Analysis
-
max time kernel
116s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
06-08-2024 14:40
Behavioral task
behavioral1
Sample
bd5fdb2ca98d2d0aa2c515303e539360N.exe
Resource
win7-20240704-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
bd5fdb2ca98d2d0aa2c515303e539360N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
bd5fdb2ca98d2d0aa2c515303e539360N.exe
-
Size
337KB
-
MD5
bd5fdb2ca98d2d0aa2c515303e539360
-
SHA1
af6754c49ab46fa8a2b882d74d957f63c21079f5
-
SHA256
7d5316d01dfb4863c534812b7161084e5a9b52fa6d0426b7536ce85f34860845
-
SHA512
d95a283fa51b0ecb406cf2fd59f7e67c90691a47dde3936424fa35f09e8dcc22e8fe62b8aae91dee0292992a6d29cf8a8de757dab2909426ef9f9e1039695423
-
SSDEEP
3072:lyrombgtggYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:womb2g1+fIyG5jZkCwi8r
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqknqleg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflpdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Makmnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oindpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjiiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncbilimn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkpchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbokoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmnpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hilghaqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inbobn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjnaehgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modano32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpohb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aimckl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqpgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcbabodk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkklpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giakoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckboba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Galhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jggiah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beccgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmbmkgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffokan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanhph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onggom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgqlkdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcoal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekqqea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqjfgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iojoalda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aibfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiaiooja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhdmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cekihh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoefea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekcmkamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelqff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofkoijhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qloiqcbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobgah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nonqca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejnpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kamncagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liohhbno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cekihh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heoadcmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inopce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imgija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kceganoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bncboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfodojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jccjln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlnqeeeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qegnii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahomlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jodkkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpkpie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffahgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcehpbdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiqaed32.exe -
