Analysis
max time kernel: 146s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 13/08/2024, 20:41

Static task: static1

Behavioral task: behavioral1
Sample: 54f42fec0d1a79292eadd7616e5f0065ac198b6b8c0cda3d6b2fadae99da950e.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 54f42fec0d1a79292eadd7616e5f0065ac198b6b8c0cda3d6b2fadae99da950e.exe
Resource: win10v2004-20240802-en

General
Target: 54f42fec0d1a79292eadd7616e5f0065ac198b6b8c0cda3d6b2fadae99da950e.exe
Size: 896KB
MD5: 93f465d96d373fd4b54235d095028f6e
SHA1: aa6a7d8fb07406cfb36b4d4b75727378e5e95b54
SHA256: 54f42fec0d1a79292eadd7616e5f0065ac198b6b8c0cda3d6b2fadae99da950e
SHA512: ccb2a30a94c717436c70656ddf1c43965bf638dd329abf060a8c024670cdc33a0db697d6c80aaf408dd98d82e0c7503dbfaba31ff01ca0cce1b90ee42bf64ca7
SSDEEP: 12288:Ht1qWX+PdByvNv54B9f01ZmHByvNv5VwLonfBHLqF1Nw5ILonfByvNv5HV:H+uvr4B9f01ZmQvrUENOVvr1
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 6580 | pid_target 7612 | Process WerFault.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1036 wrote to memory of 2512 1036 54f42fec0d1a79292eadd7616e5f0065ac198b6b8c0cda3d6b2fadae99da950e.exe 29
PID 1036 wrote to memory of 2512 1036 54f42fec0d1a79292eadd7616e5f0065ac198b6b8c0cda3d6b2fadae99da950e.exe 29
PID 1036 wrote to memory of 2512 1036 54f42fec0d1a79292eadd7616e5f0065ac198b6b8c0cda3d6b2fadae99da950e.exe 29
PID 1036 wrote to memory of 2512 1036 54f42fec0d1a79292eadd7616e5f0065ac198b6b8c0cda3d6b2fadae99da950e.exe 29
PID 2512 wrote to memory of 1460 2512 Lkkcmqcn.exe 747
PID 2512 wrote to memory of 1460 2512 Lkkcmqcn.exe 747
PID 2512 wrote to memory of 1460 2512 Lkkcmqcn.exe 747
PID 2512 wrote to memory of 1460 2512 Lkkcmqcn.exe 747
PID 1460 wrote to memory of 2136 1460 Lnipilbb.exe 31
PID 1460 wrote to memory of 2136 1460 Lnipilbb.exe 31
PID 1460 wrote to memory of 2136 1460 Lnipilbb.exe 31
PID 1460 wrote to memory of 2136 1460 Lnipilbb.exe 31
PID 2136 wrote to memory of 2744 2136 Ldchff32.exe 790
PID 2136 wrote to memory of 2744 2136 Ldchff32.exe 790
PID 2136 wrote to memory of 2744 2136 Ldchff32.exe 790
PID 2136 wrote to memory of 2744 2136 Ldchff32.exe 790
PID 2744 wrote to memory of 2972 2744 Mfngdmgb.exe 836
PID 2744 wrote to memory of 2972 2744 Mfngdmgb.exe 836
PID 2744 wrote to memory of 2972 2744 Mfngdmgb.exe 836
PID 2744 wrote to memory of 2972 2744 Mfngdmgb.exe 836
PID 2972 wrote to memory of 2712 2972 Mcddca32.exe 783
PID 2972 wrote to memory of 2712 2972 Mcddca32.exe 783
PID 2972 wrote to memory of 2712 2972 Mcddca32.exe 783
PID 2972 wrote to memory of 2712 2972 Mcddca32.exe 783
PID 2712 wrote to memory of 2076 2712 Megmpi32.exe 35
PID 2712 wrote to memory of 2076 2712 Megmpi32.exe 35
PID 2712 wrote to memory of 2076 2712 Megmpi32.exe 35
PID 2712 wrote to memory of 2076 2712 Megmpi32.exe 35
PID 2076 wrote to memory of 2956 2076 Nldbbbno.exe 36
PID 2076 wrote to memory of 2956 2076 Nldbbbno.exe 36
PID 2076 wrote to memory of 2956 2076 Nldbbbno.exe 36
PID 2076 wrote to memory of 2956 2076 Nldbbbno.exe 36
PID 2956 wrote to memory of 304 2956 Naqkki32.exe 37
PID 2956 wrote to memory of 304 2956 Naqkki32.exe 37
PID 2956 wrote to memory of 304 2956 Naqkki32.exe 37
PID 2956 wrote to memory of 304 2956 Naqkki32.exe 37
PID 304 wrote to memory of 1684 304 Njiocobg.exe 38
PID 304 wrote to memory of 1684 304 Njiocobg.exe 38
PID 304 wrote to memory of 1684 304 Njiocobg.exe 38
PID 304 wrote to memory of 1684 304 Njiocobg.exe 38
PID 1684 wrote to memory of 1140 1684 Ndfmgdeb.exe 39
PID 1684 wrote to memory of 1140 1684 Ndfmgdeb.exe 39
PID 1684 wrote to memory of 1140 1684 Ndfmgdeb.exe 39
PID 1684 wrote to memory of 1140 1684 Ndfmgdeb.exe 39
PID 1140 wrote to memory of 2852 1140 Ofdicodf.exe 40
PID 1140 wrote to memory of 2852 1140 Ofdicodf.exe 40
PID 1140 wrote to memory of 2852 1140 Ofdicodf.exe 40
PID 1140 wrote to memory of 2852 1140 Ofdicodf.exe 40
PID 2852 wrote to memory of 1060 2852 Omnapi32.exe 41
PID 2852 wrote to memory of 1060 2852 Omnapi32.exe 41
