Analysis
-
max time kernel
142s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
29/08/2024, 05:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4.exe
-
Size
45KB
-
MD5
36d25cde40af2d404c006765aae92e3b
-
SHA1
648e4406c4fda0b05df5171cf1380b2acf68f40a
-
SHA256
fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4
-
SHA512
7f7c3fb30daed935eb8c59e91e67c0f6ca1a8b66183b2910914aaea64f4b29f70b572ad5c5ebecc39645919e8412574e0dec90c90d227a38f576f1e42009a3da
-
SSDEEP
768:s2fx7hPEZ0Xs3uEglxUjXejXL7Da0WZ9wAmA0g3iX/1H5+:VfzEZ8xg4XPu0WZ93mFg3ipA
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpfiekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghlgdecf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haiagm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbadcbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enomam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjmpfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okbgkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkohanoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaknmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikhlaaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgdijk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfeegfkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehlbihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hakani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkpchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okgpfjbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogldfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Angafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caajmilh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Docjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjohbgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecpipck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moecghdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idlgohcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miekhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beccgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfnfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomaaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfekbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcgppana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egedebgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fglkeaqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnfoao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbcjfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egchocif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iopeagip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nppceo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjplj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgbeqjpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opoocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnlobhne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djahmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfadeaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpcbol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbilimn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhhlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdchifik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdnmda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpjjaiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgcec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haiagm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidmniqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mddidnqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpehje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikibkhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moecghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laccdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngikaijm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecabfpff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgnie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpkpie32.exe -
