Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
24-08-2024 02:17
Static task
static1
Behavioral task
behavioral1
Sample
c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe
Resource
win10v2004-20240802-en
General
-
Target
c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe
-
Size
93KB
-
MD5
befa1c54649aae1b2058e01aeb062a4a
-
SHA1
299f79a8bfdef911a25bd25d0f2334baaafe0b7d
-
SHA256
c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e
-
SHA512
a90b710dc4a9ead83c558c21bb62fb4fa4ddc2bf42da34d283bb04338f9e8962a397c26302a70fa74169edd49f2ff67c7de629cd2ca763b1e6397868e5b0defd
-
SSDEEP
1536:x/c7E1GRH/8dY++4XnUpjoLI4mYb+w+lWcqLS6/CTEjiwg58:x0ZRH/8R/UdmI4gWw6aYY58
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fegjgkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heqimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjnjqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpkhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlboca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcggef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mldeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfqlkfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpniokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fedfgejh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fegjgkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkimpfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhkbmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjpkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egcfdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kecjmodq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laodmoep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miclhpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnhhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dglpdomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkdioh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maanab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhpad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gieommdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeaahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chggdoee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clilmbhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fenphjei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpacogjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laaabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afeaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmhgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlpbna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbcelp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgdgpfnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkibjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ockinl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdfmbjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklepmal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpogiglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcfoihhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnokdaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naegmabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aejnfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gagmbkik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jacibm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkhoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjgei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onoqfehp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khagijcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oddphp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkcfjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejfllhao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpaehl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efoifiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Embkbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecnpdnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efmlqigc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fobkfqpo.exe -
Executes dropped EXE 64 IoCs