PID 2852 wrote to memory of 1060 2852 Omnapi32.exe 41
PID 2852 wrote to memory of 1060 2852 Omnapi32.exe 41
PID 1060 wrote to memory of 1420 1060 Opmnle32.exe 42
PID 1060 wrote to memory of 1420 1060 Opmnle32.exe 42
PID 1060 wrote to memory of 1420 1060 Opmnle32.exe 42
PID 1060 wrote to memory of 1420 1060 Opmnle32.exe 42
PID 1420 wrote to memory of 2132 1420 Oejfelin.exe 43
PID 1420 wrote to memory of 2132 1420 Oejfelin.exe 43
PID 1420 wrote to memory of 2132 1420 Oejfelin.exe 43
PID 1420 wrote to memory of 2132 1420 Oejfelin.exe 43
PID 2132 wrote to memory of 2896 2132 Pajjpk32.exe 44
PID 2132 wrote to memory of 2896 2132 Pajjpk32.exe 44
PID 2132 wrote to memory of 2896 2132 Pajjpk32.exe 44
PID 2132 wrote to memory of 2896 2132 Pajjpk32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\54f42fec0d1a79292eadd7616e5f0065ac198b6b8c0cda3d6b2fadae99da950e.exe"C:\Users\Admin\AppData\Local\Temp\54f42fec0d1a79292eadd7616e5f0065ac198b6b8c0cda3d6b2fadae99da950e.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Lkkcmqcn.exeC:\Windows\system32\Lkkcmqcn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Lnipilbb.exeC:\Windows\system32\Lnipilbb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Ldchff32.exeC:\Windows\system32\Ldchff32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Mfngdmgb.exeC:\Windows\system32\Mfngdmgb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Mcddca32.exeC:\Windows\system32\Mcddca32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Megmpi32.exeC:\Windows\system32\Megmpi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Nldbbbno.exeC:\Windows\system32\Nldbbbno.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Naqkki32.exeC:\Windows\system32\Naqkki32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Njiocobg.exeC:\Windows\system32\Njiocobg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\SysWOW64\Ndfmgdeb.exeC:\Windows\system32\Ndfmgdeb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Ofdicodf.exeC:\Windows\system32\Ofdicodf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Omnapi32.exeC:\Windows\system32\Omnapi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Opmnle32.exeC:\Windows\system32\Opmnle32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Oejfelin.exeC:\Windows\system32\Oejfelin.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Pajjpk32.exeC:\Windows\system32\Pajjpk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Pdhflg32.exeC:\Windows\system32\Pdhflg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Pkboiamh.exeC:\Windows\system32\Pkboiamh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Palgek32.exeC:\Windows\system32\Palgek32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Ppogahko.exeC:\Windows\system32\Ppogahko.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Pigkjmap.exeC:\Windows\system32\Pigkjmap.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Ppacfg32.exeC:\Windows\system32\Ppacfg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Pdmpgfae.exeC:\Windows\system32\Pdmpgfae.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Pgklcaqi.exeC:\Windows\system32\Pgklcaqi.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Qhoeqide.exeC:\Windows\system32\Qhoeqide.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Qpfmageg.exeC:\Windows\system32\Qpfmageg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Qcdinbdk.exeC:\Windows\system32\Qcdinbdk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Qecejnco.exeC:\Windows\system32\Qecejnco.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Qaifoo32.exeC:\Windows\system32\Qaifoo32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Adhbkj32.exeC:\Windows\system32\Adhbkj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Alojlgii.exeC:\Windows\system32\Alojlgii.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Anpgdp32.exeC:\Windows\system32\Anpgdp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Aalcdngp.exeC:\Windows\system32\Aalcdngp.