Analysis
-
max time kernel
118s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
24/08/2024, 07:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f6a036c520e69e5b004704a95c14dbe0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f6a036c520e69e5b004704a95c14dbe0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f6a036c520e69e5b004704a95c14dbe0N.exe
-
Size
391KB
-
MD5
f6a036c520e69e5b004704a95c14dbe0
-
SHA1
46c96d112efa88c90ab29a96c9d911595b9cb284
-
SHA256
df49ac50d71e0d8d2b2f4cca1158a7e5037b2814cfa72804cb9e7af871af5253
-
SHA512
af689c413f20503a5f60fec9c4c4f6d9e824678d30e30df2e282a69f926df825ff3ae86a60f99d751f9f60d62368a20f04faea2b003c81ccf72cc413dc6cb621
-
SSDEEP
6144:ZVKMkSi9jaAfbAfNtTAfMAfFAfNPUmKyIxLfYeOO9UmKyIxL:ZHkSGmNtuhUNP3cOK3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkehhlef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggabhmge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipcjlaqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqfdlmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coofoghn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eikmkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edenlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffomjgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibfcei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdldmokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffomjgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afaieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpphlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Folknlae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgoknohj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfoea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpqlmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbajjiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgddin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcjpcmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joomnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmdgqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpnogmbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhchlcjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhamp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ialpfeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqfdlmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Janijh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggabhmge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bglhcihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciggap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eljihn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipqmgbbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaklei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bibagmhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmkmao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmkipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hchcmnlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhjok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajcbpbkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffnpdip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgfkoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbdfoiki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjdeaohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmkmao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eafapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnfekdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfknpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bglhcihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janijh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eafapd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gndedhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" f6a036c520e69e5b004704a95c14dbe0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okciddnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmiqlpge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaigab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajfoea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afaieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bojmogak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eakkkdnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gigllafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijfadkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcohih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdldmokn.exe -
Executes dropped EXE 64 IoCs
