Analysis
-
max time kernel
117s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
19/08/2024, 10:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
45e5c5e8c1422e4220472f343d3c5ac0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
45e5c5e8c1422e4220472f343d3c5ac0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
45e5c5e8c1422e4220472f343d3c5ac0N.exe
-
Size
64KB
-
MD5
45e5c5e8c1422e4220472f343d3c5ac0
-
SHA1
1313021076882de17ee6bed7b3d40a5bc52a3b1a
-
SHA256
ed5b3ba7bad503c25fdce082e56cfda5554d87c17dee49385e2c59618f2c8f4b
-
SHA512
864aaeeb93d803b18fa257d110c3b4d3430f750d0408ebc73a407a5e2a9d54344b7f68f0661748a4d3a8ac83743d59c5f4d0049c8da0cc99941e0063a4a2ddbc
-
SSDEEP
768:MiNbIqGwAvFatE5bXEl/Ka+9W3t3lDJNECAplVIkpSD/GPLyor9oJDNpFoWM2p/x:kqGwAv/doFNcWOyJDNpaWM2LdrDWBi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Demaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkcekfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbofmcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmefdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqnjek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenhopmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 45e5c5e8c1422e4220472f343d3c5ac0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqmpdioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifolhann.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmome32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfohgepi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdkkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fihfnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcepqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elgfkhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikgkei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aklabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpbcek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjbmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnlgajg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhonjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknjfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deakjjbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoebgcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgciff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fglfgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdgdji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkmeiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hklhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmkmjoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqiqjlga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hffibceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidddj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcohahpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebqngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclfag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaejojjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afliclij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldiehbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbpqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmmlgik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladebd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaoclgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihfnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimoiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iinhdmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhonjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glbaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icncgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknafhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Japciodd.exe -
Executes dropped EXE 64 IoCs