Executes dropped EXE 64 IoCs
pid Process 1848 Dcaghm32.exe 596 Emilqb32.exe 2184 Eiplecnc.exe 2724 Edfqclni.exe 2804 Fkmhij32.exe 2528 Fmnakege.exe 2576 Fangfcki.exe 944 Gebiefle.exe 2848 Gokmnlcf.exe 1652 Hkdkhl32.exe 1460 Hgmhcm32.exe 1072 Hjnaehgj.exe 1508 Hqjfgb32.exe 1692 Ieohfemq.exe 2304 Iodlcnmf.exe 2208 Jkpfcnoe.exe 1960 Jehklc32.exe 2180 Jgidnobg.exe 2424 Jijqeg32.exe 2128 Jilmkffb.exe 812 Jpfehq32.exe 972 Kmjfae32.exe 2016 Khdgabih.exe 2260 Kalkjh32.exe 2456 Kanhph32.exe 1956 Kldlmqml.exe 3060 Kelqff32.exe 2656 Kacakgip.exe 2896 Lphnlcnh.exe 2912 Modano32.exe 2564 Mkkbcpbl.exe 2700 Mknohpqj.exe 2536 Mpjgag32.exe 1616 Mjcljlea.exe 1884 Mckpba32.exe 1836 Ncnmhajo.exe 1480 Nncaejie.exe 1808 Ngkfnp32.exe 1272 Nfqbol32.exe 568 Nkmkgc32.exe 1464 Nfcoel32.exe 2228 Nbjpjm32.exe 1700 Nonqca32.exe 2932 Oifelfni.exe 1736 Oncndnlq.exe 1296 Oemfahcn.exe 2348 Oeobfgak.exe 2056 Onggom32.exe 1704 Opicgenj.exe 3068 Ommdqi32.exe 2500 Pjqdjn32.exe 2120 Plbaafak.exe 2212 Pfgeoo32.exe 2684 Pfjbdn32.exe 2544 Pihnqj32.exe 2992 Pacbel32.exe 2808 Pligbekc.exe 2856 Pafpjljk.exe 2864 Plkchdiq.exe 1624 Qahlpkhh.exe 2592 Qdfhlggl.exe 2492 Qolmip32.exe 1688 Amaiklki.exe 1056 Adkbgf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2476 bd5fdb2ca98d2d0aa2c515303e539360N.exe 2476 bd5fdb2ca98d2d0aa2c515303e539360N.exe 1848 Dcaghm32.exe 1848 Dcaghm32.exe 596 Emilqb32.exe 596 Emilqb32.exe 2184 Eiplecnc.exe 2184 Eiplecnc.exe 2724 Edfqclni.exe 2724 Edfqclni.exe 2804 Fkmhij32.exe 2804 Fkmhij32.exe 2528 Fmnakege.exe 2528 Fmnakege.exe 2576 Fangfcki.exe 2576 Fangfcki.exe 944 Gebiefle.exe 944 Gebiefle.exe 2848 Gokmnlcf.exe 2848 Gokmnlcf.exe 1652 Hkdkhl32.exe 1652 Hkdkhl32.exe 1460 Hgmhcm32.exe 1460 Hgmhcm32.exe 1072 Hjnaehgj.exe 1072 Hjnaehgj.exe 1508 Hqjfgb32.exe 1508 Hqjfgb32.exe 1692 Ieohfemq.exe 1692 Ieohfemq.exe 2304 Iodlcnmf.exe 2304 Iodlcnmf.exe 2208 Jkpfcnoe.exe 2208 Jkpfcnoe.exe 1960 Jehklc32.exe 1960 Jehklc32.exe 2180 Jgidnobg.exe 2180 Jgidnobg.exe 2424 Jijqeg32.exe 2424 Jijqeg32.exe 2128 Jilmkffb.exe 2128 Jilmkffb.exe 812 Jpfehq32.exe 812 Jpfehq32.exe 972 Kmjfae32.exe 972 Kmjfae32.exe 2016 Khdgabih.exe 2016 Khdgabih.exe 2260 Kalkjh32.exe 2260 Kalkjh32.exe 2456 Kanhph32.exe 2456 Kanhph32.exe 1956 Kldlmqml.exe 1956 Kldlmqml.exe 3060 Kelqff32.exe 3060 Kelqff32.exe 2656 Kacakgip.exe 2656 Kacakgip.exe 2896 Lphnlcnh.exe 2896 Lphnlcnh.exe 2912 Modano32.exe 2912 Modano32.exe 2564 Mkkbcpbl.exe 2564 Mkkbcpbl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hgmhcm32.exe Hkdkhl32.exe File created C:\Windows\SysWOW64\Jpfehq32.exe Jilmkffb.exe File opened for modification C:\Windows\SysWOW64\Khdgabih.exe Kmjfae32.exe File created C:\Windows\SysWOW64\Iiogbn32.dll Flbgak32.exe File created C:\Windows\SysWOW64\Fooleekf.dll Ifajif32.exe File created C:\Windows\SysWOW64\Pfgfna32.dll Nelkme32.exe File created C:\Windows\SysWOW64\Mkkbcpbl.exe Modano32.exe File created C:\Windows\SysWOW64\Jbkagpjl.dll Nncaejie.exe File created C:\Windows\SysWOW64\Nlnqeeeh.exe Nkmdmm32.exe File created C:\Windows\SysWOW64\Pafacd32.exe Pbohmh32.exe File created C:\Windows\SysWOW64\Kmjfae32.exe Jpfehq32.exe File created C:\Windows\SysWOW64\Dfmbmkgm.exe Dldndf32.exe File created C:\Windows\SysWOW64\Ahomlb32.exe Ajkmbo32.exe File created C:\Windows\SysWOW64\Gqhkqk32.dll Hilghaqq.exe File created C:\Windows\SysWOW64\Mknohpqj.exe Mkkbcpbl.exe File created C:\Windows\SysWOW64\Lkcehkeh.exe Legmpdga.exe File opened for modification C:\Windows\SysWOW64\Bnkbcmaj.exe Bcbabodk.exe File opened for modification C:\Windows\SysWOW64\Edieng32.exe Ekqqea32.exe File created C:\Windows\SysWOW64\Jcbkhjjg.dll Cekihh32.exe File created C:\Windows\SysWOW64\Ngkfnp32.exe Nncaejie.exe File opened for modification C:\Windows\SysWOW64\Opicgenj.exe Onggom32.exe File opened for modification C:\Windows\SysWOW64\Pbfehn32.exe Pinqoh32.exe File created C:\Windows\SysWOW64\Ccmcfc32.exe Ckboba32.exe File opened for modification C:\Windows\SysWOW64\Emogdk32.exe Eqhfoj32.exe File created