pid Process 3040 Obhdpaqm.exe 2364 Odiagj32.exe 2712 Okciddnh.exe 2692 Odnjbibf.exe 2804 Opdkgj32.exe 2764 Onhkan32.exe 2632 Oecpeqdo.exe 1660 Ppidbidd.exe 2124 Pcgqoech.exe 2908 Pjdeaohb.exe 2872 Pcljjd32.exe 2876 Pldobjec.exe 3000 Pkjkdfjk.exe 1732 Pqfdlmic.exe 2760 Qnkdeagl.exe 2120 Qcgmnh32.exe 2380 Ageedflj.exe 1700 Ajcbpbkn.exe 472 Ajfoea32.exe 1472 Amdkam32.exe 2652 Ajhkka32.exe 308 Amgggm32.exe 652 Ainhln32.exe 1568 Afaieb32.exe 1268 Aediaoae.exe 2188 Bojmogak.exe 2240 Bibagmhk.exe 2720 Bnojpdfb.exe 2852 Bamfloef.exe 2588 Bmdgqp32.exe 2568 Bfmlif32.exe 108 Bndckc32.exe 2388 Bglhcihn.exe 2176 Bjjdpdga.exe 888 Bmiqlpge.exe 1648 Cfaedeme.exe 2856 Cmkmao32.exe 2892 Cefbfa32.exe 2944 Cmnjgo32.exe 1300 Coofoghn.exe 2456 Cffnpdip.exe 2100 Clcghk32.exe 568 Coacdg32.exe 2956 Ciggap32.exe 2096 Cdphbm32.exe 2016 Clgpckcb.exe 2936 Ckjqog32.exe 876 Dadikaaj.exe 2516 Dhnahl32.exe 2708 Dmkipb32.exe 1056 Ddeammok.exe 2572 Dgcnihnn.exe 2740 Dmmffbek.exe 2584 Dplbbndo.exe 2616 Dgfkoh32.exe 1128 Didgkc32.exe 2284 Dpnogmbl.exe 2924 Dcmkciap.exe 1184 Dekgpdqc.exe 1368 Dmbpaa32.exe 1704 Dpqlmm32.exe 2436 Dcohih32.exe 1088 Eiipfbgj.exe 1532 Elgmbnfn.exe -
Loads dropped DLL 64 IoCs
pid Process 2260 f6a036c520e69e5b004704a95c14dbe0N.exe 2260 f6a036c520e69e5b004704a95c14dbe0N.exe 3040 Obhdpaqm.exe 3040 Obhdpaqm.exe 2364 Odiagj32.exe 2364 Odiagj32.exe 2712 Okciddnh.exe 2712 Okciddnh.exe 2692 Odnjbibf.exe 2692 Odnjbibf.exe 2804 Opdkgj32.exe 2804 Opdkgj32.exe 2764 Onhkan32.exe 2764 Onhkan32.exe 2632 Oecpeqdo.exe 2632 Oecpeqdo.exe 1660 Ppidbidd.exe 1660 Ppidbidd.exe 2124 Pcgqoech.exe 2124 Pcgqoech.exe 2908 Pjdeaohb.exe 2908 Pjdeaohb.exe 2872 Pcljjd32.exe 2872 Pcljjd32.exe 2876 Pldobjec.exe 2876 Pldobjec.exe 3000 Pkjkdfjk.exe 3000 Pkjkdfjk.exe 1732 Pqfdlmic.exe 1732 Pqfdlmic.exe 2760 Qnkdeagl.exe 2760 Qnkdeagl.exe 2120 Qcgmnh32.exe 2120 Qcgmnh32.exe 2380 Ageedflj.exe 2380 Ageedflj.exe 1700 Ajcbpbkn.exe 1700 Ajcbpbkn.exe 472 Ajfoea32.exe 472 Ajfoea32.exe 1472 Amdkam32.exe 1472 Amdkam32.exe 2652 Ajhkka32.exe 2652 Ajhkka32.exe 308 Amgggm32.exe 308 Amgggm32.exe 652 Ainhln32.exe 652 Ainhln32.exe 1568 Afaieb32.exe 1568 Afaieb32.exe 1268 Aediaoae.exe 1268 Aediaoae.exe 2188 Bojmogak.exe 2188 Bojmogak.exe 2240 Bibagmhk.exe 2240 Bibagmhk.exe 2720 Bnojpdfb.exe 2720 Bnojpdfb.exe 2852 Bamfloef.exe 2852 Bamfloef.exe 2588 Bmdgqp32.exe 2588 Bmdgqp32.exe 2568 Bfmlif32.exe 2568 Bfmlif32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Coacdg32.exe Clcghk32.exe File opened for modification C:\Windows\SysWOW64\Hffpiikm.exe Hchcmnlj.exe File created C:\Windows\SysWOW64\Nboohcij.dll Inmdjjok.exe File created C:\Windows\SysWOW64\Cgppnnln.dll Amgggm32.exe File created C:\Windows\SysWOW64\Geolio32.dll Hpodbo32.exe File opened for modification C:\Windows\SysWOW64\Eklicjkf.exe Eljihn32.exe File opened for modification C:\Windows\SysWOW64\Hfkidh32.exe Hbomdjoo.exe File created C:\Windows\SysWOW64\Lmphlhmc.dll Ffdgef32.exe File created C:\Windows\SysWOW64\Fnfekdpl.exe Ffomjgoj.exe File opened for modification C:\Windows\SysWOW64\Bmiqlpge.exe Bjjdpdga.exe File opened for modification C:\Windows\SysWOW64\Eccadhkh.exe Eklicjkf.exe File created C:\Windows\SysWOW64\Enmbeehg.exe Ellfmm32.exe File created C:\Windows\SysWOW64\Gfippego.exe Gbmdpg32.exe File created C:\Windows\SysWOW64\Hpaaho32.exe Higikdhn.exe File created C:\Windows\SysWOW64\Acmlqg32.dll Bamfloef.exe File created C:\Windows\SysWOW64\Pdpfpofk.dll Eoeiniea.exe File opened for modification C:\Windows\SysWOW64\Eljihn32.exe Eikmkbeg.exe File opened for modification C:\Windows\SysWOW64\Janijh32.exe Joomnm32.exe File created C:\Windows\SysWOW64\Gcalcoom.dll Joomnm32.exe File opened for modification C:\Windows\SysWOW64\Cdphbm32.exe Ciggap32.exe File created C:\Windows\SysWOW64\Eakkkdnm.exe Enpoje32.exe File opened for modification C:\Windows\SysWOW64\Ehechn32.exe Eakkkdnm.exe File created C:\Windows\SysWOW64\Gjmbohhl.exe Gccjbo32.exe File created C:\Windows\SysWOW64\Glfmnp32.dll Cdphbm32.exe File created C:\Windows\SysWOW64\Clcghk32.exe Cffnpdip.exe File opened for modification C:\Windows\SysWOW64\Dadikaaj.exe Ckjqog32.exe File created C:\Windows\SysWOW64\Dgfkoh32.exe Dplbbndo.exe File opened for modification C:\Windows\SysWOW64\Dgfkoh32.exe Dplbbndo.exe File created C:\Windows\SysWOW64\Dmbpaa32.exe Dekgpdqc.exe File opened for modification C:\Windows\SysWOW64\Gaigab32.exe Gnkkeg32.exe File created C:\Windows\SysWOW64\Hnhjok32.exe Hljnbo32.exe File created C:\Windows\SysWOW64\Bmiimabd.dll Ainhln32.exe File created C:\Windows\SysWOW64\Hdiekq32.dll Kpoegc32.exe File opened for modification C:\Windows\SysWOW64\Enmbeehg.exe Ellfmm32.exe File opened for modification C:\Windows\SysWOW64\Fndhed32.exe Fjimefie.exe File created C:\Windows\SysWOW64\Jmmloeec.dll Fffckf32.exe File created C:\Windows\SysWOW64\Gccjbo32.exe Gqenfc32.exe File opened for modification C:\Windows\SysWOW64\Lfnkejeg.exe Lbbodk32.exe File opened for modification C:\Windows\SysWOW64\Ajcbpbkn.exe Ageedflj.exe File created C:\Windows\SysWOW64\Ffiedlhj.dll Dekgpdqc.exe File created C:\Windows\SysWOW64\Efahad32.dll Giiibqdp.exe File opened for modification C:\Windows\SysWOW64\Ieepad32.exe Ibfcei32.exe File created