pid Process 2836 Ahmefdcp.exe 2816 Aklabp32.exe 2600 Aaejojjq.exe 2604 Aiaoclgl.exe 2236 Apkgpf32.exe 1716 Acicla32.exe 1880 Ajckilei.exe 2140 Alageg32.exe 2904 Aclpaali.exe 2728 Anadojlo.exe 2608 Acnlgajg.exe 2180 Afliclij.exe 2124 Boemlbpk.exe 792 Bfoeil32.exe 2000 Bkknac32.exe 576 Bogjaamh.exe 636 Bhonjg32.exe 1160 Bknjfb32.exe 3012 Bnlgbnbp.exe 1524 Bdfooh32.exe 2160 Bgdkkc32.exe 2076 Bnochnpm.exe 2444 Bqmpdioa.exe 872 Bhdhefpc.exe 2780 Bjedmo32.exe 2672 Bbllnlfd.exe 1988 Bdkhjgeh.exe 764 Ckeqga32.exe 2648 Cncmcm32.exe 2252 Cdmepgce.exe 2912 Cjjnhnbl.exe 3048 Cnejim32.exe 2356 Cogfqe32.exe 592 Cgnnab32.exe 1784 Cfanmogq.exe 1300 Cjljnn32.exe 2244 Ciokijfd.exe 2108 Cqfbjhgf.exe 1364 Cbgobp32.exe 1852 Cjogcm32.exe 1820 Cmmcpi32.exe 2412 Cmmcpi32.exe 1676 Colpld32.exe 1940 Ccgklc32.exe 1796 Cfehhn32.exe 1488 Cidddj32.exe 316 Ckbpqe32.exe 1632 Dnqlmq32.exe 1984 Dblhmoio.exe 2232 Dfhdnn32.exe 2784 Dekdikhc.exe 2476 Dkdmfe32.exe 2640 Dppigchi.exe 2796 Dboeco32.exe 3052 Demaoj32.exe 2112 Dihmpinj.exe 2428 Dlgjldnm.exe 2360 Djjjga32.exe 408 Dbabho32.exe 2396 Deondj32.exe 1808 Dgnjqe32.exe 1828 Dlifadkk.exe 2332 Dmkcil32.exe 2272 Deakjjbk.exe -
Loads dropped DLL 64 IoCs
pid Process 2752 45e5c5e8c1422e4220472f343d3c5ac0N.exe 2752 45e5c5e8c1422e4220472f343d3c5ac0N.exe 2836 Ahmefdcp.exe 2836 Ahmefdcp.exe 2816 Aklabp32.exe 2816 Aklabp32.exe 2600 Aaejojjq.exe 2600 Aaejojjq.exe 2604 Aiaoclgl.exe 2604 Aiaoclgl.exe 2236 Apkgpf32.exe 2236 Apkgpf32.exe 1716 Acicla32.exe 1716 Acicla32.exe 1880 Ajckilei.exe 1880 Ajckilei.exe 2140 Alageg32.exe 2140 Alageg32.exe 2904 Aclpaali.exe 2904 Aclpaali.exe 2728 Anadojlo.exe 2728 Anadojlo.exe 2608 Acnlgajg.exe 2608 Acnlgajg.exe 2180 Afliclij.exe 2180 Afliclij.exe 2124 Boemlbpk.exe 2124 Boemlbpk.exe 792 Bfoeil32.exe 792 Bfoeil32.exe 2000 Bkknac32.exe 2000 Bkknac32.exe 576 Bogjaamh.exe 576 Bogjaamh.exe 636 Bhonjg32.exe 636 Bhonjg32.exe 1160 Bknjfb32.exe 1160 Bknjfb32.exe 3012 Bnlgbnbp.exe 3012 Bnlgbnbp.exe 1524 Bdfooh32.exe 1524 Bdfooh32.exe 2160 Bgdkkc32.exe 2160 Bgdkkc32.exe 2076 Bnochnpm.exe 2076 Bnochnpm.exe 2444 Bqmpdioa.exe 2444 Bqmpdioa.exe 872 Bhdhefpc.exe 872 Bhdhefpc.exe 2780 Bjedmo32.exe 2780 Bjedmo32.exe 2672 Bbllnlfd.exe 2672 Bbllnlfd.exe 1988 Bdkhjgeh.exe 1988 Bdkhjgeh.exe 764 Ckeqga32.exe 764 Ckeqga32.exe 2648 Cncmcm32.exe 2648 Cncmcm32.exe 2252 Cdmepgce.exe 2252 Cdmepgce.exe 2912 Cjjnhnbl.exe 2912 Cjjnhnbl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jbhebfck.exe Jpjifjdg.exe File created C:\Windows\SysWOW64\Kocpbfei.exe Kjhcag32.exe File created C:\Windows\SysWOW64\Gpggei32.exe Gmhkin32.exe File created C:\Windows\SysWOW64\Gkaobghp.dll Iknafhjb.exe File created C:\Windows\SysWOW64\Hjcaha32.exe Hgeelf32.exe File created C:\Windows\SysWOW64\Cqfbjhgf.exe Ciokijfd.exe File created C:\Windows\SysWOW64\Jjmfenoo.dll Gojhafnb.exe File created C:\Windows\SysWOW64\Eemnnn32.exe Ebnabb32.exe File created C:\Windows\SysWOW64\Jjhgbd32.exe Jgjkfi32.exe File opened for modification C:\Windows\SysWOW64\Jfcabd32.exe Jbhebfck.exe File opened for modification C:\Windows\SysWOW64\Aiaoclgl.exe Aaejojjq.exe File created C:\Windows\SysWOW64\Dboeco32.exe Dppigchi.exe File opened for modification C:\Windows\SysWOW64\Jllqplnp.exe Jimdcqom.exe File opened for modification C:\Windows\SysWOW64\Kipmhc32.exe Kkmmlgik.exe File created C:\Windows\SysWOW64\Canipj32.dll Bqmpdioa.exe File opened for modification C:\Windows\SysWOW64\Gajqbakc.exe Goldfelp.exe File created C:\Windows\SysWOW64\Dfcgbb32.exe Dcdkef32.exe File created C:\Windows\SysWOW64\Bfakep32.dll Ciokijfd.exe File created C:\Windows\SysWOW64\Njmokcbh.dll Dlgjldnm.exe File created C:\Windows\SysWOW64\Flnlkgjq.exe Fdgdji32.exe File created C:\Windows\SysWOW64\Fkefbcmf.exe Fhgifgnb.exe File opened for modification C:\Windows\SysWOW64\Acicla32.exe Apkgpf32.exe File opened for modification C:\Windows\SysWOW64\Lcmklh32.exe Loaokjjg.exe File created C:\Windows\SysWOW64\Kndkfpje.dll Igqhpj32.exe File created C:\Windows\SysWOW64\Emdeok32.exe Eemnnn32.exe File created C:\Windows\SysWOW64\Bmblbf32.dll Fooembgb.exe File created C:\Windows\SysWOW64\Ghcmae32.dll Hjcaha32.exe File created C:\Windows\SysWOW64\Dnhanebc.dll Jimdcqom.exe File created C:\Windows\SysWOW64\Licpomcb.dll Emaijk32.exe File opened for modification C:\Windows\SysWOW64\Bdkhjgeh.exe Bbllnlfd.exe File opened for modification C:\Windows\SysWOW64\Jfohgepi.exe Jcqlkjae.exe File opened for modification C:\Windows\SysWOW64\Apkgpf32.exe Aiaoclgl.exe File opened for modification C:\Windows\SysWOW64\Eeagimdf.exe Ebckmaec.exe File created C:\Windows\SysWOW64\Gcjmmdbf.exe Gkcekfad.exe File opened for modification C:\Windows\SysWOW64\Icifjk32.exe Iakino32.exe File created C:\Windows\SysWOW64\Eckfklnl.dll Dboeco32.exe File created C:\Windows\SysWOW64\Ckkhdaei.dll Giolnomh.exe File created C:\Windows\SysWOW64\Aiaoclgl.exe Aaejojjq.exe File created C:\Windows\SysWOW64\Faonom32.exe Fihfnp32.exe File opened for modification C:\Windows\SysWOW64\Igebkiof.exe