofno.exe Kgnkci32.exe File created C:\Windows\SysWOW64\Hbiooq32.dll Laqojfli.exe File opened for modification C:\Windows\SysWOW64\Lkicbk32.exe Lcblan32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5860 5760 WerFault.exe 561 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkeohhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khjgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mciabmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mflgih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaapcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceogcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakhdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojlbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibacbcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libjncnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhahkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adaiee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgfkhpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icafgmbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehgjfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojhafnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjdameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbfbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcqjfeja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baefnmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkfal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfaeme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghillnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igoomk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpfplo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keioca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fepjea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggggoda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgghac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnglnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdppqbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkolakkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbnhihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhahanie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppinkcnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaoclgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnagmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcbnpgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpfjomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keeeje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpggei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplfkjbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbbmnhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeoaffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfkba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdffoij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picojhcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqfbjhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkoobhhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbggif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjefamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeqga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feddombd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaapa32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjifodii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejcmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddmidgbj.dll" Fgfdie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elbafomj.dll" Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhonjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahknna32.dll" Jhdegn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfeaiime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjdhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmkihbho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbeedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqokpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elkofg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmhahkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfkmie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlkglm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdmngfm.dll" Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpoenh32.dll" Lhhkapeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bacihmoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eneegl32.dll" Piliii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feggob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diodocki.dll" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdkhjgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbceme32.dll" Gpggei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Homdhjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faffik32.dll" Bnochnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbclgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmidcdi.dll" Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pacajg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifaid32.dll" Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobfbpbc.dll" Ckbpqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicaikhj.dll" Fdpgph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnnlocgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkdffoij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmcopebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apmcefmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kekkiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elibpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onnnml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmmneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqdgom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkpqlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omckoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnnhngjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokhie32.dll" Nijpdfhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imldmnjj.dll" Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpkcb32.dll" Hqgddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Injqmdki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll" Kadica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnehm32.dll" Bacihmoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddgloho.dll" Mnglnj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1904 wrote to memory of 2688 1904 61b2f1853716dc27d5f1bf45b81978a0N.exe 31 PID 1904 wrote to memory of 2688 1904 61b2f1853716dc27d5f1bf45b81978a0N.exe 31 PID 1904 wrote to memory of 2688 1904 61b2f1853716dc27d5f1bf45b81978a0N.exe 31 PID 1904 wrote to memory of 2688 1904 61b2f1853716dc27d5f1bf45b81978a0N.exe 31 PID 2688 wrote to memory of 2772 2688 Eipgjaoi.exe 32 PID 2688 wrote to memory of 2772 2688 Eipgjaoi.exe 32 PID 2688 wrote to memory of 2772 2688 Eipgjaoi.exe 32 PID 2688 wrote to memory of 2772 2688 Eipgjaoi.exe 32 PID 2772 wrote to memory of 2592 2772 Fpjofl32.exe 33 PID 2772 wrote to memory of 2592 2772 Fpjofl32.exe 33 PID 2772 wrote to memory of 2592 2772 Fpjofl32.exe 33 PID 2772 wrote to memory of 2592 2772 Fpjofl32.exe 33 PID 2592 wrote to memory of 2672 2592 Fchkbg32.exe 34 PID 2592 wrote to memory of 2672 2592 Fchkbg32.exe 34 PID 2592 wrote to memory of 2672 2592 Fchkbg32.exe 34 PID 2592 wrote to memory of 2672 2592 Fchkbg32.exe 34 PID 2672 wrote to memory of 2680 2672 Feggob32.exe 35 PID 2672 wrote to memory of 2680 2672 Feggob32.exe 35 PID 2672 wrote to memory of 2680 2672 Feggob32.exe 35 PID 