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Agikmeeg.exeC:\Windows\system32\Agikmeeg.exe34⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Abnpjnem.exeC:\Windows\system32\Abnpjnem.exe35⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Admlfida.exeC:\Windows\system32\Admlfida.exe36⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Anepooja.exeC:\Windows\system32\Anepooja.exe37⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Aqcmkjje.exeC:\Windows\system32\Aqcmkjje.exe38⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Adoili32.exeC:\Windows\system32\Adoili32.exe39⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Ajladp32.exeC:\Windows\system32\Ajladp32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Amjmpk32.exeC:\Windows\system32\Amjmpk32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Adaeai32.exeC:\Windows\system32\Adaeai32.exe42⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Bmacqj32.exeC:\Windows\system32\Bmacqj32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Boppmf32.exeC:\Windows\system32\Boppmf32.exe44⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Bpdihedp.exeC:\Windows\system32\Bpdihedp.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Bngicb32.exeC:\Windows\system32\Bngicb32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Baeepm32.exeC:\Windows\system32\Baeepm32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Beaaplbg.exeC:\Windows\system32\Beaaplbg.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Cbebjpaa.exeC:\Windows\system32\Cbebjpaa.exe49⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Cahbem32.exeC:\Windows\system32\Cahbem32.exe50⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Cajokmfi.exeC:\Windows\system32\Cajokmfi.exe51⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Ccikghel.exeC:\Windows\system32\Ccikghel.exe52⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Cgdggg32.exeC:\Windows\system32\Cgdggg32.exe53⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Camlpldf.exeC:\Windows\system32\Camlpldf.exe54⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Cgfdmf32.exeC:\Windows\system32\Cgfdmf32.exe55⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Cjepib32.exeC:\Windows\system32\Cjepib32.exe56⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Cmclem32.exeC:\Windows\system32\Cmclem32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Ccmdbg32.exeC:\Windows\system32\Ccmdbg32.exe58⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Cjgmoahd.exeC:\Windows\system32\Cjgmoahd.exe59⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Dfnncb32.exeC:\Windows\system32\Dfnncb32.exe60⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Dlkfli32.exeC:\Windows\system32\Dlkfli32.exe61⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Diofenki.exeC:\Windows\system32\Diofenki.exe62⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Dlmcaijm.exeC:\Windows\system32\Dlmcaijm.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Dolondiq.exeC:\Windows\system32\Dolondiq.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Dajkjphd.exeC:\Windows\system32\Dajkjphd.exe65⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Deegjo32.exeC:\Windows\system32\Deegjo32.exe66⤵
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Dhdcfj32.exeC:\Windows\system32\Dhdcfj32.exe67⤵PID:1040
-
C:\Windows\SysWOW64\Dkbpbe32.exeC:\Windows\system32\Dkbpbe32.exe68⤵PID:2264
-
C:\Windows\SysWOW64\Dbihccpg.exeC:\Windows\system32\Dbihccpg.exe69⤵PID:2768
-
C:\Windows\SysWOW64\Dehdpnok.exeC:\Windows\system32\Dehdpnok.exe70⤵PID:2976
-
C:\Windows\SysWOW64\Dlblmh32.exeC:\Windows\system32\Dlblmh32.exe71⤵PID:2664
-
C:\Windows\SysWOW64\Dophid32.exeC:\Windows\system32\Dophid32.exe72⤵PID:2944
-
C:\Windows\SysWOW64\Daoeeo32.exeC:\Windows\system32\Daoeeo32.exe73⤵PID:264
-
C:\Windows\SysWOW64\Dhimaill.exeC:\Windows\system32\Dhimaill.exe74⤵PID:2648
-
C:\Windows\SysWOW64\Dglmmf32.exeC:\Windows\system32\Dglmmf32.exe75⤵PID:1944
-