pid Process 2428 Ffdilo32.exe 2836 Fegjgkla.exe 2064 Fmnahilc.exe 2804 Fbkjap32.exe 2192 Fpokjd32.exe 2648 Fobkfqpo.exe 2596 Fodgkp32.exe 2700 Fenphjei.exe 1616 Gmidlmcd.exe 332 Gdcmig32.exe 2888 Goiafp32.exe 2780 Gagmbkik.exe 1716 Ggdekbgb.exe 2320 Gmnngl32.exe 1128 Gckfpc32.exe 2108 Gieommdc.exe 1532 Gpogiglp.exe 1664 Gcmcebkc.exe 2144 Gigkbm32.exe 2404 Gpacogjm.exe 1680 Ggklka32.exe 1396 Hijhhl32.exe 3060 Hcblqb32.exe 1804 Heqimm32.exe 1560 Hkmaed32.exe 2684 Hcdifa32.exe 2732 Hlmnogkl.exe 1904 Hokjkbkp.exe 2564 Hhcndhap.exe 2884 Honfqb32.exe 2980 Halcmn32.exe 3052 Hhfkihon.exe 1048 Idmlniea.exe 1888 Igkhjdde.exe 2744 Inepgn32.exe 2892 Iqcmcj32.exe 2256 Ingmmn32.exe 1312 Iqfiii32.exe 2628 Iianmlfn.exe 2916 Immjnj32.exe 2944 Ijqjgo32.exe 992 Imogcj32.exe 2088 Ikagogco.exe 1688 Iciopdca.exe 2468 Ifgklp32.exe 1708 Imacijjb.exe 324 Joppeeif.exe 2828 Jfjhbo32.exe 2424 Jelhmlgm.exe 1968 Jkfpjf32.exe 2584 Jnemfa32.exe 1784 Jacibm32.exe 1180 Jgmaog32.exe 3004 Jkimpfmg.exe 2764 Jbcelp32.exe 796 Jeaahk32.exe 1644 Jcdadhjb.exe 1836 Jkkjeeke.exe 1960 Jjnjqb32.exe 3036 Jmlfmn32.exe 988 Jahbmlil.exe 1776 Jcfoihhp.exe 608 Jfekec32.exe 2080 Jnlbgq32.exe -
Loads dropped DLL 64 IoCs
pid Process 3016 c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe 3016 c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe 2428 Ffdilo32.exe 2428 Ffdilo32.exe 2836 Fegjgkla.exe 2836 Fegjgkla.exe 2064 Fmnahilc.exe 2064 Fmnahilc.exe 2804 Fbkjap32.exe 2804 Fbkjap32.exe 2192 Fpokjd32.exe 2192 Fpokjd32.exe 2648 Fobkfqpo.exe 2648 Fobkfqpo.exe 2596 Fodgkp32.exe 2596 Fodgkp32.exe 2700 Fenphjei.exe 2700 Fenphjei.exe 1616 Gmidlmcd.exe 1616 Gmidlmcd.exe 332 Gdcmig32.exe 332 Gdcmig32.exe 2888 Goiafp32.exe 2888 Goiafp32.exe 2780 Gagmbkik.exe 2780 Gagmbkik.exe 1716 Ggdekbgb.exe 1716 Ggdekbgb.exe 2320 Gmnngl32.exe 2320 Gmnngl32.exe 1128 Gckfpc32.exe 1128 Gckfpc32.exe 2108 Gieommdc.exe 2108 Gieommdc.exe 1532 Gpogiglp.exe 1532 Gpogiglp.exe 1664 Gcmcebkc.exe 1664 Gcmcebkc.exe 2144 Gigkbm32.exe 2144 Gigkbm32.exe 2404 Gpacogjm.exe 2404 Gpacogjm.exe 1680 Ggklka32.exe 1680 Ggklka32.exe 1396 Hijhhl32.exe 1396 Hijhhl32.exe 3060 Hcblqb32.exe 3060 Hcblqb32.exe 1804 Heqimm32.exe 1804 Heqimm32.exe 1560 Hkmaed32.exe 1560 Hkmaed32.exe 2684 Hcdifa32.exe 2684 Hcdifa32.exe 2732 Hlmnogkl.exe 2732 Hlmnogkl.exe 1904 Hokjkbkp.exe 1904 Hokjkbkp.exe 2564 Hhcndhap.exe 2564 Hhcndhap.exe 2884 Honfqb32.exe 2884 Honfqb32.exe 2980 Halcmn32.exe 2980 Halcmn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Imacijjb.exe Ifgklp32.exe File created C:\Windows\SysWOW64\Ldkdckff.exe Lalhgogb.exe File created C:\Windows\SysWOW64\Cpgecq32.exe Cnhhge32.exe File created C:\Windows\SysWOW64\Fjkhdlkp.dll Ggklka32.exe File created C:\Windows\SysWOW64\Ncnjeh32.exe Nqpmimbe.exe File opened for modification C:\Windows\SysWOW64\Bhpqcpkm.exe Beadgdli.exe File created C:\Windows\SysWOW64\Mfeilp32.dll Keango32.exe File opened for modification C:\Windows\SysWOW64\Qbobaf32.exe Qjgjpi32.exe File opened for modification C:\Windows\SysWOW64\Bikcbc32.exe Baclaf32.exe File opened for modification C:\Windows\SysWOW64\Pcdldknm.exe Plndcmmj.exe File created C:\Windows\SysWOW64\Oodjjign.exe Omfnnnhj.exe File created C:\Windows\SysWOW64\Kbenacdm.exe Koibpd32.exe File opened for modification C:\Windows\SysWOW64\Mhdpnm32.exe Meecaa32.exe File created C:\Windows\SysWOW64\Oqmmbqgd.exe Objmgd32.exe File created C:\Windows\SysWOW64\Pncjad32.exe Pflbpg32.exe File created C:\Windows\SysWOW64\Bhdjno32.exe Befnbd32.exe File created C:\Windows\SysWOW64\Qgfhapbi.dll Dcjjkkji.exe File created C:\Windows\SysWOW64\Lilfgq32.exe Lkifkdjm.exe File created C:\Windows\SysWOW64\Comhgndh.dll Onoqfehp.exe File created C:\Windows\SysWOW64\Bihgmdih.exe Bemkle32.exe File created C:\Windows\SysWOW64\Bhbmip32.exe Bahelebm.exe File created C:\Windows\SysWOW64\Fbfjkj32.exe Fnjnkkbk.exe File opened for modification C:\Windows\SysWOW64\Imogcj32.exe Ijqjgo32.exe File created C:\Windows\SysWOW64\Hclmphpn.dll Clnehado.exe File opened for modification C:\Windows\SysWOW64\Dhdfmbjc.exe Cffjagko.exe File created C:\Windows\SysWOW64\Oomjld32.dll Emdhhdqb.exe File created C:\Windows\SysWOW64\Ffdokdko.dll Koibpd32.exe File opened for modification C:\Windows\SysWOW64\Mneaacno.exe Mkgeehnl.exe File created C:\Windows\SysWOW64\Aeackjhh.dll Efmlqigc.exe File opened for modification C:\Windows\SysWOW64\Llpoohik.exe Lhdcojaa.exe File opened for modification C:\Windows\SysWOW64\Pmhgba32.exe Pjjkfe32.exe File created C:\Windows\SysWOW64\Inipeafi.dll Fenphjei.exe File opened for modification C:\Windows\SysWOW64\Jkkjeeke.exe Jcdadhjb.exe File created