C:\Windows\SysWOW64\Lbgmah32.exe Liohhbno.exe File opened for modification C:\Windows\SysWOW64\Licbca32.exe Lbgmah32.exe File created C:\Windows\SysWOW64\Lglpbp32.dll Plbaafak.exe File created C:\Windows\SysWOW64\Alpppoaj.dll Abmkhmfe.exe File created C:\Windows\SysWOW64\Cgcoal32.exe Beccgi32.exe File opened for modification C:\Windows\SysWOW64\Kacakgip.exe Kelqff32.exe File created C:\Windows\SysWOW64\Kkooeblb.dll Qdfhlggl.exe File created C:\Windows\SysWOW64\Fpgmak32.exe Ffoihepa.exe File opened for modification C:\Windows\SysWOW64\Kbmahjbk.exe Kmphpc32.exe File opened for modification C:\Windows\SysWOW64\Oemfahcn.exe Oncndnlq.exe File created C:\Windows\SysWOW64\Cnifhcei.dll Dknehe32.exe File opened for modification C:\Windows\SysWOW64\Kmphpc32.exe Kplhfo32.exe File created C:\Windows\SysWOW64\Fdhlphff.exe Fjpggb32.exe File opened for modification C:\Windows\SysWOW64\Kalkjh32.exe Khdgabih.exe File opened for modification C:\Windows\SysWOW64\Fncddc32.exe Emieflec.exe File created C:\Windows\SysWOW64\Jjjfbikh.exe Jabajc32.exe File opened for modification C:\Windows\SysWOW64\Dfmbmkgm.exe Dldndf32.exe File created C:\Windows\SysWOW64\Nljikmpj.dll Jijqeg32.exe File opened for modification C:\Windows\SysWOW64\Kanhph32.exe Kalkjh32.exe File opened for modification C:\Windows\SysWOW64\Aibfik32.exe Apjbpemb.exe File opened for modification C:\Windows\SysWOW64\Fdhlphff.exe Fjpggb32.exe File created C:\Windows\SysWOW64\Mgmccnme.dll Iobbfggm.exe File created C:\Windows\SysWOW64\Licbca32.exe Lbgmah32.exe File created C:\Windows\SysWOW64\Fjchig32.dll Befcne32.exe File created C:\Windows\SysWOW64\Dmfhqmge.exe Dflpdb32.exe File created C:\Windows\SysWOW64\Lmhhcaik.exe Kgkokjjd.exe File created C:\Windows\SysWOW64\Qnjbmh32.exe Pafacd32.exe File opened for modification C:\Windows\SysWOW64\Mkkbcpbl.exe Modano32.exe File created C:\Windows\SysWOW64\Jjjlglao.dll Nkmkgc32.exe File opened for modification C:\Windows\SysWOW64\Oeobfgak.exe Oemfahcn.exe File opened for modification C:\Windows\SysWOW64\Gdbeqmag.exe Glgqlkdl.exe File opened for modification C:\Windows\SysWOW64\Hhbgkn32.exe Hnmcne32.exe File created C:\Windows\SysWOW64\Mmabiedh.dll Ofkoijhc.exe File opened for modification C:\Windows\SysWOW64\Mlfgkleh.exe Lobgah32.exe File created C:\Windows\SysWOW64\Fmicnhob.exe Ffokan32.exe File opened for modification C:\Windows\SysWOW64\Ffoihepa.exe Fncddc32.exe File opened for modification C:\Windows\SysWOW64\Hmcimq32.exe Galhhp32.exe File created C:\Windows\SysWOW64\Hnibonjd.dll Jjgbbc32.exe File opened for modification C:\Windows\SysWOW64\Kjeblf32.exe Kamncagl.exe File opened for modification C:\Windows\SysWOW64\Ngkfnp32.exe Nncaejie.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4660 4636 WerFault.exe 379 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeblf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcehpbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lphnlcnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkkbcpbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddmkkpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmahjbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kleeqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggiah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elfakg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmajkdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amalcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emogdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmicnhob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fangfcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gebiefle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbabodk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcdegqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmhhcaik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boadlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnmhajo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcedbefd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhclfphg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmhcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coehnecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giakoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofkoijhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkklpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joagkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijqeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkbgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpekln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbcjfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edkbdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbobn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dldndf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbokkagk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbokoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbmdig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckboba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocbekmpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpnakfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfeodoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbpfhpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekqqea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmhij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngkfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kplhfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanmde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkmdmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmqpinlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjfbikh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqhfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdkop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjacai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijkjde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgbpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpfcnoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfehq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdknfiea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bglghdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffoihepa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhpjfoji.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdocad32.dll" Fflehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdfhlggl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jffddfjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnhlgoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkkbcpbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibfbna32.dll" Cnekcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kplhfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liibigjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcbabodk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edghighp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qahlpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnifhcei.dll" Dknehe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffeoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgjifff.dll" Jffddfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onkmhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnahndn.dll" Cgdflb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbeiij32.dll" Jmaedolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafpjljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfjcncak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdhlphff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcedjdom.dll" Gnhlgoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmjbmidh.dll" Mpcjfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fngjmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbgdcapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgaopcqk.dll" Necandjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmmpehpj.dll" Ncnmhajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igjabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkkpnfp.dll" Igjabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkdknm32.dll" Cbokoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noiiaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbjeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaojgf32.dll" Hlebog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgidnobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pacbel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bflhik32.dll" Hmcimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icqieocn.dll" Jehklc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inopce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnmcne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aibfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imockbgm.dll" Mkkbcpbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeobfgak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgcoal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmnpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blelpeoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nijdcdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amaiklki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aogpmcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnfbp32.dll" Ahomlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjeblf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgihphj.dll" Kjeblf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcaghm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mknohpqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgidnobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcbabodk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkklpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cekihh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpjndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfoljh32.dll" Aogpmcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooleekf.dll" Ifajif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmhhcaik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfjbdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fagcnmie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aihjpman.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2476 wrote to memory of 1848 2476 bd5fdb2ca98d2d0aa2c515303e539360N.exe 28 PID 2476 wrote to memory of 1848 2476 bd5fdb2ca98d2d0aa2c515303e539360N.exe 28 PID 2476 wrote to memory of 1848 2476 bd5fdb2ca98d2d0aa2c515303e539360N.exe 28 PID 2476 wrote to memory of 1848 2476 bd5fdb2ca98d2d0aa2c515303e539360N.exe 28 PID 1848 wrote to memory of 596 1848 Dcaghm32.exe 29 PID 1848 wrote to memory of 596 1848 Dcaghm32.exe 29 PID 1848 wrote to memory of 596 1848 Dcaghm32.exe 29 PID 1848 wrote to memory of 596 1848 Dcaghm32.exe 29 PID 596 wrote to memory of 2184 596 Emilqb32.exe 30 PID 596 wrote to memory of 2184 596 Emilqb32.exe 30 PID 596 wrote to memory of 2184 596 Emilqb32.exe 30 PID 596 wrote to memory of 2184 596 Emilqb32.exe 30 PID 2184 wrote to memory of 2724 2184 Eiplecnc.exe 31 PID 2184 wrote to memory of 2724 2184 Eiplecnc.exe 31 PID 2184 wrote to memory of 2724 2184 Eiplecnc.exe 31 PID 2184 wrote to memory of 2724 2184 Eiplecnc.exe 31 PID 2724 wrote to memory of 2804 2724 Edfqclni.exe 32 PID 2724 wrote to memory of 2804 2724 Edfqclni.exe 32 PID 2724 wrote to memory of 2804 2724 Edfqclni.exe 32 PID 2724 wrote to memory of 2804 2724 Edfqclni.exe 32 PID 2804 wrote to memory of 2528 2804 Fkmhij32.exe 33 PID 2804 wrote to memory of 2528 2804 Fkmhij32.exe 33 PID 2804 wrote to memory of 2528 2804 Fkmhij32.exe 33 PID 2804 wrote to memory of 2528 2804 Fkmhij32.exe 33 PID 2528 wrote to memory of 2576 2528 Fmnakege.exe 34 PID 2528 wrote to memory of 2576 2528 Fmnakege.exe 34 PID 2528 wrote to memory of 2576 2528 Fmnakege.exe 34 PID 2528 wrote to memory of 2576 2528 Fmnakege.exe 34 PID 2576 wrote to memory of 944 2576 Fangfcki.exe 35 PID 2576 wrote to memory of 944 2576 Fangfcki.exe 35 PID 2576 wrote to memory of 944 2576 Fangfcki.exe 35 PID 2576 wrote to memory of 944 2576 Fangfcki.exe 35 PID 944 wrote to memory of 2848 944 Gebiefle.exe 36 PID 944 wrote to memory of 2848 944 Gebiefle.exe 36 PID 944 wrote to memory of 2848 944 Gebiefle.exe 36 PID 944 wrote to memory of 2848 944 Gebiefle.exe 36 PID 2848 wrote to memory of 1652 2848 Gokmnlcf.exe 37 PID 2848 wrote to memory of 1652 2848 Gokmnlcf.exe 37 PID 2848 wrote to memory of 1652 2848 Gokmnlcf.exe 37 PID 2848 wrote to memory of 1652 2848 