C:\Windows\SysWOW64\Onhkan32.exe Opdkgj32.exe File created C:\Windows\SysWOW64\Fhbcaa32.exe Ffdgef32.exe File opened for modification C:\Windows\SysWOW64\Hnhjok32.exe Hljnbo32.exe File opened for modification C:\Windows\SysWOW64\Kgoknohj.exe Kdaoacif.exe File created C:\Windows\SysWOW64\Gongob32.dll Kdaoacif.exe File opened for modification C:\Windows\SysWOW64\Pkjkdfjk.exe Pldobjec.exe File opened for modification C:\Windows\SysWOW64\Higikdhn.exe Hcjpcmjg.exe File opened for modification C:\Windows\SysWOW64\Hpaaho32.exe Higikdhn.exe File opened for modification C:\Windows\SysWOW64\Hbajjiml.exe Hlhamp32.exe File created C:\Windows\SysWOW64\Dadikaaj.exe Ckjqog32.exe File opened for modification C:\Windows\SysWOW64\Pjdeaohb.exe Pcgqoech.exe File opened for modification C:\Windows\SysWOW64\Clcghk32.exe Cffnpdip.exe File created C:\Windows\SysWOW64\Ehechn32.exe Eakkkdnm.exe File created C:\Windows\SysWOW64\Cgockh32.dll Kaeokg32.exe File created C:\Windows\SysWOW64\Dkminf32.dll Kfiajj32.exe File created C:\Windows\SysWOW64\Ohgopl32.dll Opdkgj32.exe File created C:\Windows\SysWOW64\Jnbccn32.dll Enblpe32.exe File opened for modification C:\Windows\SysWOW64\Ialpfeno.exe Inmdjjok.exe File created C:\Windows\SysWOW64\Iploja32.dll Jllggbde.exe File opened for modification C:\Windows\SysWOW64\Joomnm32.exe Jlaqba32.exe File opened for modification C:\Windows\SysWOW64\Eadejede.exe Eoeiniea.exe File created C:\Windows\SysWOW64\Bnojpdfb.exe Bibagmhk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3744 3720 WerFault.exe 222 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedlph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngfei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjqog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadikaaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgfkoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinolcbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odnjbibf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigllafc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Japfphle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okciddnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikmkbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehechn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffpiikm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipqmgbbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabbehjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckeno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfknpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqfdlmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmdjjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfiajj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffckf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjpcmjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmigke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhpflblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnogmbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhkka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpphlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbcaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfippego.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieepad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppidbidd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnojpdfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnfekdpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gndedhdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqenfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbomdjoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllggbde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageedflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoeiniea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchcmnlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfcei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcnihnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmffbek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmbeehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpodbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jegheghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmkmao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopqoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeiekgfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folknlae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkehhlef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhenlcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlaqba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgpckcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgmbnfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhjnmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgddin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainhln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bndckc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goohckob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfajgbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f6a036c520e69e5b004704a95c14dbe0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidledja.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mimilgnj.dll" Ialpfeno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaeokg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnojpdfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmkipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfjeppd.dll" Dgcnihnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eadejede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjmbohhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmiqlpge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpqlmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hinolcbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikinjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amgggm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfifc32.dll" Cefbfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coacdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhdigjp.dll" Eafapd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Folknlae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opdkgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enmbeehg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbmdpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieepad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciggap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mddigg32.dll" Gaigab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joomnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jngfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbliiipi.dll" Kgoknohj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Higikdhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjngjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} f6a036c520e69e5b004704a95c14dbe0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcgmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhpflblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqenfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcjpcmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcljjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjhofa32.dll" Bojmogak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egegnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkhfhaea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcohih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennabb32.dll" Higikdhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllpfdfe.dll" Knnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joafii32.dll" Ajfoea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajfoea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elgmbnfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffdgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daonhboj.dll" Hbdfoiki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpaaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neilfn32.dll" Jegheghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlaqba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkjkdfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbajjiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfmnp32.dll" Cdphbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eccadhkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqnahdk.dll" Jgmnhojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cffnpdip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecmji32.dll" Hbomdjoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgaphb32.dll" Hnhjok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Calgci32.dll" Kfknpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ainhln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmepiqlp.dll" Dmkipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eikmkbeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eafapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aifqec32.dll" Eomoohoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijfadkbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibafhmph.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2260 wrote to memory of 3040 2260 f6a036c520e69e5b004704a95c14dbe0N.exe 29 PID 2260 wrote to memory of 3040 2260 f6a036c520e69e5b004704a95c14dbe0N.exe 29 PID 2260 wrote to memory of 3040 2260 f6a036c520e69e5b004704a95c14dbe0N.exe 29 PID 2260 wrote to memory of 3040 2260 f6a036c520e69e5b004704a95c14dbe0N.exe 29 PID 3040 wrote to memory of 2364 3040 Obhdpaqm.exe 30 PID 3040 wrote to memory of 2364 3040 Obhdpaqm.exe 30 PID 3040 wrote to memory of 2364 3040 Obhdpaqm.exe 30 PID 3040 wrote to memory of 2364 3040 Obhdpaqm.exe 30 PID 2364 wrote to memory of 2712 2364 Odiagj32.exe 31 PID 2364 wrote to memory of 2712 2364 Odiagj32.exe 31 PID 2364 wrote to memory of 2712 2364 Odiagj32.exe 31 PID 2364 wrote to memory of 2712 2364 Odiagj32.exe 31 PID 2712 wrote to memory of 2692 2712 Okciddnh.exe 32 PID 2712 wrote to memory of 2692 2712 Okciddnh.exe 32 PID 2712 wrote to memory of 2692 2712 Okciddnh.exe 32 PID 2712 wrote to memory of 2692 2712 Okciddnh.exe 32 PID 2692 wrote to memory of 2804 2692 Odnjbibf.exe 33 PID 2692 wrote to memory of 2804 2692 Odnjbibf.exe 33 PID 2692 wrote to memory of 2804 2692 Odnjbibf.exe 33 PID 2692 wrote to memory of 2804 2692 Odnjbibf.exe 33 PID 2804 wrote to memory of 2764 2804 Opdkgj32.exe 34 PID 2804 wrote to memory of 2764 2804 Opdkgj32.exe 34 PID 2804 wrote to memory of 2764 2804 Opdkgj32.exe 34 PID 2804 wrote to memory of 2764 2804 Opdkgj32.exe 34 PID 2764 wrote to memory of 2632 2764 Onhkan32.exe 35 PID 2764 wrote to memory of 2632 2764 Onhkan32.exe 35 PID 2764 wrote to memory of 2632 2764 Onhkan32.exe 35 PID 2764 wrote to memory of 2632 2764 Onhkan32.exe 35 PID 2632 wrote to memory of 1660 2632 Oecpeqdo.exe 36 PID 2632 wrote to memory of 1660 2632 Oecpeqdo.exe 36 PID 2632 wrote to memory of 1660 2632 Oecpeqdo.exe 36 PID 2632 wrote to memory of 1660 2632 Oecpeqdo.exe 36 PID 1660 wrote to memory of 2124 1660 Ppidbidd.exe 37 PID 1660 wrote to memory of 2124 1660 Ppidbidd.exe 37 PID 1660 wrote to memory of 2124 1660 Ppidbidd.exe 37 PID 1660 wrote to memory of 2124 1660 Ppidbidd.exe 37 PID 2124 wrote to memory of 2908 2124 Pcgqoech.exe 38 PID 2124 wrote to memory of 2908 2124 Pcgqoech.exe 38 PID 2124 wrote to memory of 2908 2124 Pcgqoech.exe 38 PID 2124 wrote to memory of 2908 2124 Pcgqoech.exe 38 PID 2908 wrote to memory of 2872 2908 Pjdeaohb.exe 39 PID 2908 wrote to memory of 2872 2908 Pjdeaohb.exe 39 PID 2908 wrote to memory of 2872 2908 Pjdeaohb.exe 39 PID 2908 wrote to memory of 2872 2908 Pjdeaohb.exe 39 PID 2872 wrote to memory of 2876 2872 Pcljjd32.exe 40 PID 2872 wrote to memory of 2876 2872 Pcljjd32.exe 40 PID 2872 wrote to memory of 2876 2872 Pcljjd32.exe 40 PID 2872 wrote to memory of 2876 2872 Pcljjd32.exe 40 PID 2876 wrote to memory of 3000 2876 Pldobjec.exe 41 PID 2876 wrote to memory of 3000 2876 Pldobjec.exe 41 PID 2876 wrote to memory of 3000 2876 Pldobjec.exe 41 PID 2876 wrote to memory of 3000 2876 Pldobjec.exe 41 PID 3000 wrote to memory of 1732 3000 Pkjkdfjk.exe 42 PID 3000 wrote to memory of 1732 3000 Pkjkdfjk.exe 42 PID 3000 wrote to memory of 1732 3000 Pkjkdfjk.exe 42 PID 3000 wrote to memory of 1732 3000 Pkjkdfjk.exe 42 PID 1732 wrote to memory of 2760 1732 Pqfdlmic.exe 43 PID 1732 wrote to memory of 2760 1732 Pqfdlmic.exe 43 PID 1732 wrote to memory of 2760 1732 Pqfdlmic.exe 43 PID 1732 wrote to memory of 2760 1732 Pqfdlmic.exe 43 PID 2760 wrote to memory of 2120 2760 Qnkdeagl.exe 44 PID 2760 wrote to memory of 2120 2760 Qnkdeagl.exe 44 PID 2760 wrote to memory of 2120 2760 Qnkdeagl.exe 44 PID 2760 wrote to memory of 2120 2760 Qnkdeagl.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6a036c520e69e5b004704a95c14dbe0N.exe"C:\Users\Admin\AppData\Local\Temp\f6a036c520e69e5b004704a95c14dbe0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Obhdpaqm.exeC:\Windows\system32\Obhdpaqm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Odiagj32.exeC:\Windows\system32\Odiagj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Okciddnh.exeC:\Windows\system32\Okciddnh.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Odnjbibf.exeC:\Windows\system32\Odnjbibf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Opdkgj32.exeC:\Windows\system32\Opdkgj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Onhkan32.exeC:\Windows\system32\Onhkan32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Oecpeqdo.exeC:\Windows\system32\Oecpeqdo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Ppidbidd.exeC:\Windows\system32\Ppidbidd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Pcgqoech.exeC:\Windows\system32\Pcgqoech.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Pjdeaohb.exeC:\Windows\system32\Pjdeaohb.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Pcljjd32.exeC:\Windows\system32\Pcljjd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Pldobjec.exeC:\Windows\system32\Pldobjec.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Pkjkdfjk.exeC:\Windows\system32\Pkjkdfjk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Pqfdlmic.exeC:\Windows\system32\Pqfdlmic.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Qnkdeagl.exeC:\Windows\system32\Qnkdeagl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Qcgmnh32.exeC:\Windows\system32\Qcgmnh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ageedflj.exeC:\Windows\system32\Ageedflj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Ajcbpbkn.exeC:\Windows\system32\Ajcbpbkn.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Ajfoea32.exeC:\Windows\system32\Ajfoea32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Amdkam32.exeC:\Windows\system32\Amdkam32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Ajhkka32.exeC:\Windows\system32\Ajhkka32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Amgggm32.exeC:\Windows\system32\Amgggm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:308 -