C:\Windows\SysWOW64\Hcggbimn.dll Kbbakc32.exe File created C:\Windows\SysWOW64\Njhbabif.exe Ncnjeh32.exe File created C:\Windows\SysWOW64\Epfbllkc.dll Oqkpmaif.exe File opened for modification C:\Windows\SysWOW64\Bemkle32.exe Abnopj32.exe File opened for modification C:\Windows\SysWOW64\Hhfkihon.exe Halcmn32.exe File created C:\Windows\SysWOW64\Mlglpa32.dll Miclhpjp.exe File created C:\Windows\SysWOW64\Pefhlcdk.exe Pfchqf32.exe File created C:\Windows\SysWOW64\Cffjagko.exe Cbjnqh32.exe File opened for modification C:\Windows\SysWOW64\Oqojhp32.exe Onamle32.exe File created C:\Windows\SysWOW64\Pjcpccaf.dll Qaablcej.exe File created C:\Windows\SysWOW64\Ccqhdmbc.exe Cpbkhabp.exe File created C:\Windows\SysWOW64\Egbigm32.dll Dlpbna32.exe File created C:\Windows\SysWOW64\Dglpdomh.exe Dhiphb32.exe File opened for modification C:\Windows\SysWOW64\Ppdfimji.exe Pncjad32.exe File created C:\Windows\SysWOW64\Olqdoelc.dll Aicmadmm.exe File opened for modification C:\Windows\SysWOW64\Kmclmm32.exe Kfidqb32.exe File created C:\Windows\SysWOW64\Nanhfpff.dll Llpoohik.exe File opened for modification C:\Windows\SysWOW64\Ammmlcgi.exe Ajnqphhe.exe File opened for modification C:\Windows\SysWOW64\Donojm32.exe Dlpbna32.exe File created C:\Windows\SysWOW64\Bakbgd32.dll c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe File created C:\Windows\SysWOW64\Fobkfqpo.exe Fpokjd32.exe File created C:\Windows\SysWOW64\Pidaba32.exe Pehebbbh.exe File created C:\Windows\SysWOW64\Baclaf32.exe Boeoek32.exe File created C:\Windows\SysWOW64\Fpkljm32.dll Einebddd.exe File created C:\Windows\SysWOW64\Iahbkogl.dll Bceeqi32.exe File opened for modification C:\Windows\SysWOW64\Ccqhdmbc.exe Cpbkhabp.exe File created C:\Windows\SysWOW64\Panfjh32.dll Ecjgio32.exe File created C:\Windows\SysWOW64\Hjhlmfio.dll Honfqb32.exe File created C:\Windows\SysWOW64\Idfejc32.dll Immjnj32.exe File opened for modification C:\Windows\SysWOW64\Lolofd32.exe Khagijcd.exe File opened for modification C:\Windows\SysWOW64\Pgibdjln.exe Pcnfdl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4588 4564 WerFault.exe 339 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpokjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokkegmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndafcmci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nladco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjjkkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igkhjdde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koibpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miclhpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okpdjjil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addhcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicmadmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appbcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimpfmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afeaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpqcpkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahelebm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjpkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meecaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmaed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflbpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbmip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Immjnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciopdca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keoabo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oddphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqmmbqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaofgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhgggim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldeik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneaacno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbkhabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhkbmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnckki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbnhpdke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehebbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlboca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclcon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeaahk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknkeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqkpmaif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clilmbhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmnngl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfkihon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcnfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlmnogkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfidqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macjgadf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeelc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baclaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceapl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiphb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcfdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfllhao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heqimm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honfqb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdokfc32.dll" Obhpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdddneh.dll" Fmnahilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koibpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Albjnplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohaaaf.dll" Abnopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfhgggim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnpf32.dll" Omfnnnhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qaablcej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Appbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befaceaa.dll" Imacijjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mecglbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkgeehnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofbagcb.dll" Nhkbmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pglojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgagag32.dll" Ajnqphhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggoekd32.dll" Gckfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhbifkd.dll" Heqimm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iqcmcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnlhab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nladco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oiahnnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbjifgcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dldbfo32.dll" Jpmooind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeelon32.dll" Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacgfd32.dll" Beadgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjkhlkg.dll" Meecaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngpcohbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aicmadmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijqjgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlboca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbdagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klalgq32.dll" Lhdcojaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofobgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcnfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedhlopf.dll" Kmclmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmjomogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pflbpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhbmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Donojm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhiphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeackjhh.dll" Efmlqigc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Addhcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maflig32.dll" Jkfpjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjjki32.dll" Khojcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifijkq32.dll" Ohmoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpbkhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnmoiqo.dll" Fobkfqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mokkegmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cncolfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdkpjd.dll" Mneaacno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncgcdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldainid.dll" Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpokjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcggef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miclhpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkbeqfel.dll" Njhbabif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaflgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cceapl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifgklp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcfoihhp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2428 