Gokmnlcf.exe 37 PID 1652 wrote to memory of 1460 1652 Hkdkhl32.exe 38 PID 1652 wrote to memory of 1460 1652 Hkdkhl32.exe 38 PID 1652 wrote to memory of 1460 1652 Hkdkhl32.exe 38 PID 1652 wrote to memory of 1460 1652 Hkdkhl32.exe 38 PID 1460 wrote to memory of 1072 1460 Hgmhcm32.exe 39 PID 1460 wrote to memory of 1072 1460 Hgmhcm32.exe 39 PID 1460 wrote to memory of 1072 1460 Hgmhcm32.exe 39 PID 1460 wrote to memory of 1072 1460 Hgmhcm32.exe 39 PID 1072 wrote to memory of 1508 1072 Hjnaehgj.exe 40 PID 1072 wrote to memory of 1508 1072 Hjnaehgj.exe 40 PID 1072 wrote to memory of 1508 1072 Hjnaehgj.exe 40 PID 1072 wrote to memory of 1508 1072 Hjnaehgj.exe 40 PID 1508 wrote to memory of 1692 1508 Hqjfgb32.exe 41 PID 1508 wrote to memory of 1692 1508 Hqjfgb32.exe 41 PID 1508 wrote to memory of 1692 1508 Hqjfgb32.exe 41 PID 1508 wrote to memory of 1692 1508 Hqjfgb32.exe 41 PID 1692 wrote to memory of 2304 1692 Ieohfemq.exe 42 PID 1692 wrote to memory of 2304 1692 Ieohfemq.exe 42 PID 1692 wrote to memory of 2304 1692 Ieohfemq.exe 42 PID 1692 wrote to memory of 2304 1692 Ieohfemq.exe 42 PID 2304 wrote to memory of 2208 2304 Iodlcnmf.exe 43 PID 2304 wrote to memory of 2208 2304 Iodlcnmf.exe 43 PID 2304 wrote to memory of 2208 2304 Iodlcnmf.exe 43 PID 2304 wrote to memory of 2208 2304 Iodlcnmf.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd5fdb2ca98d2d0aa2c515303e539360N.exe"C:\Users\Admin\AppData\Local\Temp\bd5fdb2ca98d2d0aa2c515303e539360N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Dcaghm32.exeC:\Windows\system32\Dcaghm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Emilqb32.exeC:\Windows\system32\Emilqb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\Eiplecnc.exeC:\Windows\system32\Eiplecnc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Edfqclni.exeC:\Windows\system32\Edfqclni.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fkmhij32.exeC:\Windows\system32\Fkmhij32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Fmnakege.exeC:\Windows\system32\Fmnakege.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Fangfcki.exeC:\Windows\system32\Fangfcki.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Gebiefle.exeC:\Windows\system32\Gebiefle.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Gokmnlcf.exeC:\Windows\system32\Gokmnlcf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Hkdkhl32.exeC:\Windows\system32\Hkdkhl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Hgmhcm32.exeC:\Windows\system32\Hgmhcm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Hjnaehgj.exeC:\Windows\system32\Hjnaehgj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Hqjfgb32.exeC:\Windows\system32\Hqjfgb32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Ieohfemq.exeC:\Windows\system32\Ieohfemq.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Iodlcnmf.exeC:\Windows\system32\Iodlcnmf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Jkpfcnoe.exeC:\Windows\system32\Jkpfcnoe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Jehklc32.exeC:\Windows\system32\Jehklc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Jgidnobg.exeC:\Windows\system32\Jgidnobg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Jijqeg32.exeC:\Windows\system32\Jijqeg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Jilmkffb.exeC:\Windows\system32\Jilmkffb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Jpfehq32.exeC:\Windows\system32\Jpfehq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:812 -
C:\Windows\SysWOW64\Kmjfae32.exeC:\Windows\system32\Kmjfae32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\Khdgabih.exeC:\Windows\system32\Khdgabih.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Kalkjh32.exeC:\Windows\system32\Kalkjh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Kanhph32.exeC:\Windows\system32\Kanhph32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Kldlmqml.exeC:\Windows\system32\Kldlmqml.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Kelqff32.exeC:\Windows\system32\Kelqff32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Kacakgip.exeC:\Windows\system32\Kacakgip.