Executes dropped EXE 64 IoCs
pid Process 1812 Hhfqejoh.exe 2240 Hkdmaenk.exe 2080 Hejaon32.exe 2576 Hgknffcp.exe 2600 Hobfgcdb.exe 2068 Hpcbol32.exe 2888 Hhkjpi32.exe 2360 Hgnjlfam.exe 672 Hngbhp32.exe 1696 Hpfoekhm.exe 536 Hcdkagga.exe 2628 Hkkcbdhc.exe 2680 Hnjonpgg.exe 1780 Hphljkfk.exe 2400 Hcghffen.exe 2156 Heedbbdb.exe 2860 Hnllcoed.exe 1424 Ipkhpk32.exe 2084 Icidlf32.exe 1588 Igdqmeke.exe 484 Ijcmipjh.exe 2288 Ilaieljl.exe 1028 Iopeagip.exe 928 Ianambhc.exe 1020 Ijeinphf.exe 1328 Ihhjjm32.exe 1784 Icnngeof.exe 1764 Iaqnbb32.exe 2572 Ikibkhla.exe 3000 Iackhb32.exe 2856 Ifngiqlg.exe 2368 Igpcpi32.exe 2332 Iogkaf32.exe 2740 Iqhhin32.exe 2364 Ihopjl32.exe 2432 Jjqlbdog.exe 932 Jbgdcapi.exe 2648 Jciaki32.exe 1300 Jgdmkhnp.exe 1768 Jqmadn32.exe 1796 Jdhmel32.exe 1040 Jcknqicd.exe 3008 Jjefmc32.exe 2076 Jqonjmbn.exe 1788 Jflfbdqe.exe 944 Jijbnppi.exe 1348 Jodkkj32.exe 1440 Jcpglhpo.exe 1320 Jjjohbgl.exe 1680 Jimodo32.exe 2552 Jkklpk32.exe 1324 Jofhqiec.exe 2748 Kfqpmc32.exe 2976 Kecpipck.exe 2392 Kiolio32.exe 2376 Kkmhej32.exe 1008 Koidficq.exe 2660 Kbgqbdbd.exe 2248 Kfcmcckn.exe 2724 Kiaiooja.exe 1136 Kgdijk32.exe 2160 Kpkali32.exe 2904 Knnagehi.exe 2148 Kamncagl.exe -
Loads dropped DLL 64 IoCs
pid Process 2876 fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4.exe 2876 fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4.exe 1812 Hhfqejoh.exe 1812 Hhfqejoh.exe 2240 Hkdmaenk.exe 2240 Hkdmaenk.exe 2080 Hejaon32.exe 2080 Hejaon32.exe 2576 Hgknffcp.exe 2576 Hgknffcp.exe 2600 Hobfgcdb.exe 2600 Hobfgcdb.exe 2068 Hpcbol32.exe 2068 Hpcbol32.exe 2888 Hhkjpi32.exe 2888 Hhkjpi32.exe 2360 Hgnjlfam.exe 2360 Hgnjlfam.exe 672 Hngbhp32.exe 672 Hngbhp32.exe 1696 Hpfoekhm.exe 1696 Hpfoekhm.exe 536 Hcdkagga.exe 536 Hcdkagga.exe 2628 Hkkcbdhc.exe 2628 Hkkcbdhc.exe 2680 Hnjonpgg.exe 2680 Hnjonpgg.exe 1780 Hphljkfk.exe 1780 Hphljkfk.exe 2400 Hcghffen.exe 2400 Hcghffen.exe 2156 Heedbbdb.exe 2156 Heedbbdb.exe 2860 Hnllcoed.exe 2860 Hnllcoed.exe 1424 Ipkhpk32.exe 1424 Ipkhpk32.exe 2084 Icidlf32.exe 2084 Icidlf32.exe 1588 Igdqmeke.exe 1588 Igdqmeke.exe 484 Ijcmipjh.exe 484 Ijcmipjh.exe 2288 Ilaieljl.exe 2288 Ilaieljl.exe 1028 Iopeagip.exe 1028 Iopeagip.exe 928 Ianambhc.exe 928 Ianambhc.exe 1020 Ijeinphf.exe 1020 Ijeinphf.exe 1328 Ihhjjm32.exe 1328 Ihhjjm32.exe 1784 Icnngeof.exe 1784 Icnngeof.exe 1764 Iaqnbb32.exe 1764 Iaqnbb32.exe 2572 Ikibkhla.exe 2572 Ikibkhla.exe 3000 Iackhb32.exe 3000 Iackhb32.exe 2856 Ifngiqlg.exe 2856 Ifngiqlg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fcckjb32.exe Fpgpjdnf.exe File created C:\Windows\SysWOW64\Meieho32.dll Hepdml32.exe File created C:\Windows\SysWOW64\Mfcilj32.dll Bhdpjaga.exe File opened for modification C:\Windows\SysWOW64\Eklgjbca.exe Eligoe32.exe File created C:\Windows\SysWOW64\Madiaabn.dll Ffokan32.exe File opened for modification C:\Windows\SysWOW64\Mhkkjnmo.exe Mihkoa32.exe File created C:\Windows\SysWOW64\Pkglenej.exe Piipibff.exe File created C:\Windows\SysWOW64\Kehidp32.exe Kamncagl.exe File created C:\Windows\SysWOW64\Qcgkeonp.exe Qedjib32.exe File opened for modification C:\Windows\SysWOW64\Clnkdc32.exe Cmkkhfmn.exe File opened for modification C:\Windows\SysWOW64\Ffahgn32.exe Fbflfomj.exe File created C:\Windows\SysWOW64\Pdedejnm.dll Hgknffcp.exe File created C:\Windows\SysWOW64\Hpcbol32.exe Hobfgcdb.exe File created C:\Windows\SysWOW64\Nbghmegj.dll Okbgkk32.exe File created C:\Windows\SysWOW64\Bmahbhei.exe Boohgk32.exe File created C:\Windows\SysWOW64\Dafchi32.exe Dnkggjpj.exe File created C:\Windows\SysWOW64\Nglcbafp.dll