3016 c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe 30 PID 3016 wrote to memory of 2428 3016 c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe 30 PID 3016 wrote to memory of 2428 3016 c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe 30 PID 3016 wrote to memory of 2428 3016 c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe 30 PID 2428 wrote to memory of 2836 2428 Ffdilo32.exe 31 PID 2428 wrote to memory of 2836 2428 Ffdilo32.exe 31 PID 2428 wrote to memory of 2836 2428 Ffdilo32.exe 31 PID 2428 wrote to memory of 2836 2428 Ffdilo32.exe 31 PID 2836 wrote to memory of 2064 2836 Fegjgkla.exe 32 PID 2836 wrote to memory of 2064 2836 Fegjgkla.exe 32 PID 2836 wrote to memory of 2064 2836 Fegjgkla.exe 32 PID 2836 wrote to memory of 2064 2836 Fegjgkla.exe 32 PID 2064 wrote to memory of 2804 2064 Fmnahilc.exe 33 PID 2064 wrote to memory of 2804 2064 Fmnahilc.exe 33 PID 2064 wrote to memory of 2804 2064 Fmnahilc.exe 33 PID 2064 wrote to memory of 2804 2064 Fmnahilc.exe 33 PID 2804 wrote to memory of 2192 2804 Fbkjap32.exe 34 PID 2804 wrote to memory of 2192 2804 Fbkjap32.exe 34 PID 2804 wrote to memory of 2192 2804 Fbkjap32.exe 34 PID 2804 wrote to memory of 2192 2804 Fbkjap32.exe 34 PID 2192 wrote to memory of 2648 2192 Fpokjd32.exe 35 PID 2192 wrote to memory of 2648 2192 Fpokjd32.exe 35 PID 2192 wrote to memory of 2648 2192 Fpokjd32.exe 35 PID 2192 wrote to memory of 2648 2192 Fpokjd32.exe 35 PID 2648 wrote to memory of 2596 2648 Fobkfqpo.exe 36 PID 2648 wrote to memory of 2596 2648 Fobkfqpo.exe 36 PID 2648 wrote to memory of 2596 2648 Fobkfqpo.exe 36 PID 2648 wrote to memory of 2596 2648 Fobkfqpo.exe 36 PID 2596 wrote to memory of 2700 2596 Fodgkp32.exe 37 PID 2596 wrote to memory of 2700 2596 Fodgkp32.exe 37 PID 2596 wrote to memory of 2700 2596 Fodgkp32.exe 37 PID 2596 wrote to memory of 2700 2596 Fodgkp32.exe 37 PID 2700 wrote to memory of 1616 2700 Fenphjei.exe 38 PID 2700 wrote to memory of 1616 2700 Fenphjei.exe 38 PID 2700 wrote to memory of 1616 2700 Fenphjei.exe 38 PID 2700 wrote to memory of 1616 2700 Fenphjei.exe 38 PID 1616 wrote to memory of 332 1616 Gmidlmcd.exe 39 PID 1616 wrote to memory of 332 1616 Gmidlmcd.exe 39 PID 1616 wrote to memory of 332 1616 Gmidlmcd.exe 39 PID 1616 wrote to memory of 332 1616 Gmidlmcd.exe 39 PID 332 wrote to memory of 2888 332 Gdcmig32.exe 40 PID 332 wrote to memory of 2888 332 Gdcmig32.exe 40 PID 332 wrote to memory of 2888 332 Gdcmig32.exe 40 PID 332 wrote to memory of 2888 332 Gdcmig32.exe 40 PID 2888 wrote to memory of 2780 2888 Goiafp32.exe 41 PID 2888 wrote to memory of 2780 2888 Goiafp32.exe 41 PID 2888 wrote to memory of 2780 2888 Goiafp32.exe 41 PID 2888 wrote to memory of 2780 2888 Goiafp32.exe 41 PID 2780 wrote to memory of 1716 2780 Gagmbkik.exe 42 PID 2780 wrote to memory of 1716 2780 Gagmbkik.exe 42 PID 2780 wrote to memory of 1716 2780 Gagmbkik.exe 42 PID 2780 wrote to memory of 1716 2780 Gagmbkik.exe 42 PID 1716 wrote to memory of 2320 1716 Ggdekbgb.exe 43 PID 1716 wrote to memory of 2320 1716 Ggdekbgb.exe 43 PID 1716 wrote to memory of 2320 1716 Ggdekbgb.exe 43 PID 1716 wrote to memory of 2320 1716 Ggdekbgb.exe 43 PID 2320 wrote to memory of 1128 2320 Gmnngl32.exe 44 PID 2320 wrote to memory of 1128 2320 Gmnngl32.exe 44 PID 2320 wrote to memory of 1128 2320 Gmnngl32.exe 44 PID 2320 wrote to memory of 1128 2320 Gmnngl32.exe 44 PID 1128 wrote to memory of 2108 1128 Gckfpc32.exe 45 PID 1128 wrote to memory of 2108 1128 Gckfpc32.exe 45 PID 1128 wrote to memory of 2108 1128 Gckfpc32.exe 45 PID 1128 wrote to memory of 2108 1128 Gckfpc32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe"C:\Users\Admin\AppData\Local\Temp\c312a30fffb4f17d974966cdc0e4a04424012aef01fa4c97407c7a7a6d0ebf4e.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Ffdilo32.exeC:\Windows\system32\Ffdilo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Fbkjap32.exeC:\Windows\system32\Fbkjap32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Fpokjd32.exeC:\Windows\system32\Fpokjd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Fobkfqpo.exeC:\Windows\system32\Fobkfqpo.