2672 wrote to memory of 2680 2672 Feggob32.exe 35 PID 2680 wrote to memory of 1884 2680 Fibcoalf.exe 36 PID 2680 wrote to memory of 1884 2680 Fibcoalf.exe 36 PID 2680 wrote to memory of 1884 2680 Fibcoalf.exe 36 PID 2680 wrote to memory of 1884 2680 Fibcoalf.exe 36 PID 1884 wrote to memory of 2912 1884 Foolgh32.exe 37 PID 1884 wrote to memory of 2912 1884 Foolgh32.exe 37 PID 1884 wrote to memory of 2912 1884 Foolgh32.exe 37 PID 1884 wrote to memory of 2912 1884 Foolgh32.exe 37 PID 2912 wrote to memory of 2356 2912 Fgfdie32.exe 38 PID 2912 wrote to memory of 2356 2912 Fgfdie32.exe 38 PID 2912 wrote to memory of 2356 2912 Fgfdie32.exe 38 PID 2912 wrote to memory of 2356 2912 Fgfdie32.exe 38 PID 2356 wrote to memory of 1716 2356 Fpohakbp.exe 39 PID 2356 wrote to memory of 1716 2356 Fpohakbp.exe 39 PID 2356 wrote to memory of 1716 2356 Fpohakbp.exe 39 PID 2356 wrote to memory of 1716 2356 Fpohakbp.exe 39 PID 1716 wrote to memory of 264 1716 Fapeic32.exe 40 PID 1716 wrote to memory of 264 1716 Fapeic32.exe 40 PID 1716 wrote to memory of 264 1716 Fapeic32.exe 40 PID 1716 wrote to memory of 264 1716 Fapeic32.exe 40 PID 264 wrote to memory of 2736 264 Felajbpg.exe 41 PID 264 wrote to memory of 2736 264 Felajbpg.exe 41 PID 264 wrote to memory of 2736 264 Felajbpg.exe 41 PID 264 wrote to memory of 2736 264 Felajbpg.exe 41 PID 2736 wrote to memory of 1840 2736 Fhjmfnok.exe 42 PID 2736 wrote to memory of 1840 2736 Fhjmfnok.exe 42 PID 2736 wrote to memory of 1840 2736 Fhjmfnok.exe 42 PID 2736 wrote to memory of 1840 2736 Fhjmfnok.exe 42 PID 1840 wrote to memory of 2968 1840 Fkhibino.exe 43 PID 1840 wrote to memory of 2968 1840 Fkhibino.exe 43 PID 1840 wrote to memory of 2968 1840 Fkhibino.exe 43 PID 1840 wrote to memory of 2968 1840 Fkhibino.exe 43 PID 2968 wrote to memory of 2440 2968 Fcpacf32.exe 44 PID 2968 wrote to memory of 2440 2968 Fcpacf32.exe 44 PID 2968 wrote to memory of 2440 2968 Fcpacf32.exe 44 PID 2968 wrote to memory of 2440 2968 Fcpacf32.exe 44 PID 2440 wrote to memory of 2408 2440 Fdqnkoep.exe 45 PID 2440 wrote to memory of 2408 2440 Fdqnkoep.exe 45 PID 2440 wrote to memory of 2408 2440 Fdqnkoep.exe 45 PID 2440 wrote to memory of 2408 2440 Fdqnkoep.exe 45 PID 2408 wrote to memory of 1640 2408 Flhflleb.exe 46 PID 2408 wrote to memory of 1640 2408 Flhflleb.exe 46 PID 2408 wrote to memory of 1640 2408 Flhflleb.exe 46 PID 2408 wrote to memory of 1640 2408 Flhflleb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\61b2f1853716dc27d5f1bf45b81978a0N.exe"C:\Users\Admin\AppData\Local\Temp\61b2f1853716dc27d5f1bf45b81978a0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Fnibcd32.exeC:\Windows\system32\Fnibcd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1256 -
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252 -
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Gjifodii.exeC:\Windows\system32\Gjifodii.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Hbdjcffd.exeC:\Windows\system32\Hbdjcffd.exe33⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe34⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe35⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:800 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe37⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe40⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:712 -
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe44⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe45⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe49⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe50⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe51⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe53⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe54⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe55⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe57⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe58⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe60⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe61⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe62⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe63⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe64⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe65⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:912 -
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe68⤵PID:660
-
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe69⤵
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe70⤵
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe71⤵PID:2744
-
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe72⤵PID:2148
-
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe73⤵PID:2608
-
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe74⤵PID:1724
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe75⤵PID:1428
-
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe76⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe77⤵PID:1848
-
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe78⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe79⤵PID:1896
-
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe80⤵PID:2988
-
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe82⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe83⤵PID:2420
-
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe84⤵PID:1844
-
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe86⤵PID:2876
-
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe87⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe88⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe89⤵
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe90⤵PID:1060
-
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe92⤵PID:2536
-
C:\Windows\SysWOW64\Kfibhjlj.exeC:\Windows\system32\Kfibhjlj.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1284 -
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe94⤵
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe95⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Kpafapbk.exeC:\Windows\system32\Kpafapbk.exe96⤵
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Kbpbmkan.exeC:\Windows\system32\Kbpbmkan.exe97⤵PID:1964
-
C:\Windows\SysWOW64\Kenoifpb.exeC:\Windows\system32\Kenoifpb.exe98⤵PID:2444
-
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe99⤵PID:2756
-
C:\Windows\SysWOW64\Klhgfq32.exeC:\Windows\system32\Klhgfq32.exe100⤵PID:2796
-
C:\Windows\SysWOW64\Kofcbl32.exeC:\Windows\system32\Kofcbl32.exe101⤵PID:2576
-
C:\Windows\SysWOW64\Kgnkci32.exeC:\Windows\system32\Kgnkci32.exe102⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1440 -
C:\Windows\SysWOW64\Kilgoe32.exeC:\Windows\system32\Kilgoe32.exe104⤵PID:1772
-
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe106⤵
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe107⤵PID:1260
-
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe108⤵PID:1708
-
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe110⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe111⤵PID:1856
-
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe113⤵PID:2552
-
C:\Windows\SysWOW64\Llomfpag.exeC:\Windows\system32\Llomfpag.exe114⤵PID:2884
-
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe115⤵PID:2924
-
C:\Windows\SysWOW64\Laleof32.exeC:\Windows\system32\Laleof32.exe116⤵PID:2156
-
C:\Windows\SysWOW64\Legaoehg.exeC:\Windows\system32\Legaoehg.exe117⤵PID:2052
-
C:\Windows\SysWOW64\Lhfnkqgk.exeC:\Windows\system32\Lhfnkqgk.exe118⤵PID:1100
-
C:\Windows\SysWOW64\Lopfhk32.exeC:\Windows\system32\Lopfhk32.exe119⤵PID:2164
-
C:\Windows\SysWOW64\Lanbdf32.exeC:\Windows\system32\Lanbdf32.exe120⤵
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe121⤵PID:272
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-