C:\Windows\SysWOW64\Ainhln32.exeC:\Windows\system32\Ainhln32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:652 -
C:\Windows\SysWOW64\Afaieb32.exeC:\Windows\system32\Afaieb32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Aediaoae.exeC:\Windows\system32\Aediaoae.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Bojmogak.exeC:\Windows\system32\Bojmogak.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Bibagmhk.exeC:\Windows\system32\Bibagmhk.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Bnojpdfb.exeC:\Windows\system32\Bnojpdfb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Bamfloef.exeC:\Windows\system32\Bamfloef.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Bmdgqp32.exeC:\Windows\system32\Bmdgqp32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Bfmlif32.exeC:\Windows\system32\Bfmlif32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Bndckc32.exeC:\Windows\system32\Bndckc32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:108 -
C:\Windows\SysWOW64\Bglhcihn.exeC:\Windows\system32\Bglhcihn.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Bjjdpdga.exeC:\Windows\system32\Bjjdpdga.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Bmiqlpge.exeC:\Windows\system32\Bmiqlpge.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Cfaedeme.exeC:\Windows\system32\Cfaedeme.exe37⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Cmkmao32.exeC:\Windows\system32\Cmkmao32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Cefbfa32.exeC:\Windows\system32\Cefbfa32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Cmnjgo32.exeC:\Windows\system32\Cmnjgo32.exe40⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Coofoghn.exeC:\Windows\system32\Coofoghn.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Cffnpdip.exeC:\Windows\system32\Cffnpdip.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Clcghk32.exeC:\Windows\system32\Clcghk32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Coacdg32.exeC:\Windows\system32\Coacdg32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Ciggap32.exeC:\Windows\system32\Ciggap32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Cdphbm32.exeC:\Windows\system32\Cdphbm32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Clgpckcb.exeC:\Windows\system32\Clgpckcb.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Ckjqog32.exeC:\Windows\system32\Ckjqog32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Dadikaaj.exeC:\Windows\system32\Dadikaaj.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Dhnahl32.exeC:\Windows\system32\Dhnahl32.exe50⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Dmkipb32.exeC:\Windows\system32\Dmkipb32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Ddeammok.exeC:\Windows\system32\Ddeammok.exe52⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Dgcnihnn.exeC:\Windows\system32\Dgcnihnn.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Dmmffbek.exeC:\Windows\system32\Dmmffbek.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Dplbbndo.exeC:\Windows\system32\Dplbbndo.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Dgfkoh32.exeC:\Windows\system32\Dgfkoh32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Didgkc32.exeC:\Windows\system32\Didgkc32.exe57⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Dpnogmbl.exeC:\Windows\system32\Dpnogmbl.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Dcmkciap.exeC:\Windows\system32\Dcmkciap.exe59⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Dekgpdqc.exeC:\Windows\system32\Dekgpdqc.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\Dmbpaa32.exeC:\Windows\system32\Dmbpaa32.exe61⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Dpqlmm32.exeC:\Windows\system32\Dpqlmm32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Dcohih32.exeC:\Windows\system32\Dcohih32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Eiipfbgj.exeC:\Windows\system32\Eiipfbgj.exe64⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Elgmbnfn.exeC:\Windows\system32\Elgmbnfn.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Eoeiniea.exeC:\Windows\system32\Eoeiniea.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Eadejede.exeC:\Windows\system32\Eadejede.exe67⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Eikmkbeg.exeC:\Windows\system32\Eikmkbeg.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Eljihn32.exeC:\Windows\system32\Eljihn32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Eklicjkf.exeC:\Windows\system32\Eklicjkf.exe70⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Eccadhkh.exeC:\Windows\system32\Eccadhkh.exe71⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Eafapd32.exeC:\Windows\system32\Eafapd32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Edenlp32.exeC:\Windows\system32\Edenlp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Ellfmm32.exeC:\Windows\system32\Ellfmm32.exe74⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Enmbeehg.exeC:\Windows\system32\Enmbeehg.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Egegnk32.exeC:\Windows\system32\Egegnk32.exe76⤵