Icifjk32.exe File created C:\Windows\SysWOW64\Hbppfnao.dll Lofifi32.exe File created C:\Windows\SysWOW64\Inajahoe.dll Acicla32.exe File created C:\Windows\SysWOW64\Elgfkhpi.exe Emdeok32.exe File opened for modification C:\Windows\SysWOW64\Inojhc32.exe Ijcngenj.exe File opened for modification C:\Windows\SysWOW64\Iknafhjb.exe Iipejmko.exe File opened for modification C:\Windows\SysWOW64\Cjjnhnbl.exe Cdmepgce.exe File created C:\Windows\SysWOW64\Baajep32.dll Gdnfjl32.exe File opened for modification C:\Windows\SysWOW64\Hqnjek32.exe Hifbdnbi.exe File created C:\Windows\SysWOW64\Ghdjfq32.dll Colpld32.exe File created C:\Windows\SysWOW64\Jfmgba32.dll Hmpaom32.exe File created C:\Windows\SysWOW64\Gojhafnb.exe Gpggei32.exe File created C:\Windows\SysWOW64\Igebkiof.exe Icifjk32.exe File opened for modification C:\Windows\SysWOW64\Cncmcm32.exe Ckeqga32.exe File created C:\Windows\SysWOW64\Fglfgd32.exe Fcqjfeja.exe File opened for modification C:\Windows\SysWOW64\Elibpg32.exe Ehnfpifm.exe File opened for modification C:\Windows\SysWOW64\Fkefbcmf.exe Fhgifgnb.exe File created C:\Windows\SysWOW64\Dllqqh32.dll Lmpcca32.exe File created C:\Windows\SysWOW64\Lclknm32.dll Bhdhefpc.exe File opened for modification C:\Windows\SysWOW64\Japciodd.exe Jnagmc32.exe File created C:\Windows\SysWOW64\Onpeobjf.dll Khnapkjg.exe File created C:\Windows\SysWOW64\Pihbeaea.dll Kageia32.exe File opened for modification C:\Windows\SysWOW64\Lifcib32.exe Lekghdad.exe File created C:\Windows\SysWOW64\Adnjbnhn.dll Goldfelp.exe File opened for modification C:\Windows\SysWOW64\Jedehaea.exe Jfaeme32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3136 4064 WerFault.exe 294 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimcjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbofmcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknafhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbcek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbhbai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dppigchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnhjjml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhicbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeojcmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaojnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgfjggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcepqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfehhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjedmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeagimdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llepen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcohahpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqmpdioa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeqga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjogcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiqpigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinhdmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbabho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadojlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlgbnbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgfkhpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kablnadm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnlgajg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqkmplen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khldkllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdgdji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimoiopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhkopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikgkei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfooh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggmldfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dekdikhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efedga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgocmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjmfjmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogjaamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcghkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajqbakc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghgfekpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqiqjlga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaejojjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgjldnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaclfgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblelb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmohco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiioin32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iamfdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmhkin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efedga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhdmph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imbjcpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnlgbnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnmjop32.dll" Cidddj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glnhjjml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqnjek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lekghdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmeekj.dll" Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgfqf32.dll" Elkofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lknocpdc.dll" Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lknocpdc.dll" Fdgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnofgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebckmaec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfndl32.dll" Ghbljk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghdiokbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll" Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifibfn.dll" Fihfnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll" Kadica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccblb32.dll" Cfanmogq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfcgbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goldfelp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifblipqh.dll" Imggplgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 45e5c5e8c1422e4220472f343d3c5ac0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dppigchi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fihfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmiflpof.dll" Hiioin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cidddj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikgkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iogpag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbnok32.dll" Dgnjqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcqjfeja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glbaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdpcokdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcohahpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhjoc32.dll" Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efedga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hclfag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongcaafk.dll" Djocbqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll" Ifmocb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jllqplnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npepblac.dll" Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdaaanl.dll" Ccgklc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehnfpifm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ladebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bogjaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifmocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqiqjlga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bknjfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjhgbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmpcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbdnmap.dll" Dnqlmq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2752 wrote to memory of 2836 2752 45e5c5e8c1422e4220472f343d3c5ac0N.exe 30 PID 2752 wrote to memory of 2836 2752 45e5c5e8c1422e4220472f343d3c5ac0N.exe 30 PID 2752 wrote to memory of 2836 2752 45e5c5e8c1422e4220472f343d3c5ac0N.exe 30 PID 2752 wrote to memory of 2836 2752 45e5c5e8c1422e4220472f343d3c5ac0N.exe 30 PID 2836 wrote to memory of 2816 2836 Ahmefdcp.exe 31 PID 2836 wrote to memory of 2816 2836 Ahmefdcp.exe 31 PID 2836 wrote to memory of 2816 2836 Ahmefdcp.exe 31 PID 2836 wrote to memory of 2816 2836 Ahmefdcp.exe 31 PID 2816 wrote to memory of 2600 2816 Aklabp32.exe 32 PID 2816 wrote to memory of 2600 2816 Aklabp32.exe 32 PID 2816 wrote to memory of 2600 2816 