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Lphnlcnh.exeC:\Windows\system32\Lphnlcnh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Modano32.exeC:\Windows\system32\Modano32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Mkkbcpbl.exeC:\Windows\system32\Mkkbcpbl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Mknohpqj.exeC:\Windows\system32\Mknohpqj.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Mpjgag32.exeC:\Windows\system32\Mpjgag32.exe34⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Mjcljlea.exeC:\Windows\system32\Mjcljlea.exe35⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Mckpba32.exeC:\Windows\system32\Mckpba32.exe36⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ncnmhajo.exeC:\Windows\system32\Ncnmhajo.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Nncaejie.exeC:\Windows\system32\Nncaejie.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Ngkfnp32.exeC:\Windows\system32\Ngkfnp32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe40⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Nkmkgc32.exeC:\Windows\system32\Nkmkgc32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Nfcoel32.exeC:\Windows\system32\Nfcoel32.exe42⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Nbjpjm32.exeC:\Windows\system32\Nbjpjm32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Nonqca32.exeC:\Windows\system32\Nonqca32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Oifelfni.exeC:\Windows\system32\Oifelfni.exe45⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Oncndnlq.exeC:\Windows\system32\Oncndnlq.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Oemfahcn.exeC:\Windows\system32\Oemfahcn.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\Oeobfgak.exeC:\Windows\system32\Oeobfgak.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Onggom32.exeC:\Windows\system32\Onggom32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Opicgenj.exeC:\Windows\system32\Opicgenj.exe50⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Ommdqi32.exeC:\Windows\system32\Ommdqi32.exe51⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Pjqdjn32.exeC:\Windows\system32\Pjqdjn32.exe52⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Plbaafak.exeC:\Windows\system32\Plbaafak.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Pfgeoo32.exeC:\Windows\system32\Pfgeoo32.exe54⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Pfjbdn32.exeC:\Windows\system32\Pfjbdn32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Pihnqj32.exeC:\Windows\system32\Pihnqj32.exe56⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Pacbel32.exeC:\Windows\system32\Pacbel32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Pligbekc.exeC:\Windows\system32\Pligbekc.exe58⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Pafpjljk.exeC:\Windows\system32\Pafpjljk.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Plkchdiq.exeC:\Windows\system32\Plkchdiq.exe60⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Qahlpkhh.exeC:\Windows\system32\Qahlpkhh.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Qdfhlggl.exeC:\Windows\system32\Qdfhlggl.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Qolmip32.exeC:\Windows\system32\Qolmip32.exe63⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Amaiklki.exeC:\Windows\system32\Amaiklki.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Adkbgf32.exeC:\Windows\system32\Adkbgf32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Aihjpman.exeC:\Windows\system32\Aihjpman.exe66⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Abpohb32.exeC:\Windows\system32\Abpohb32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1404 -
C:\Windows\SysWOW64\Aogpmcmb.exeC:\Windows\system32\Aogpmcmb.exe68⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Aimckl32.exeC:\Windows\system32\Aimckl32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Aahhoo32.exeC:\Windows\system32\Aahhoo32.exe70⤵PID:1608
-
C:\Windows\SysWOW64\Almmlg32.exeC:\Windows\system32\Almmlg32.exe71⤵PID:1596
-
C:\Windows\SysWOW64\Bdiaqj32.exeC:\Windows\system32\Bdiaqj32.exe72⤵PID:2752
-
C:\Windows\SysWOW64\Blpibghg.exeC:\Windows\system32\Blpibghg.exe73⤵PID:2652
-
C:\Windows\SysWOW64\Bdknfiea.exeC:\Windows\system32\Bdknfiea.exe74⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Bncboo32.exeC:\Windows\system32\Bncboo32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Bglghdbc.exeC:\Windows\system32\Bglghdbc.exe76⤵
