Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 21:53

Static task: static1
Behavioral task: behavioral1
  Sample: daeb4fd16acfcaef07a0f01bee1263a0N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: daeb4fd16acfcaef07a0f01bee1263a0N.exe
  Resource: win10v2004-20240802-en
General
Target: daeb4fd16acfcaef07a0f01bee1263a0N.exe
Size: 512KB
MD5: daeb4fd16acfcaef07a0f01bee1263a0
SHA1: 25ed629e7c04a4740796f721a4692fd3223be399
SHA256: 9903634b8ad1475ad3350d8c63673716ef13369ad83cff71ed58c68d2a790b91
SHA512: e77a0e0b3a3e09886bd4d0fe7672eb46d3c305d2faef1708d66699fa4ab92fa08e933bd7f37bdbb5e889bd86240496d264d3099caa414a8674ef5e46f02ca3db
SSDEEP: 6144:dXvuWh9853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:hX7QBpnchWcZ
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahbqliap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Boqbcbeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dggcbf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fplgljbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knkkngol.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcgmgh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggekhhle.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kceganoe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Behnkm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chdjpl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enokidgl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffoihepa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qfganb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkgchckl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcgmgh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dflpdb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Heoadcmh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfmfchfo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbokoa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dklibf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdefgimi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkojcgga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idihponj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Igojmjgf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jchhhjjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgnflmia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmdnjf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pikkfilp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bgijbede.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ffoihepa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghpngkhm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gaibpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idkdfo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdqclpgd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dihojnqo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eekpknlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hghhngjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihedan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgjfmlkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbqbioeb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnjpdphd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dbfaopqo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fehodaqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jchhhjjg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldgpea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahbqliap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djaedbnj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmplqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjalch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lljolodf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chickknc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Elnagijk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eibbqmhd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elpnmhgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iqbekpal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jncenh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kofnbk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnhhia32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eamgeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlikkbga.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nonqca32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ommdqi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibmhjc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inffdd32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2836 | Nonqca32.exe
2932 | Obniel32.exe
2900 | Ocpfmd32.exe
3008 | Ocdohdfc.exe
2704 | Ommdqi32.exe
2692 | Pmamliin.exe
1444 | Pbnfdpge.exe
2744 | Phknlfem.exe
1128 | Pbqbioeb.exe
1168 | Pikkfilp.exe
1420 | Pjlgna32.exe
1248 | Pafpjljk.exe
1256 | Phphgf32.exe
1604 | Pnjpdphd.exe
2612 | Qechqj32.exe
2208 | Qhbdmeoe.exe
2176 | Qolmip32.exe
2556 | Qpmiahlp.exe
536 | Qfganb32.exe
1772 | Amaiklki.exe
1040 | Adkbgf32.exe
636 | Akejdp32.exe
1636 | Aihjpman.exe
2596 | Adnomfqc.exe
884 | Aeokdn32.exe
2776 | Aogpmcmb.exe
2804 | Apglgfde.exe
2896 | Aahhoo32.exe
2816 | Ahbqliap.exe
2212 | Aolihc32.exe
1072 | Aefaemqj.exe
1900 | Blpibghg.exe
1756 | Bonenbgj.exe
1268 | Behnkm32.exe
3012 | Bgijbede.exe
2456 | Boqbcbeh.exe
2552 | Bpbokj32.exe
560 | Bkgchckl.exe
2144 | Baakem32.exe
108 | Bcbhmehg.exe
840 | Bjlpjp32.exe
1512 | Bdbdgh32.exe
2992 | Bfcqoqeh.exe
496 | Blmikkle.exe
2796 | Cgcmiclk.exe
1684 | Chdjpl32.exe
2680 | Conbmfif.exe
2652 | Cjcfjoil.exe
756 | Ckebbgoj.exe
2628 | Cbokoa32.exe
3064 | Chickknc.exe
2284 | Cbagdq32.exe
2748 | Cgnpmg32.exe
2464 | Cnhhia32.exe
2352 | Cdbqflae.exe
1896 | Dklibf32.exe
880 | Dbfaopqo.exe
2840 | Dcgmgh32.exe
1568 | Djaedbnj.exe
2220 | Dmobpn32.exe
1788 | Dcijmhdj.exe
2960 | Djcbib32.exe
2676 | Dqmkflcd.exe
2124 | Dggcbf32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2584 | daeb4fd16acfcaef07a0f01bee1263a0N.exe
2584 | daeb4fd16acfcaef07a0f01bee1263a0N.exe
2836 | Nonqca32.exe
2836 | Nonqca32.exe
2932 | Obniel32.exe
2932 | Obniel32.exe
2900 | Ocpfmd32.exe
2900 | Ocpfmd32.exe
3008 | Ocdohdfc.exe
3008 | Ocdohdfc.exe
2704 | Ommdqi32.exe
2704 | Ommdqi32.exe
2692 | Pmamliin.exe
2692 | Pmamliin.exe
1444 | Pbnfdpge.exe
1444 | Pbnfdpge.exe
2744 | Phknlfem.exe
2744 | Phknlfem.exe
1128 | Pbqbioeb.exe
1128 | Pbqbioeb.exe
1168 | Pikkfilp.exe
1168 | Pikkfilp.exe
1420 | Pjlgna32.exe
1420 | Pjlgna32.exe
1248 | Pafpjljk.exe
1248 | Pafpjljk.exe
1256 | Phphgf32.exe
1256 | Phphgf32.exe
1604 | Pnjpdphd.exe
1604 | Pnjpdphd.exe
2612 | Qechqj32.exe
2612 | Qechqj32.exe
2208 | Qhbdmeoe.exe
2208 | Qhbdmeoe.exe
2176 | Qolmip32.exe
2176 | Qolmip32.exe
2556 | Qpmiahlp.exe
2556 | Qpmiahlp.exe
536 | Qfganb32.exe
536 | Qfganb32.exe
1772 | Amaiklki.exe
1772 | Amaiklki.exe
1040 | Adkbgf32.exe
1040 | Adkbgf32.exe
636 | Akejdp32.exe
636 | Akejdp32.exe
1636 | Aihjpman.exe
1636 | Aihjpman.exe
2596 | Adnomfqc.exe
2596 | Adnomfqc.exe
884 | Aeokdn32.exe
884 | Aeokdn32.exe
2776 | Aogpmcmb.exe
2776 | Aogpmcmb.exe
2804 | Apglgfde.exe
2804 | Apglgfde.exe
2896 | Aahhoo32.exe
2896 | Aahhoo32.exe
2816 | Ahbqliap.exe
2816 | Ahbqliap.exe
2212 | Aolihc32.exe
2212 | Aolihc32.exe
1072 | Aefaemqj.exe
1072 | Aefaemqj.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Ihphlqal.dll | Lanmde32.exe
File created | C:\Windows\SysWOW64\Cfhgqmgi.dll | Adkbgf32.exe
File created | C:\Windows\SysWOW64\Pjijgo32.dll | Heoadcmh.exe
File created | C:\Windows\SysWOW64\Jchhhjjg.exe | Jmnpkp32.exe
File opened for modification | C:\Windows\SysWOW64\Lmbadfdl.exe | Lghigl32.exe
File opened for modification | C:\Windows\SysWOW64\Dpbgghhl.exe | Dihojnqo.exe
File created | C:\Windows\SysWOW64\Mckghggc.dll | Ihedan32.exe
File opened for modification | C:\Windows\SysWOW64\Kjalch32.exe | Kplhfo32.exe
File opened for modification | C:\Windows\SysWOW64\Kofnbk32.exe | Kiifjd32.exe
File created | C:\Windows\SysWOW64\Kfmfchfo.exe | Kofnbk32.exe
File created | C:\Windows\SysWOW64\Adkbgf32.exe | Amaiklki.exe
File opened for modification | C:\Windows\SysWOW64\Gifhkpgk.exe | Fblpnepn.exe
File created | C:\Windows\SysWOW64\Hocmbjhn.exe | Hekhid32.exe
File created | C:\Windows\SysWOW64\Fmfdppia.exe | Ejhhcdjm.exe
File opened for modification | C:\Windows\SysWOW64\Ffcbce32.exe | Fdefgimi.exe
File created | C:\Windows\SysWOW64\Gmkjjbhg.exe | Gklnmgic.exe
File created | C:\Windows\SysWOW64\Hgjdcghp.exe | Hocmbjhn.exe
File opened for modification | C:\Windows\SysWOW64\Dqmkflcd.exe | Djcbib32.exe
File created | C:\Windows\SysWOW64\Dmhocf32.dll | Elpnmhgh.exe
File created | C:\Windows\SysWOW64\Fdefgimi.exe | Fmknko32.exe
File opened for modification | C:\Windows\SysWOW64\Hddoep32.exe | Hfanjcke.exe
File created | C:\Windows\SysWOW64\Gdnpak32.dll | Cjcfjoil.exe
File created | C:\Windows\SysWOW64\Bnfjbkng.dll | Gdpikmci.exe
File opened for modification | C:\Windows\SysWOW64\Lanmde32.exe | Lmbadfdl.exe
File created | C:\Windows\SysWOW64\Baakem32.exe | Bkgchckl.exe
File created | C:\Windows\SysWOW64\Nelglc32.dll | Bjlpjp32.exe
File opened for modification | C:\Windows\SysWOW64\Fplgljbm.exe | Ffcbce32.exe
File created | C:\Windows\SysWOW64\Hllgeipk.dll | Pmamliin.exe
File created | C:\Windows\SysWOW64\Anogmi32.dll | Aolihc32.exe
File created | C:\Windows\SysWOW64\Cpfcphnf.dll | Fdbibjok.exe
File created | C:\Windows\SysWOW64\Opebop32.dll | Ghlell32.exe
File opened for modification | C:\Windows\SysWOW64\Hkljljko.exe | Hhnnpolk.exe
File opened for modification | C:\Windows\SysWOW64\Jkeialfp.exe | Jigmeagl.exe
File created | C:\Windows\SysWOW64\Kpndlobg.exe | Kidlodkj.exe
File opened for modification | C:\Windows\SysWOW64\Ldgpea32.exe | Lbfdnijp.exe
File opened for modification | C:\Windows\SysWOW64\Mllhpb32.exe | Mebpchmb.exe
File opened for modification | C:\Windows\SysWOW64\Cbokoa32.exe | Ckebbgoj.exe
File opened for modification | C:\Windows\SysWOW64\Dkihli32.exe | Dflpdb32.exe
File created | C:\Windows\SysWOW64\Cfnefp32.dll | Epgabhdg.exe
File created | C:\Windows\SysWOW64\Fkbqmd32.dll | Mebpchmb.exe
File created | C:\Windows\SysWOW64\Cbickmoq.dll | Ehgoaiml.exe
File created | C:\Windows\SysWOW64\Hlhleh32.dll | Hnmcne32.exe
File opened for modification | C:\Windows\SysWOW64\Jncenh32.exe | Jkeialfp.exe
File opened for modification | C:\Windows\SysWOW64\Jgljfmkd.exe | Jennjblp.exe
File created | C:\Windows\SysWOW64\Kpfenk32.dll | Jgljfmkd.exe
File created | C:\Windows\SysWOW64\Bdbdgh32.exe | Bjlpjp32.exe
File created | C:\Windows\SysWOW64\Iicbdnjn.dll | Dcijmhdj.exe
File created | C:\Windows\SysWOW64\Elnagijk.exe | Efaiobkc.exe
File created | C:\Windows\SysWOW64\Dhgjjgoq.dll | Hfanjcke.exe
File created | C:\Windows\SysWOW64\Mdhlhqbi.dll | Bfcqoqeh.exe
File opened for modification | C:\Windows\SysWOW64\Djaedbnj.exe | Dcgmgh32.exe
File created | C:\Windows\SysWOW64\Gfgfed32.dll | Ejeknelp.exe
File created | C:\Windows\SysWOW64\Dggcbf32.exe | Dqmkflcd.exe
File created | C:\Windows\SysWOW64\Gdpikmci.exe | Gkgdbh32.exe
File created | C:\Windows\SysWOW64\Lomdcj32.exe | Ldgpea32.exe
File opened for modification | C:\Windows\SysWOW64\Chickknc.exe | Cbokoa32.exe
File created | C:\Windows\SysWOW64\Dmobpn32.exe | Djaedbnj.exe
File opened for modification | C:\Windows\SysWOW64\Lomdcj32.exe | Ldgpea32.exe
File opened for modification | C:\Windows\SysWOW64\Phphgf32.exe | Pafpjljk.exe
File opened for modification | C:\Windows\SysWOW64\Hpnpam32.exe | Gnocdb32.exe
File created | C:\Windows\SysWOW64\Keedfp32.dll | Gmkjjbhg.exe
File created | C:\Windows\SysWOW64\Hhnnpolk.exe | Heoadcmh.exe
File created | C:\Windows\SysWOW64\Jncenh32.exe | Jkeialfp.exe
File created | C:\Windows\SysWOW64\Ehkjdmqc.dll | Qechqj32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3400 | 3376 | WerFault.exe | 213
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhnnpolk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icqagkqp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmnpkp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdqclpgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qolmip32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjlpjp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdefgimi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hghhngjb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mllhpb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibmhjc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikembicd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjalch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lanmde32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qfganb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bonenbgj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgcmiclk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfanjcke.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlikkbga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glgqlkdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihedan32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgjfmlkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfcqoqeh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckebbgoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbokoa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdbibjok.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmfdppia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flbgak32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lghigl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjlgna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aahhoo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpbokj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elnagijk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dggcbf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghlell32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaibpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibklddof.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aolihc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aefaemqj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkgchckl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ffoihepa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elpnmhgh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmknko32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fplgljbm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkljljko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pafpjljk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qpmiahlp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahbqliap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnhhia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldgpea32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mapjjdjb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgmbbkij.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obniel32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chdjpl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hddoep32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgnflmia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iogbllfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dqmkflcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkihli32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emdgjpkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hekhid32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jigmeagl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpqaanqd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kemjieol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcijmhdj.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chdjpl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkngbj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hdgkkppm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibmhjc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jncenh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfccmini.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibjnpail.dll" | Akejdp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgkop32.dll" | Bkgchckl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokold32.dll" | Baakem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgcmiclk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ffoihepa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hhbgkn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfccmini.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | daeb4fd16acfcaef07a0f01bee1263a0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Adnomfqc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gkojcgga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hnmcne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facfgahm.dll" | Joohmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lghigl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihphlqal.dll" | Lanmde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dijbqion.dll" | Phknlfem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Phphgf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dklibf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epgabhdg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdpikmci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jjocoedg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lepfoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomekckd.dll" | Aeokdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelglc32.dll" | Bjlpjp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfcqoqeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Elnagijk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kceganoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kplhfo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfmfchfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lohkhjcj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Obniel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglmdppi.dll" | Djaedbnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmgcb32.dll" | Kmbeecaq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pafpjljk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ahbqliap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edimlq32.dll" | Eamgeo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Goemhfco.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkljljko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jchhhjjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jncenh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kplhfo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldgpea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fdefgimi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqkdcib.dll" | Kbmahjbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ocdohdfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmamliin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkooeblb.dll" | Qhbdmeoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qfganb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Amaiklki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lgjfmlkm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dflpdb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Elpnmhgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ehilgikj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opebop32.dll" | Ghlell32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcchl32.dll" | Idkdfo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iogbllfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Linoeccp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjlgna32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbagdq32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Each parent-to-child write below was recorded four times in the report (16 distinct pairs, 64 entries in total); every pair is listed once.
PID 2584 wrote to memory of 2836 2584 daeb4fd16acfcaef07a0f01bee1263a0N.exe 29 (logged 4 times)
PID 2836 wrote to memory of 2932 2836 Nonqca32.exe 30 (logged 4 times)
PID 2932 wrote to memory of 2900 2932 Obniel32.exe 31 (logged 4 times)
PID 2900 wrote to memory of 3008 2900 Ocpfmd32.exe 32 (logged 4 times)
PID 3008 wrote to memory of 2704 3008 Ocdohdfc.exe 33 (logged 4 times)
PID 2704 wrote to memory of 2692 2704 Ommdqi32.exe 34 (logged 4 times)
PID 2692 wrote to memory of 1444 2692 Pmamliin.exe 35 (logged 4 times)
PID 1444 wrote to memory of 2744 1444 Pbnfdpge.exe 36 (logged 4 times)
PID 2744 wrote to memory of 1128 2744 Phknlfem.exe 37 (logged 4 times)
PID 1128 wrote to memory of 1168 1128 Pbqbioeb.exe 38 (logged 4 times)
PID 1168 wrote to memory of 1420 1168 Pikkfilp.exe 39 (logged 4 times)
PID 1420 wrote to memory of 1248 1420 Pjlgna32.exe 40 (logged 4 times)
PID 1248 wrote to memory of 1256 1248 Pafpjljk.exe 41 (logged 4 times)
PID 1256 wrote to memory of 1604 1256 Phphgf32.exe 42 (logged 4 times)
PID 1604 wrote to memory of 2612 1604 Pnjpdphd.exe 43 (logged 4 times)
PID 2612 wrote to memory of 2208 2612 Qechqj32.exe 44 (logged 4 times)
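Read on its own, "wrote to memory of" a process the writer has just created is a weak signal: on this platform the parent's own CreateProcess path writes the new process's startup parameters into the child, which is consistent with the identical writes being logged several times per child here. What makes the table worth keeping is its shape, a straight line in which every process writes into exactly one successor and the successor is a different, freshly dropped executable under SysWOW64. The Python below is an added example, not part of the report or the sandbox: it parses rows in the table's format (the sample rows are transcribed from the first four generations above, duplicates included), collapses the repeats, rebuilds the chain from the root, and refuses to produce a chain at all if any pid writes into more than one target or is written into by more than one writer, which is the case that would deserve a closer look as possible injection rather than plain spawning. The trailing column is kept as the report's own index of the target process (its "procid_target" header).

```python
import re
from collections import Counter

# Rows transcribed from the WriteProcessMemory table above (constructed test
# input: the first four children, each logged four times as in the report).
SAMPLE_ROWS = '''
PID 2584 wrote to memory of 2836 2584 daeb4fd16acfcaef07a0f01bee1263a0N.exe 29
PID 2584 wrote to memory of 2836 2584 daeb4fd16acfcaef07a0f01bee1263a0N.exe 29
PID 2584 wrote to memory of 2836 2584 daeb4fd16acfcaef07a0f01bee1263a0N.exe 29
PID 2584 wrote to memory of 2836 2584 daeb4fd16acfcaef07a0f01bee1263a0N.exe 29
PID 2836 wrote to memory of 2932 2836 Nonqca32.exe 30
PID 2836 wrote to memory of 2932 2836 Nonqca32.exe 30
PID 2836 wrote to memory of 2932 2836 Nonqca32.exe 30
PID 2836 wrote to memory of 2932 2836 Nonqca32.exe 30
PID 2932 wrote to memory of 2900 2932 Obniel32.exe 31
PID 2932 wrote to memory of 2900 2932 Obniel32.exe 31
PID 2932 wrote to memory of 2900 2932 Obniel32.exe 31
PID 2932 wrote to memory of 2900 2932 Obniel32.exe 31
PID 2900 wrote to memory of 3008 2900 Ocpfmd32.exe 32
PID 2900 wrote to memory of 3008 2900 Ocpfmd32.exe 32
PID 2900 wrote to memory of 3008 2900 Ocpfmd32.exe 32
PID 2900 wrote to memory of 3008 2900 Ocpfmd32.exe 32
'''

# Columns: description ("PID <src> wrote to memory of <dst>"), pid, Process,
# procid_target (the report's own index of the target process).
ROW_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
                    r'(?P<pid>\d+) (?P<proc>\S+) (?P<target_idx>\d+)$')


def parse_rows(text):
    """One (src_pid, dst_pid, src_image, target_idx) tuple per table row."""
    rows = []
    for raw in text.strip().splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised row: {raw!r}")
        if m["src"] != m["pid"]:
            raise ValueError(f"description and pid columns disagree: {raw!r}")
        rows.append((int(m["src"]), int(m["dst"]), m["proc"], int(m["target_idx"])))
    return rows


def write_counts(rows):
    """How many times each (writer, target) pair was logged."""
    return Counter((src, dst) for src, dst, _, _ in rows)


def process_names(rows):
    """pid -> image name for every pid that appears as a writer.

    The last link's target never writes anything, so its name has to come
    from the process tree rather than from this table.
    """
    return {src: name for src, _, name, _ in rows}


def build_chain(rows):
    """Follow writer -> target links from the root (the pid nobody wrote into).

    Returns the ordered pid list. Raises ValueError when the graph is not one
    straight chain: fan-out (a writer with two targets), fan-in (two roots,
    i.e. a target with two writers) or a cycle.
    """
    children = {}
    for src, dst, _, _ in rows:
        if children.setdefault(src, dst) != dst:
            raise ValueError(f"pid {src} wrote into more than one process")
    targets = set(children.values())
    roots = [p for p in children if p not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {roots}")
    chain, cur = [roots[0]], roots[0]
    while cur in children:
        cur = children[cur]
        if cur in chain:
            raise ValueError(f"cycle at pid {cur}")
        chain.append(cur)
    return chain


def is_linear_chain(rows):
    """True when build_chain() succeeds, i.e. the writes are plain spawning."""
    try:
        build_chain(rows)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    names = process_names(rows)
    print("linear:", is_linear_chain(rows))
    for pid in build_chain(rows):
        print(pid, names.get(pid, "<not a writer; see process tree>"))
```

Feeding it the full 64-row table yields the 17-pid chain 2584 through 2208; anything that makes `is_linear_chain` return False is the row set to look at first, because one writer with several targets, or one target with several writers, is the pattern a real injector leaves and a dropper-chain does not.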
Processes
-
Each entry is the child of the entry before it; the number is the report's depth in the tree. Image paths are under C:\Windows\SysWOW64 while the command lines name C:\Windows\system32 because these are 32-bit processes, and WoW64 file system redirection maps system32 to SysWOW64 for them.
1. C:\Users\Admin\AppData\Local\Temp\daeb4fd16acfcaef07a0f01bee1263a0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\daeb4fd16acfcaef07a0f01bee1263a0N.exe")
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584
2. C:\Windows\SysWOW64\Nonqca32.exe (command line: C:\Windows\system32\Nonqca32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836
3. C:\Windows\SysWOW64\Obniel32.exe (command line: C:\Windows\system32\Obniel32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932
4. C:\Windows\SysWOW64\Ocpfmd32.exe (command line: C:\Windows\system32\Ocpfmd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900
5. C:\Windows\SysWOW64\Ocdohdfc.exe (command line: C:\Windows\system32\Ocdohdfc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008
6. C:\Windows\SysWOW64\Ommdqi32.exe (command line: C:\Windows\system32\Ommdqi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704
7. C:\Windows\SysWOW64\Pmamliin.exe (command line: C:\Windows\system32\Pmamliin.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692
8. C:\Windows\SysWOW64\Pbnfdpge.exe (command line: C:\Windows\system32\Pbnfdpge.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
9. C:\Windows\SysWOW64\Phknlfem.exe (command line: C:\Windows\system32\Phknlfem.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744
10. C:\Windows\SysWOW64\Pbqbioeb.exe (command line: C:\Windows\system32\Pbqbioeb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128
11. C:\Windows\SysWOW64\Pikkfilp.exe (command line: C:\Windows\system32\Pikkfilp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168
12. C:\Windows\SysWOW64\Pjlgna32.exe (command line: C:\Windows\system32\Pjlgna32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1420
13. C:\Windows\SysWOW64\Pafpjljk.exe (command line: C:\Windows\system32\Pafpjljk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1248
14. C:\Windows\SysWOW64\Phphgf32.exe (command line: C:\Windows\system32\Phphgf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1256
15. C:\Windows\SysWOW64\Pnjpdphd.exe (command line: C:\Windows\system32\Pnjpdphd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604
16. C:\Windows\SysWOW64\Qechqj32.exe (command line: C:\Windows\system32\Qechqj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2612
17. C:\Windows\SysWOW64\Qhbdmeoe.exe (command line: C:\Windows\system32\Qhbdmeoe.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2208
18. C:\Windows\SysWOW64\Qolmip32.exe (command line: C:\Windows\system32\Qolmip32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2176
19. C:\Windows\SysWOW64\Qpmiahlp.exe (command line: C:\Windows\system32\Qpmiahlp.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2556
20. C:\Windows\SysWOW64\Qfganb32.exe (command line: C:\Windows\system32\Qfganb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:536
21. C:\Windows\SysWOW64\Amaiklki.exe (command line: C:\Windows\system32\Amaiklki.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1772
22. C:\Windows\SysWOW64\Adkbgf32.exe (command line: C:\Windows\system32\Adkbgf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1040
23. C:\Windows\SysWOW64\Akejdp32.exe (command line: C:\Windows\system32\Akejdp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:636
24. C:\Windows\SysWOW64\Aihjpman.exe (command line: C:\Windows\system32\Aihjpman.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1636
25. C:\Windows\SysWOW64\Adnomfqc.exe (command line: C:\Windows\system32\Adnomfqc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2596
26. C:\Windows\SysWOW64\Aeokdn32.exe (command line: C:\Windows\system32\Aeokdn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:884
27. C:\Windows\SysWOW64\Aogpmcmb.exe (command line: C:\Windows\system32\Aogpmcmb.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2776
28. C:\Windows\SysWOW64\Apglgfde.exe (command line: C:\Windows\system32\Apglgfde.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2804
29. C:\Windows\SysWOW64\Aahhoo32.exe (command line: C:\Windows\system32\Aahhoo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2896
30. C:\Windows\SysWOW64\Ahbqliap.exe (command line: C:\Windows\system32\Ahbqliap.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2816
31. C:\Windows\SysWOW64\Aolihc32.exe (command line: C:\Windows\system32\Aolihc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2212
32. C:\Windows\SysWOW64\Aefaemqj.exe (command line: C:\Windows\system32\Aefaemqj.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1072
33. C:\Windows\SysWOW64\Blpibghg.exe (command line: C:\Windows\system32\Blpibghg.exe)
- Executes dropped EXE
PID:1900
34. C:\Windows\SysWOW64\Bonenbgj.exe (command line: C:\Windows\system32\Bonenbgj.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756
35. C:\Windows\SysWOW64\Behnkm32.exe (command line: C:\Windows\system32\Behnkm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1268
36. C:\Windows\SysWOW64\Bgijbede.exe (command line: C:\Windows\system32\Bgijbede.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3012
37. C:\Windows\SysWOW64\Boqbcbeh.exe (command line: C:\Windows\system32\Boqbcbeh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2456
38. C:\Windows\SysWOW64\Bpbokj32.exe (command line: C:\Windows\system32\Bpbokj32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2552
39. C:\Windows\SysWOW64\Bkgchckl.exe (command line: C:\Windows\system32\Bkgchckl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:560
40. C:\Windows\SysWOW64\Baakem32.exe (command line: C:\Windows\system32\Baakem32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2144
41. C:\Windows\SysWOW64\Bcbhmehg.exe (command line: C:\Windows\system32\Bcbhmehg.exe)
- Executes dropped EXE
PID:108
42. C:\Windows\SysWOW64\Bjlpjp32.exe (command line: C:\Windows\system32\Bjlpjp32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:840
43. C:\Windows\SysWOW64\Bdbdgh32.exe (command line: C:\Windows\system32\Bdbdgh32.exe)
- Executes dropped EXE
PID:1512
44. C:\Windows\SysWOW64\Bfcqoqeh.exe (command line: C:\Windows\system32\Bfcqoqeh.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2992
45. C:\Windows\SysWOW64\Blmikkle.exe (command line: C:\Windows\system32\Blmikkle.exe)
- Executes dropped EXE
PID:496
46. C:\Windows\SysWOW64\Cgcmiclk.exe (command line: C:\Windows\system32\Cgcmiclk.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2796
47. C:\Windows\SysWOW64\Chdjpl32.exe (command line: C:\Windows\system32\Chdjpl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1684
48. C:\Windows\SysWOW64\Conbmfif.exe (command line: C:\Windows\system32\Conbmfif.exe)
- Executes dropped EXE
PID:2680
49. C:\Windows\SysWOW64\Cjcfjoil.exe (command line: C:\Windows\system32\Cjcfjoil.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2652
50. C:\Windows\SysWOW64\Ckebbgoj.exe (command line: C:\Windows\system32\Ckebbgoj.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:756
51. C:\Windows\SysWOW64\Cbokoa32.exe (command line: C:\Windows\system32\Cbokoa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2628
52. C:\Windows\SysWOW64\Chickknc.exe (command line: C:\Windows\system32\Chickknc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3064
53. C:\Windows\SysWOW64\Cbagdq32.exe (command line: C:\Windows\system32\Cbagdq32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2284
54. C:\Windows\SysWOW64\Cgnpmg32.exe (command line: C:\Windows\system32\Cgnpmg32.exe)
- Executes dropped EXE
PID:2748
55. C:\Windows\SysWOW64\Cnhhia32.exe (command line: C:\Windows\system32\Cnhhia32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2464
56. C:\Windows\SysWOW64\Cdbqflae.exe (command line: C:\Windows\system32\Cdbqflae.exe)
- Executes dropped EXE
PID:2352
57. C:\Windows\SysWOW64\Dklibf32.exe (command line: C:\Windows\system32\Dklibf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1896
58. C:\Windows\SysWOW64\Dbfaopqo.exe (command line: C:\Windows\system32\Dbfaopqo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:880
59. C:\Windows\SysWOW64\Dcgmgh32.exe (command line: C:\Windows\system32\Dcgmgh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2840
60. C:\Windows\SysWOW64\Djaedbnj.exe (command line: C:\Windows\system32\Djaedbnj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1568
61. C:\Windows\SysWOW64\Dmobpn32.exe (command line: C:\Windows\system32\Dmobpn32.exe)
- Executes dropped EXE
PID:2220
62. C:\Windows\SysWOW64\Dcijmhdj.exe (command line: C:\Windows\system32\Dcijmhdj.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1788
63. C:\Windows\SysWOW64\Djcbib32.exe (command line: C:\Windows\system32\Djcbib32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2960
64. C:\Windows\SysWOW64\Dqmkflcd.exe (command line: C:\Windows\system32\Dqmkflcd.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2676
65. C:\Windows\SysWOW64\Dggcbf32.exe (command line: C:\Windows\system32\Dggcbf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2124
66. C:\Windows\SysWOW64\Dihojnqo.exe (command line: C:\Windows\system32\Dihojnqo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2104
67. C:\Windows\SysWOW64\Dpbgghhl.exe (command line: C:\Windows\system32\Dpbgghhl.exe)
PID:2180
68. C:\Windows\SysWOW64\Dflpdb32.exe (command line: C:\Windows\system32\Dflpdb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1960
69. C:\Windows\SysWOW64\Dkihli32.exe (command line: C:\Windows\system32\Dkihli32.exe)
- System Location Discovery: System Language Discovery
PID:2892
70. C:\Windows\SysWOW64\Dcppmg32.exe (command line: C:\Windows\system32\Dcppmg32.exe)
PID:2184
71. C:\Windows\SysWOW64\Eeameodq.exe (command line: C:\Windows\system32\Eeameodq.exe)
PID:2380
72. C:\Windows\SysWOW64\Epgabhdg.exe (command line: C:\Windows\system32\Epgabhdg.exe)
- Drops file in System32 directory
- Modifies registry class
PID:1212
73. C:\Windows\SysWOW64\Efaiobkc.exe (command line: C:\Windows\system32\Efaiobkc.exe)
- Drops file in System32 directory
PID:1712
74. C:\Windows\SysWOW64\Elnagijk.exe (command line: C:\Windows\system32\Elnagijk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:848
75. C:\Windows\SysWOW64\Ebhjdc32.exe (command line: C:\Windows\system32\Ebhjdc32.exe)
PID:2080
76. C:\Windows\SysWOW64\Eibbqmhd.exe (command line: C:\Windows\system32\Eibbqmhd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520
77. C:\Windows\SysWOW64\Elpnmhgh.exe (command line: C:\Windows\system32\Elpnmhgh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2936
78. C:\Windows\SysWOW64\Enokidgl.exe (command line: C:\Windows\system32\Enokidgl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588
79. C:\Windows\SysWOW64\Eamgeo32.exe (command line: C:\Windows\system32\Eamgeo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2812
80. C:\Windows\SysWOW64\Eckcak32.exe (command line: C:\Windows\system32\Eckcak32.exe)
PID:2532
81. C:\Windows\SysWOW64\Ehgoaiml.exe (command line: C:\Windows\system32\Ehgoaiml.exe)
- Drops file in System32 directory
PID:1572
82. C:\Windows\SysWOW64\Ejeknelp.exe (command line: C:\Windows\system32\Ejeknelp.exe)
- Drops file in System32 directory
PID:2472
83. C:\Windows\SysWOW64\Emdgjpkd.exe (command line: C:\Windows\system32\Emdgjpkd.exe)
- System Location Discovery: System Language Discovery
PID:3016
84. C:\Windows\SysWOW64\Eekpknlf.exe (command line: C:\Windows\system32\Eekpknlf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192
85. C:\Windows\SysWOW64\Ehilgikj.exe (command line: C:\Windows\system32\Ehilgikj.exe)
- Modifies registry class
PID:2712
86. C:\Windows\SysWOW64\Ejhhcdjm.exe (command line: C:\Windows\system32\Ejhhcdjm.exe)
- Drops file in System32 directory
PID:1528
87. C:\Windows\SysWOW64\Fmfdppia.exe (command line: C:\Windows\system32\Fmfdppia.exe)
- System Location Discovery: System Language Discovery
PID:2436
88. C:\Windows\SysWOW64\Ffoihepa.exe (command line: C:\Windows\system32\Ffoihepa.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1680
89. C:\Windows\SysWOW64\Fmhaep32.exe (command line: C:\Windows\system32\Fmhaep32.exe)
PID:2868
90. C:\Windows\SysWOW64\Fdbibjok.exe (command line: C:\Windows\system32\Fdbibjok.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:968
91. C:\Windows\SysWOW64\Ffaeneno.exe (command line: C:\Windows\system32\Ffaeneno.exe)
PID:2952
92. C:\Windows\SysWOW64\Fmknko32.exe (command line: C:\Windows\system32\Fmknko32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2560
93. C:\Windows\SysWOW64\Fdefgimi.exe (command line: C:\Windows\system32\Fdefgimi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3032
94. C:\Windows\SysWOW64\Ffcbce32.exe (command line: C:\Windows\system32\Ffcbce32.exe)
- Drops file in System32 directory
PID:2752
95. C:\Windows\SysWOW64\Fplgljbm.exe (command line: C:\Windows\system32\Fplgljbm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2060
96. C:\Windows\SysWOW64\Fehodaqd.exe (command line: C:\Windows\system32\Fehodaqd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264
97. C:\Windows\SysWOW64\Flbgak32.exe (command line: C:\Windows\system32\Flbgak32.exe)
- System Location Discovery: System Language Discovery
PID:2224
98. C:\Windows\SysWOW64\Fblpnepn.exe (command line: C:\Windows\system32\Fblpnepn.exe)
- Drops file in System32 directory
PID:1908
99. C:\Windows\SysWOW64\Gifhkpgk.exe (command line: C:\Windows\system32\Gifhkpgk.exe)
PID:844
100. C:\Windows\SysWOW64\Gkgdbh32.exe (command line: C:\Windows\system32\Gkgdbh32.exe)
- Drops file in System32 directory
PID:2864
101. C:\Windows\SysWOW64\Gdpikmci.exe (command line: C:\Windows\system32\Gdpikmci.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2528
102. C:\Windows\SysWOW64\Ghlell32.exe (command line: C:\Windows\system32\Ghlell32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2112
103. C:\Windows\SysWOW64\Glgqlkdl.exe (command line: C:\Windows\system32\Glgqlkdl.exe)
- System Location Discovery: System Language Discovery
PID:1276
104. C:\Windows\SysWOW64\Goemhfco.exe (command line: C:\Windows\system32\Goemhfco.exe)
- Modifies registry class
PID:1500
105. C:\Windows\SysWOW64\Gklnmgic.exe (command line: C:\Windows\system32\Gklnmgic.exe)
- Drops file in System32 directory
PID:2488
106. C:\Windows\SysWOW64\Gmkjjbhg.exe (command line: C:\Windows\system32\Gmkjjbhg.exe)
- Drops file in System32 directory
PID:2848
107. C:\Windows\SysWOW64\Gddbfm32.exe (command line: C:\Windows\system32\Gddbfm32.exe)
PID:2696
108. C:\Windows\SysWOW64\Ghpngkhm.exe (command line: C:\Windows\system32\Ghpngkhm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:740
109. C:\Windows\SysWOW64\Gkojcgga.exe (command line: C:\Windows\system32\Gkojcgga.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2204
110. C:\Windows\SysWOW64\Gaibpa32.exe (command line: C:\Windows\system32\Gaibpa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2564
111. C:\Windows\SysWOW64\Ggekhhle.exe (command line: C:\Windows\system32\Ggekhhle.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332
112. C:\Windows\SysWOW64\Gkaghf32.exe (command line: C:\Windows\system32\Gkaghf32.exe)
PID:780
113. C:\Windows\SysWOW64\Gnocdb32.exe (command line: C:\Windows\system32\Gnocdb32.exe)
- Drops file in System32 directory
PID:2368
114. C:\Windows\SysWOW64\Hpnpam32.exe (command line: C:\Windows\system32\Hpnpam32.exe)
PID:1860
115. C:\Windows\SysWOW64\Hghhngjb.exe (command line: C:\Windows\system32\Hghhngjb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2376
116. C:\Windows\SysWOW64\Hekhid32.exe (command line: C:\Windows\system32\Hekhid32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:784
117. C:\Windows\SysWOW64\Hocmbjhn.exe (command line: C:\Windows\system32\Hocmbjhn.exe)
- Drops file in System32 directory
PID:1996
118. C:\Windows\SysWOW64\Hgjdcghp.exe (command line: C:\Windows\system32\Hgjdcghp.exe)
PID:2200
119. C:\Windows\SysWOW64\Hpbilmop.exe (command line: C:\Windows\system32\Hpbilmop.exe)
PID:2888
120. C:\Windows\SysWOW64\Heoadcmh.exe (command line: C:\Windows\system32\Heoadcmh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2984
121. C:\Windows\SysWOW64\Hhnnpolk.exe (command line: C:\Windows\system32\Hhnnpolk.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1520
122. C:\Windows\SysWOW64\Hkljljko.exe (command line: C:\Windows\system32\Hkljljko.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2708