Aklabp32.exe 32 PID 2816 wrote to memory of 2600 2816 Aklabp32.exe 32 PID 2600 wrote to memory of 2604 2600 Aaejojjq.exe 33 PID 2600 wrote to memory of 2604 2600 Aaejojjq.exe 33 PID 2600 wrote to memory of 2604 2600 Aaejojjq.exe 33 PID 2600 wrote to memory of 2604 2600 Aaejojjq.exe 33 PID 2604 wrote to memory of 2236 2604 Aiaoclgl.exe 34 PID 2604 wrote to memory of 2236 2604 Aiaoclgl.exe 34 PID 2604 wrote to memory of 2236 2604 Aiaoclgl.exe 34 PID 2604 wrote to memory of 2236 2604 Aiaoclgl.exe 34 PID 2236 wrote to memory of 1716 2236 Apkgpf32.exe 35 PID 2236 wrote to memory of 1716 2236 Apkgpf32.exe 35 PID 2236 wrote to memory of 1716 2236 Apkgpf32.exe 35 PID 2236 wrote to memory of 1716 2236 Apkgpf32.exe 35 PID 1716 wrote to memory of 1880 1716 Acicla32.exe 36 PID 1716 wrote to memory of 1880 1716 Acicla32.exe 36 PID 1716 wrote to memory of 1880 1716 Acicla32.exe 36 PID 1716 wrote to memory of 1880 1716 Acicla32.exe 36 PID 1880 wrote to memory of 2140 1880 Ajckilei.exe 37 PID 1880 wrote to memory of 2140 1880 Ajckilei.exe 37 PID 1880 wrote to memory of 2140 1880 Ajckilei.exe 37 PID 1880 wrote to memory of 2140 1880 Ajckilei.exe 37 PID 2140 wrote to memory of 2904 2140 Alageg32.exe 38 PID 2140 wrote to memory of 2904 2140 Alageg32.exe 38 PID 2140 wrote to memory of 2904 2140 Alageg32.exe 38 PID 2140 wrote to memory of 2904 2140 Alageg32.exe 38 PID 2904 wrote to memory of 2728 2904 Aclpaali.exe 39 PID 2904 wrote to memory of 2728 2904 Aclpaali.exe 39 PID 2904 wrote to memory of 2728 2904 Aclpaali.exe 39 PID 2904 wrote to memory of 2728 2904 Aclpaali.exe 39 PID 2728 wrote to memory of 2608 2728 Anadojlo.exe 40 PID 2728 wrote to memory of 2608 2728 Anadojlo.exe 40 PID 2728 wrote to memory of 2608 2728 Anadojlo.exe 40 PID 2728 wrote to memory of 2608 2728 Anadojlo.exe 40 PID 2608 wrote to memory of 2180 2608 Acnlgajg.exe 41 PID 2608 wrote to memory of 2180 2608 Acnlgajg.exe 41 PID 2608 wrote to memory of 2180 2608 Acnlgajg.exe 41 PID 2608 wrote to memory of 2180 2608 Acnlgajg.exe 41 PID 2180 wrote to memory of 2124 2180 Afliclij.exe 42 PID 2180 wrote to memory of 2124 2180 Afliclij.exe 42 PID 2180 wrote to memory of 2124 2180 Afliclij.exe 42 PID 2180 wrote to memory of 2124 2180 Afliclij.exe 42 PID 2124 wrote to memory of 792 2124 Boemlbpk.exe 43 PID 2124 wrote to memory of 792 2124 Boemlbpk.exe 43 PID 2124 wrote to memory of 792 2124 Boemlbpk.exe 43 PID 2124 wrote to memory of 792 2124 Boemlbpk.exe 43 PID 792 wrote to memory of 2000 792 Bfoeil32.exe 44 PID 792 wrote to memory of 2000 792 Bfoeil32.exe 44 PID 792 wrote to memory of 2000 792 Bfoeil32.exe 44 PID 792 wrote to memory of 2000 792 Bfoeil32.exe 44 PID 2000 wrote to memory of 576 2000 Bkknac32.exe 45 PID 2000 wrote to memory of 576 2000 Bkknac32.exe 45 PID 2000 wrote to memory of 576 2000 Bkknac32.exe 45 PID 2000 wrote to memory of 576 2000 Bkknac32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\45e5c5e8c1422e4220472f343d3c5ac0N.exe"C:\Users\Admin\AppData\Local\Temp\45e5c5e8c1422e4220472f343d3c5ac0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ahmefdcp.exeC:\Windows\system32\Ahmefdcp.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Aklabp32.exeC:\Windows\system32\Aklabp32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Aiaoclgl.exeC:\Windows\system32\Aiaoclgl.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Apkgpf32.exeC:\Windows\system32\Apkgpf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Acicla32.exeC:\Windows\system32\Acicla32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Ajckilei.exeC:\Windows\system32\Ajckilei.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Aclpaali.exeC:\Windows\system32\Aclpaali.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Acnlgajg.exeC:\Windows\system32\Acnlgajg.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Boemlbpk.exeC:\Windows\system32\Boemlbpk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Bfoeil32.exeC:\Windows\system32\Bfoeil32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Bkknac32.exeC:\Windows\system32\Bkknac32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Bogjaamh.exeC:\Windows\system32\Bogjaamh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Bhonjg32.exeC:\Windows\system32\Bhonjg32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Bdfooh32.exeC:\Windows\system32\Bdfooh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Bnochnpm.exeC:\Windows\system32\Bnochnpm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Bqmpdioa.exeC:\Windows\system32\Bqmpdioa.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Bhdhefpc.exeC:\Windows\system32\Bhdhefpc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Bjedmo32.exeC:\Windows\system32\Bjedmo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Bbllnlfd.exeC:\Windows\system32\Bbllnlfd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Bdkhjgeh.exeC:\Windows\system32\Bdkhjgeh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Ckeqga32.exeC:\Windows\system32\Ckeqga32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:764 -