C:\Windows\SysWOW64\Emeejpjc.exeC:\Windows\system32\Emeejpjc.exe76⤵PID:884
-
C:\Windows\SysWOW64\Eaaajo32.exeC:\Windows\system32\Eaaajo32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Ehkjgi32.exeC:\Windows\system32\Ehkjgi32.exe78⤵PID:1964
-
C:\Windows\SysWOW64\Ekifcd32.exeC:\Windows\system32\Ekifcd32.exe79⤵PID:2872
-
C:\Windows\SysWOW64\Eilfoapg.exeC:\Windows\system32\Eilfoapg.exe80⤵PID:1960
-
C:\Windows\SysWOW64\Emhbop32.exeC:\Windows\system32\Emhbop32.exe81⤵PID:1980
-
C:\Windows\SysWOW64\Epfnkk32.exeC:\Windows\system32\Epfnkk32.exe82⤵PID:3068
-
C:\Windows\SysWOW64\Ecdkgg32.exeC:\Windows\system32\Ecdkgg32.exe83⤵PID:2472
-
C:\Windows\SysWOW64\Ephkak32.exeC:\Windows\system32\Ephkak32.exe84⤵PID:2176
-
C:\Windows\SysWOW64\Ecggmfde.exeC:\Windows\system32\Ecggmfde.exe85⤵PID:2396
-
C:\Windows\SysWOW64\Eiapjq32.exeC:\Windows\system32\Eiapjq32.exe86⤵PID:2692
-
C:\Windows\SysWOW64\Elolfl32.exeC:\Windows\system32\Elolfl32.exe87⤵PID:1936
-
C:\Windows\SysWOW64\Eonhbg32.exeC:\Windows\system32\Eonhbg32.exe88⤵PID:1360
-
C:\Windows\SysWOW64\Egepce32.exeC:\Windows\system32\Egepce32.exe89⤵PID:3044
-
C:\Windows\SysWOW64\Eiclop32.exeC:\Windows\system32\Eiclop32.exe90⤵PID:2868
-
C:\Windows\SysWOW64\Elahkl32.exeC:\Windows\system32\Elahkl32.exe91⤵PID:2424
-
C:\Windows\SysWOW64\Eopehg32.exeC:\Windows\system32\Eopehg32.exe92⤵PID:2096
-
C:\Windows\SysWOW64\Fejmda32.exeC:\Windows\system32\Fejmda32.exe93⤵PID:2044
-
C:\Windows\SysWOW64\Fhhiqm32.exeC:\Windows\system32\Fhhiqm32.exe94⤵PID:2448
-
C:\Windows\SysWOW64\Fldeakgp.exeC:\Windows\system32\Fldeakgp.exe95⤵
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\Fcnmne32.exeC:\Windows\system32\Fcnmne32.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Fdojendk.exeC:\Windows\system32\Fdojendk.exe97⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Fkibbh32.exeC:\Windows\system32\Fkibbh32.exe98⤵
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Foencfda.exeC:\Windows\system32\Foencfda.exe99⤵
- Drops file in System32 directory
PID:948 -
C:\Windows\SysWOW64\Facjobce.exeC:\Windows\system32\Facjobce.exe100⤵PID:1616
-
C:\Windows\SysWOW64\Feofpqkn.exeC:\Windows\system32\Feofpqkn.exe101⤵PID:2060
-
C:\Windows\SysWOW64\Fgpcgi32.exeC:\Windows\system32\Fgpcgi32.exe102⤵PID:2652
-
C:\Windows\SysWOW64\Fknlmggc.exeC:\Windows\system32\Fknlmggc.exe103⤵PID:3004
-
C:\Windows\SysWOW64\Fjqlid32.exeC:\Windows\system32\Fjqlid32.exe104⤵PID:1160
-
C:\Windows\SysWOW64\Fnlhibff.exeC:\Windows\system32\Fnlhibff.exe105⤵PID:2260
-
C:\Windows\SysWOW64\Fqkdenfj.exeC:\Windows\system32\Fqkdenfj.exe106⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Fcipaien.exeC:\Windows\system32\Fcipaien.exe107⤵PID:1972
-
C:\Windows\SysWOW64\Fkphcg32.exeC:\Windows\system32\Fkphcg32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Fnodob32.exeC:\Windows\system32\Fnodob32.exe109⤵PID:1996
-
C:\Windows\SysWOW64\Gqmqkn32.exeC:\Windows\system32\Gqmqkn32.exe110⤵PID:1784
-
C:\Windows\SysWOW64\Gckmgi32.exeC:\Windows\system32\Gckmgi32.exe111⤵PID:2736
-
C:\Windows\SysWOW64\Gfjicd32.exeC:\Windows\system32\Gfjicd32.exe112⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Gnaadb32.exeC:\Windows\system32\Gnaadb32.exe113⤵PID:1348
-
C:\Windows\SysWOW64\Gmdapoil.exeC:\Windows\system32\Gmdapoil.exe114⤵
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\Ggifmgia.exeC:\Windows\system32\Ggifmgia.exe115⤵PID:2552
-
C:\Windows\SysWOW64\Gjhbic32.exeC:\Windows\system32\Gjhbic32.exe116⤵
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Ghmokomm.exeC:\Windows\system32\Ghmokomm.exe117⤵PID:2324
-
C:\Windows\SysWOW64\Hkpdbj32.exeC:\Windows\system32\Hkpdbj32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Holqbipe.exeC:\Windows\system32\Holqbipe.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Hqmmja32.exeC:\Windows\system32\Hqmmja32.exe120⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Hggegknp.exeC:\Windows\system32\Hggegknp.exe121⤵PID:2696
-
C:\Windows\SysWOW64\Hkbagjfi.exeC:\Windows\system32\Hkbagjfi.exe122⤵PID:1756