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Bnfodojp.exeC:\Windows\system32\Bnfodojp.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Bgndnd32.exeC:\Windows\system32\Bgndnd32.exe78⤵PID:2860
-
C:\Windows\SysWOW64\Blklfk32.exeC:\Windows\system32\Blklfk32.exe79⤵PID:1148
-
C:\Windows\SysWOW64\Bcedbefd.exeC:\Windows\system32\Bcedbefd.exe80⤵
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Bnjipn32.exeC:\Windows\system32\Bnjipn32.exe81⤵PID:2936
-
C:\Windows\SysWOW64\Bpieli32.exeC:\Windows\system32\Bpieli32.exe82⤵PID:2404
-
C:\Windows\SysWOW64\Cjaieoko.exeC:\Windows\system32\Cjaieoko.exe83⤵PID:2096
-
C:\Windows\SysWOW64\Cblniaii.exeC:\Windows\system32\Cblniaii.exe84⤵PID:1544
-
C:\Windows\SysWOW64\Clbbfj32.exeC:\Windows\system32\Clbbfj32.exe85⤵PID:1376
-
C:\Windows\SysWOW64\Cbokoa32.exeC:\Windows\system32\Cbokoa32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Cnekcblk.exeC:\Windows\system32\Cnekcblk.exe87⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Chkpakla.exeC:\Windows\system32\Chkpakla.exe88⤵PID:3032
-
C:\Windows\SysWOW64\Coehnecn.exeC:\Windows\system32\Coehnecn.exe89⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Cdbqflae.exeC:\Windows\system32\Cdbqflae.exe90⤵PID:2704
-
C:\Windows\SysWOW64\Djoinbpm.exeC:\Windows\system32\Djoinbpm.exe91⤵PID:2568
-
C:\Windows\SysWOW64\Dddmkkpb.exeC:\Windows\system32\Dddmkkpb.exe92⤵
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Dknehe32.exeC:\Windows\system32\Dknehe32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Dqknqleg.exeC:\Windows\system32\Dqknqleg.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800 -
C:\Windows\SysWOW64\Dnonjqdq.exeC:\Windows\system32\Dnonjqdq.exe95⤵PID:432
-
C:\Windows\SysWOW64\Dfjcncak.exeC:\Windows\system32\Dfjcncak.exe96⤵
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Dqpgll32.exeC:\Windows\system32\Dqpgll32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Dflpdb32.exeC:\Windows\system32\Dflpdb32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Dmfhqmge.exeC:\Windows\system32\Dmfhqmge.exe99⤵PID:964
-
C:\Windows\SysWOW64\Emieflec.exeC:\Windows\system32\Emieflec.exe100⤵
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Fncddc32.exeC:\Windows\system32\Fncddc32.exe101⤵
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Ffoihepa.exeC:\Windows\system32\Ffoihepa.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1388 -
C:\Windows\SysWOW64\Fpgmak32.exeC:\Windows\system32\Fpgmak32.exe103⤵PID:2360
-
C:\Windows\SysWOW64\Flpkll32.exeC:\Windows\system32\Flpkll32.exe104⤵PID:2668
-
C:\Windows\SysWOW64\Ffeoid32.exeC:\Windows\system32\Ffeoid32.exe105⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Flbgak32.exeC:\Windows\system32\Flbgak32.exe106⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Gifhkpgk.exeC:\Windows\system32\Gifhkpgk.exe107⤵PID:1396
-
C:\Windows\SysWOW64\Gaamobdf.exeC:\Windows\system32\Gaamobdf.exe108⤵PID:1328
-
C:\Windows\SysWOW64\Glgqlkdl.exeC:\Windows\system32\Glgqlkdl.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Gdbeqmag.exeC:\Windows\system32\Gdbeqmag.exe110⤵PID:2104
-
C:\Windows\SysWOW64\Gklnmgic.exeC:\Windows\system32\Gklnmgic.exe111⤵PID:2392
-
C:\Windows\SysWOW64\Gpiffngk.exeC:\Windows\system32\Gpiffngk.exe112⤵PID:2344
-
C:\Windows\SysWOW64\Giakoc32.exeC:\Windows\system32\Giakoc32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Gkaghf32.exeC:\Windows\system32\Gkaghf32.exe114⤵PID:2604
-
C:\Windows\SysWOW64\Gnocdb32.exeC:\Windows\system32\Gnocdb32.exe115⤵PID:2388
-
C:\Windows\SysWOW64\Hghhngjb.exeC:\Windows\system32\Hghhngjb.exe116⤵PID:2768
-
C:\Windows\SysWOW64\Hpplfm32.exeC:\Windows\system32\Hpplfm32.exe117⤵PID:2596
-
C:\Windows\SysWOW64\Hjhaob32.exeC:\Windows\system32\Hjhaob32.exe118⤵PID:1992
-
C:\Windows\SysWOW64\Heoadcmh.exeC:\Windows\system32\Heoadcmh.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Hkljljko.exeC:\Windows\system32\Hkljljko.exe120⤵PID:2060
-
C:\Windows\SysWOW64\Hhpjfoji.exeC:\Windows\system32\Hhpjfoji.exe121⤵
- System Location Discovery: System Language Discovery
PID:1164
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-