C:\Windows\SysWOW64\Cncmcm32.exeC:\Windows\system32\Cncmcm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Cdmepgce.exeC:\Windows\system32\Cdmepgce.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Cjjnhnbl.exeC:\Windows\system32\Cjjnhnbl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Cnejim32.exeC:\Windows\system32\Cnejim32.exe33⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Cogfqe32.exeC:\Windows\system32\Cogfqe32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Cgnnab32.exeC:\Windows\system32\Cgnnab32.exe35⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Cfanmogq.exeC:\Windows\system32\Cfanmogq.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Cjljnn32.exeC:\Windows\system32\Cjljnn32.exe37⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Ciokijfd.exeC:\Windows\system32\Ciokijfd.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Cqfbjhgf.exeC:\Windows\system32\Cqfbjhgf.exe39⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe40⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Cjogcm32.exeC:\Windows\system32\Cjogcm32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\Cmmcpi32.exeC:\Windows\system32\Cmmcpi32.exe42⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Cmmcpi32.exeC:\Windows\system32\Cmmcpi32.exe43⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Colpld32.exeC:\Windows\system32\Colpld32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Ccgklc32.exeC:\Windows\system32\Ccgklc32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Cfehhn32.exeC:\Windows\system32\Cfehhn32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Windows\SysWOW64\Cidddj32.exeC:\Windows\system32\Cidddj32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Ckbpqe32.exeC:\Windows\system32\Ckbpqe32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Dnqlmq32.exeC:\Windows\system32\Dnqlmq32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Dblhmoio.exeC:\Windows\system32\Dblhmoio.exe50⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Dfhdnn32.exeC:\Windows\system32\Dfhdnn32.exe51⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Dkdmfe32.exeC:\Windows\system32\Dkdmfe32.exe53⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Dppigchi.exeC:\Windows\system32\Dppigchi.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Demaoj32.exeC:\Windows\system32\Demaoj32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Dihmpinj.exeC:\Windows\system32\Dihmpinj.exe57⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Dlgjldnm.exeC:\Windows\system32\Dlgjldnm.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Djjjga32.exeC:\Windows\system32\Djjjga32.exe59⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Dbabho32.exeC:\Windows\system32\Dbabho32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:408 -
C:\Windows\SysWOW64\Deondj32.exeC:\Windows\system32\Deondj32.exe61⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Dgnjqe32.exeC:\Windows\system32\Dgnjqe32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Dlifadkk.exeC:\Windows\system32\Dlifadkk.exe63⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Dmkcil32.exeC:\Windows\system32\Dmkcil32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Deakjjbk.exeC:\Windows\system32\Deakjjbk.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Dcdkef32.exeC:\Windows\system32\Dcdkef32.exe66⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Dfcgbb32.exeC:\Windows\system32\Dfcgbb32.exe67⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe68⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Dmmpolof.exeC:\Windows\system32\Dmmpolof.exe69⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Dcghkf32.exeC:\Windows\system32\Dcghkf32.exe71⤵