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Fodgkp32.exeC:\Windows\system32\Fodgkp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Gmidlmcd.exeC:\Windows\system32\Gmidlmcd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Gdcmig32.exeC:\Windows\system32\Gdcmig32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Gagmbkik.exeC:\Windows\system32\Gagmbkik.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ggdekbgb.exeC:\Windows\system32\Ggdekbgb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Gieommdc.exeC:\Windows\system32\Gieommdc.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Gpogiglp.exeC:\Windows\system32\Gpogiglp.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Gpacogjm.exeC:\Windows\system32\Gpacogjm.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Ggklka32.exeC:\Windows\system32\Ggklka32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Hijhhl32.exeC:\Windows\system32\Hijhhl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1396 -
C:\Windows\SysWOW64\Hcblqb32.exeC:\Windows\system32\Hcblqb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Heqimm32.exeC:\Windows\system32\Heqimm32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Hkmaed32.exeC:\Windows\system32\Hkmaed32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Hcdifa32.exeC:\Windows\system32\Hcdifa32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Hlmnogkl.exeC:\Windows\system32\Hlmnogkl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Hokjkbkp.exeC:\Windows\system32\Hokjkbkp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Hhcndhap.exeC:\Windows\system32\Hhcndhap.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Honfqb32.exeC:\Windows\system32\Honfqb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Halcmn32.exeC:\Windows\system32\Halcmn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Hhfkihon.exeC:\Windows\system32\Hhfkihon.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Idmlniea.exeC:\Windows\system32\Idmlniea.exe34⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Igkhjdde.exeC:\Windows\system32\Igkhjdde.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1888 -
C:\Windows\SysWOW64\Inepgn32.exeC:\Windows\system32\Inepgn32.exe36⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Iqcmcj32.exeC:\Windows\system32\Iqcmcj32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe38⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Iqfiii32.exeC:\Windows\system32\Iqfiii32.exe39⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Iianmlfn.exeC:\Windows\system32\Iianmlfn.exe40⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Immjnj32.exeC:\Windows\system32\Immjnj32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Ijqjgo32.exeC:\Windows\system32\Ijqjgo32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Imogcj32.exeC:\Windows\system32\Imogcj32.exe43⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe44⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Iciopdca.exeC:\Windows\system32\Iciopdca.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Imacijjb.exeC:\Windows\system32\Imacijjb.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Joppeeif.exeC:\Windows\system32\Joppeeif.exe48⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Jfjhbo32.exeC:\Windows\system32\Jfjhbo32.exe49⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Jelhmlgm.exeC:\Windows\system32\Jelhmlgm.exe50⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Jkfpjf32.exeC:\Windows\system32\Jkfpjf32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe52⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe54⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Jkimpfmg.exeC:\Windows\system32\Jkimpfmg.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Jeaahk32.exeC:\Windows\system32\Jeaahk32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:796 -
C:\Windows\SysWOW64\Jcdadhjb.exeC:\Windows\system32\Jcdadhjb.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe59⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Jmlfmn32.exeC:\Windows\system32\Jmlfmn32.exe61⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Jahbmlil.exeC:\Windows\system32\Jahbmlil.exe62⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Jcfoihhp.exeC:\Windows\system32\Jcfoihhp.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe64⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Jnlbgq32.exeC:\Windows\system32\Jnlbgq32.exe65⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe66⤵PID:1872