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Eomoohoi.exeC:\Windows\system32\Eomoohoi.exe77⤵
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Enpoje32.exeC:\Windows\system32\Enpoje32.exe78⤵
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Eakkkdnm.exeC:\Windows\system32\Eakkkdnm.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Ehechn32.exeC:\Windows\system32\Ehechn32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Ekcpdi32.exeC:\Windows\system32\Ekcpdi32.exe81⤵PID:2900
-
C:\Windows\SysWOW64\Enblpe32.exeC:\Windows\system32\Enblpe32.exe82⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Fpphlp32.exeC:\Windows\system32\Fpphlp32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Fdldmokn.exeC:\Windows\system32\Fdldmokn.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Fjimefie.exeC:\Windows\system32\Fjimefie.exe85⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Fndhed32.exeC:\Windows\system32\Fndhed32.exe86⤵PID:2780
-
C:\Windows\SysWOW64\Fcaankpf.exeC:\Windows\system32\Fcaankpf.exe87⤵PID:2808
-
C:\Windows\SysWOW64\Ffomjgoj.exeC:\Windows\system32\Ffomjgoj.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Fnfekdpl.exeC:\Windows\system32\Fnfekdpl.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Fqeagpop.exeC:\Windows\system32\Fqeagpop.exe90⤵PID:2940
-
C:\Windows\SysWOW64\Fgojdj32.exeC:\Windows\system32\Fgojdj32.exe91⤵PID:1500
-
C:\Windows\SysWOW64\Fhpflblk.exeC:\Windows\system32\Fhpflblk.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Fqgnmo32.exeC:\Windows\system32\Fqgnmo32.exe93⤵PID:2036
-
C:\Windows\SysWOW64\Fcfjik32.exeC:\Windows\system32\Fcfjik32.exe94⤵PID:2352
-
C:\Windows\SysWOW64\Ffdgef32.exeC:\Windows\system32\Ffdgef32.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Fhbcaa32.exeC:\Windows\system32\Fhbcaa32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Folknlae.exeC:\Windows\system32\Folknlae.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Fffckf32.exeC:\Windows\system32\Fffckf32.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Gmqlgppo.exeC:\Windows\system32\Gmqlgppo.exe99⤵PID:1696
-
C:\Windows\SysWOW64\Goohckob.exeC:\Windows\system32\Goohckob.exe100⤵
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Gbmdpg32.exeC:\Windows\system32\Gbmdpg32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Gfippego.exeC:\Windows\system32\Gfippego.exe102⤵
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Gigllafc.exeC:\Windows\system32\Gigllafc.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:532 -
C:\Windows\SysWOW64\Gkehhlef.exeC:\Windows\system32\Gkehhlef.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Gndedhdj.exeC:\Windows\system32\Gndedhdj.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Gqbaqccn.exeC:\Windows\system32\Gqbaqccn.exe106⤵PID:2860
-
C:\Windows\SysWOW64\Giiibqdp.exeC:\Windows\system32\Giiibqdp.exe107⤵
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Gkhenlcd.exeC:\Windows\system32\Gkhenlcd.exe108⤵
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Gnfajgbg.exeC:\Windows\system32\Gnfajgbg.exe109⤵
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Gqenfc32.exeC:\Windows\system32\Gqenfc32.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Gccjbo32.exeC:\Windows\system32\Gccjbo32.exe111⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Gjmbohhl.exeC:\Windows\system32\Gjmbohhl.exe112⤵
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Gninpg32.exeC:\Windows\system32\Gninpg32.exe113⤵PID:112
-
C:\Windows\SysWOW64\Gebflaga.exeC:\Windows\system32\Gebflaga.exe114⤵PID:2024
-
C:\Windows\SysWOW64\Ggabhmge.exeC:\Windows\system32\Ggabhmge.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Gnkkeg32.exeC:\Windows\system32\Gnkkeg32.exe116⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Gaigab32.exeC:\Windows\system32\Gaigab32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Hchcmnlj.exeC:\Windows\system32\Hchcmnlj.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Hffpiikm.exeC:\Windows\system32\Hffpiikm.exe119⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Hidledja.exeC:\Windows\system32\Hidledja.exe120⤵
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Haldgbkc.exeC:\Windows\system32\Haldgbkc.exe121⤵PID:2916
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-