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Efedga32.exeC:\Windows\system32\Efedga32.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Ejaphpnp.exeC:\Windows\system32\Ejaphpnp.exe73⤵PID:2536
-
C:\Windows\SysWOW64\Emoldlmc.exeC:\Windows\system32\Emoldlmc.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Eakhdj32.exeC:\Windows\system32\Eakhdj32.exe75⤵PID:3068
-
C:\Windows\SysWOW64\Edidqf32.exeC:\Windows\system32\Edidqf32.exe76⤵PID:2892
-
C:\Windows\SysWOW64\Eblelb32.exeC:\Windows\system32\Eblelb32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Ejcmmp32.exeC:\Windows\system32\Ejcmmp32.exe78⤵PID:3040
-
C:\Windows\SysWOW64\Emaijk32.exeC:\Windows\system32\Emaijk32.exe79⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Eppefg32.exeC:\Windows\system32\Eppefg32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Ebnabb32.exeC:\Windows\system32\Ebnabb32.exe82⤵
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Eemnnn32.exeC:\Windows\system32\Eemnnn32.exe83⤵
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Emdeok32.exeC:\Windows\system32\Emdeok32.exe84⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1256 -
C:\Windows\SysWOW64\Eoebgcol.exeC:\Windows\system32\Eoebgcol.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Ebqngb32.exeC:\Windows\system32\Ebqngb32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Efljhq32.exeC:\Windows\system32\Efljhq32.exe88⤵PID:2872
-
C:\Windows\SysWOW64\Eeojcmfi.exeC:\Windows\system32\Eeojcmfi.exe89⤵
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Ehnfpifm.exeC:\Windows\system32\Ehnfpifm.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Elibpg32.exeC:\Windows\system32\Elibpg32.exe91⤵PID:3056
-
C:\Windows\SysWOW64\Eogolc32.exeC:\Windows\system32\Eogolc32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2540 -
C:\Windows\SysWOW64\Ebckmaec.exeC:\Windows\system32\Ebckmaec.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Eeagimdf.exeC:\Windows\system32\Eeagimdf.exe94⤵
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:344 -
C:\Windows\SysWOW64\Elkofg32.exeC:\Windows\system32\Elkofg32.exe96⤵
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Eknpadcn.exeC:\Windows\system32\Eknpadcn.exe97⤵PID:1844
-
C:\Windows\SysWOW64\Fbegbacp.exeC:\Windows\system32\Fbegbacp.exe98⤵PID:2472
-
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe99⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Fdgdji32.exeC:\Windows\system32\Fdgdji32.exe100⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Fdgdji32.exeC:\Windows\system32\Fdgdji32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:288 -
C:\Windows\SysWOW64\Flnlkgjq.exeC:\Windows\system32\Flnlkgjq.exe102⤵PID:1096
-
C:\Windows\SysWOW64\Fkqlgc32.exeC:\Windows\system32\Fkqlgc32.exe103⤵PID:3004
-
C:\Windows\SysWOW64\Fmohco32.exeC:\Windows\system32\Fmohco32.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Fakdcnhh.exeC:\Windows\system32\Fakdcnhh.exe105⤵PID:1484
-
C:\Windows\SysWOW64\Fdiqpigl.exeC:\Windows\system32\Fdiqpigl.exe106⤵
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Fhdmph32.exeC:\Windows\system32\Fhdmph32.exe107⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe108⤵
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Fooembgb.exeC:\Windows\system32\Fooembgb.exe109⤵
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Fmaeho32.exeC:\Windows\system32\Fmaeho32.exe110⤵PID:2636
-
C:\Windows\SysWOW64\Fppaej32.exeC:\Windows\system32\Fppaej32.exe111⤵PID:1688
-
C:\Windows\SysWOW64\Fdkmeiei.exeC:\Windows\system32\Fdkmeiei.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Fhgifgnb.exeC:\Windows\system32\Fhgifgnb.exe113⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Fkefbcmf.exeC:\Windows\system32\Fkefbcmf.exe114⤵PID:2944
-
C:\Windows\SysWOW64\Fihfnp32.exeC:\Windows\system32\Fihfnp32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:972 -
C:\Windows\SysWOW64\Faonom32.exeC:\Windows\system32\Faonom32.exe116⤵PID:2488
-
C:\Windows\SysWOW64\Fpbnjjkm.exeC:\Windows\system32\Fpbnjjkm.exe117⤵PID:2300
-
C:\Windows\SysWOW64\Fcqjfeja.exeC:\Windows\system32\Fcqjfeja.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Fglfgd32.exeC:\Windows\system32\Fglfgd32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1752 -
C:\Windows\SysWOW64\Fmfocnjg.exeC:\Windows\system32\Fmfocnjg.exe120⤵PID:2764
-
C:\Windows\SysWOW64\Fpdkpiik.exeC:\Windows\system32\Fpdkpiik.exe121⤵PID:2092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-