-
C:\Windows\SysWOW64\Jpmooind.exeC:\Windows\system32\Jpmooind.exe67⤵
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Kjbclamj.exeC:\Windows\system32\Kjbclamj.exe69⤵PID:1152
-
C:\Windows\SysWOW64\Kbnhpdke.exeC:\Windows\system32\Kbnhpdke.exe70⤵
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Kfidqb32.exeC:\Windows\system32\Kfidqb32.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Kmclmm32.exeC:\Windows\system32\Kmclmm32.exe72⤵
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Kpbhjh32.exeC:\Windows\system32\Kpbhjh32.exe73⤵PID:3040
-
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe74⤵PID:2772
-
C:\Windows\SysWOW64\Keoabo32.exeC:\Windows\system32\Keoabo32.exe75⤵
- System Location Discovery: System Language Discovery
PID:236 -
C:\Windows\SysWOW64\Klhioioc.exeC:\Windows\system32\Klhioioc.exe76⤵PID:2360
-
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe77⤵PID:2712
-
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe78⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Keango32.exeC:\Windows\system32\Keango32.exe79⤵
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe80⤵
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Kbenacdm.exeC:\Windows\system32\Kbenacdm.exe82⤵PID:1908
-
C:\Windows\SysWOW64\Kecjmodq.exeC:\Windows\system32\Kecjmodq.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1884 -
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Lolofd32.exeC:\Windows\system32\Lolofd32.exe85⤵PID:2548
-
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe86⤵PID:2588
-
C:\Windows\SysWOW64\Lhdcojaa.exeC:\Windows\system32\Lhdcojaa.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Llpoohik.exeC:\Windows\system32\Llpoohik.exe88⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Lonlkcho.exeC:\Windows\system32\Lonlkcho.exe89⤵PID:1376
-
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe90⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Ldkdckff.exeC:\Windows\system32\Ldkdckff.exe91⤵PID:1852
-
C:\Windows\SysWOW64\Lhfpdi32.exeC:\Windows\system32\Lhfpdi32.exe92⤵PID:928
-
C:\Windows\SysWOW64\Lkelpd32.exeC:\Windows\system32\Lkelpd32.exe93⤵PID:1524
-
C:\Windows\SysWOW64\Laodmoep.exeC:\Windows\system32\Laodmoep.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2504 -
C:\Windows\SysWOW64\Lpaehl32.exeC:\Windows\system32\Lpaehl32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2128 -
C:\Windows\SysWOW64\Ldmaijdc.exeC:\Windows\system32\Ldmaijdc.exe96⤵PID:2708
-
C:\Windows\SysWOW64\Lkgifd32.exeC:\Windows\system32\Lkgifd32.exe97⤵PID:2620
-
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe98⤵PID:1856
-
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe100⤵PID:2852
-
C:\Windows\SysWOW64\Lkifkdjm.exeC:\Windows\system32\Lkifkdjm.exe101⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe102⤵PID:408
-
C:\Windows\SysWOW64\Lpfnckhe.exeC:\Windows\system32\Lpfnckhe.exe103⤵PID:2452
-
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe104⤵PID:1696
-
C:\Windows\SysWOW64\Mecglbfl.exeC:\Windows\system32\Mecglbfl.exe105⤵
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Mmjomogn.exeC:\Windows\system32\Mmjomogn.exe106⤵
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Mcggef32.exeC:\Windows\system32\Mcggef32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Meecaa32.exeC:\Windows\system32\Meecaa32.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Mhdpnm32.exeC:\Windows\system32\Mhdpnm32.exe110⤵PID:2572
-
C:\Windows\SysWOW64\Mpkhoj32.exeC:\Windows\system32\Mpkhoj32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:668 -
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe112⤵PID:1468
-
C:\Windows\SysWOW64\Miclhpjp.exeC:\Windows\system32\Miclhpjp.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe114⤵PID:812
-
C:\Windows\SysWOW64\Mkdioh32.exeC:\Windows\system32\Mkdioh32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Mclqqeaq.exeC:\Windows\system32\Mclqqeaq.exe116⤵PID:768
-
C:\Windows\SysWOW64\Mejmmqpd.exeC:\Windows\system32\Mejmmqpd.exe117⤵PID:2464
-
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Mkgeehnl.exeC:\Windows\system32\Mkgeehnl.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe122⤵PID:3028
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-