Ebfpglkn.exe File created C:\Windows\SysWOW64\Hnmkog32.dll Jchjqc32.exe File opened for modification C:\Windows\SysWOW64\Liohhbno.exe Ljlhme32.exe File opened for modification C:\Windows\SysWOW64\Macpcccp.exe Mbqpgf32.exe File created C:\Windows\SysWOW64\Qjacai32.exe Qfegakmc.exe File created C:\Windows\SysWOW64\Nedmil32.dll Dcjleq32.exe File created C:\Windows\SysWOW64\Chmgna32.dll Oqibjq32.exe File opened for modification C:\Windows\SysWOW64\Bbhgbj32.exe Anlkakqa.exe File opened for modification C:\Windows\SysWOW64\Cadfbi32.exe Coejfn32.exe File created C:\Windows\SysWOW64\Anmbpf32.dll Gibmglep.exe File created C:\Windows\SysWOW64\Fjlpdj32.dll Hgnjlfam.exe File created C:\Windows\SysWOW64\Kgffpk32.exe Kehidp32.exe File created C:\Windows\SysWOW64\Fdkfbo32.dll Cpldjajo.exe File opened for modification C:\Windows\SysWOW64\Efakhk32.exe Ebfpglkn.exe File created C:\Windows\SysWOW64\Eipgonjl.dll Iiiogoac.exe File created C:\Windows\SysWOW64\Nmiapobg.dll Hpfoekhm.exe File opened for modification C:\Windows\SysWOW64\Boohgk32.exe Blplkp32.exe File created C:\Windows\SysWOW64\Llmggi32.dll Idncdgai.exe File created C:\Windows\SysWOW64\Bdkpob32.exe Bamdcf32.exe File created C:\Windows\SysWOW64\Hlebog32.exe Hiffbl32.exe File created C:\Windows\SysWOW64\Oncpmf32.exe Okecak32.exe File created C:\Windows\SysWOW64\Polbemck.exe Oqibjq32.exe File created C:\Windows\SysWOW64\Mfjdgjhi.dll Qcgkeonp.exe File created C:\Windows\SysWOW64\Cjpkoohi.dll Ecabfpff.exe File created C:\Windows\SysWOW64\Lbcclpol.dll Idlgohcl.exe File opened for modification C:\Windows\SysWOW64\Kamncagl.exe Knnagehi.exe File created C:\Windows\SysWOW64\Mafmhcam.exe Mmjqhd32.exe File created C:\Windows\SysWOW64\Aapeim32.dll Ooncljom.exe File opened for modification C:\Windows\SysWOW64\Mmlmmdga.exe Mknaahhn.exe File opened for modification C:\Windows\SysWOW64\Nglhghgj.exe Noepfkgh.exe File created C:\Windows\SysWOW64\Pedgbn32.dll Eqklhh32.exe File created C:\Windows\SysWOW64\Abkdaqcl.dll Iqhhin32.exe File opened for modification C:\Windows\SysWOW64\Mahinb32.exe Mmlmmdga.exe File created C:\Windows\SysWOW64\Kaojiqej.exe Knqnmeff.exe File created C:\Windows\SysWOW64\Jlmkdf32.dll Kcpcjl32.exe File created C:\Windows\SysWOW64\Aeommfnf.exe Aflmbj32.exe File opened for modification C:\Windows\SysWOW64\Ahbcda32.exe Aipbidbj.exe File created C:\Windows\SysWOW64\Befhpq32.dll Campbj32.exe File opened for modification C:\Windows\SysWOW64\Ekjjebed.exe Dlgjie32.exe File created C:\Windows\SysWOW64\Fmkdoedg.dll Hnjonpgg.exe File opened for modification C:\Windows\SysWOW64\Heedbbdb.exe Hcghffen.exe File created C:\Windows\SysWOW64\Haiagm32.exe Hojeka32.exe File opened for modification C:\Windows\SysWOW64\Iebmaoed.exe Iccqedfa.exe File created C:\Windows\SysWOW64\Ogigpllh.exe Odkkdqmd.exe File opened for modification C:\Windows\SysWOW64\Ognakk32.exe Ocbekmpi.exe File created C:\Windows\SysWOW64\Bmfamg32.exe Bmfamg32.exe File opened for modification C:\Windows\SysWOW64\Jimodo32.exe Jjjohbgl.exe File opened for modification C:\Windows\SysWOW64\Mkihfi32.exe Mhkkjnmo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5324 5196 WerFault.exe 503 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpecddpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedmhlqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdqmeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpfiekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcgppana.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebccal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjmdgmnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkglenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befcne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlkakqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcaanfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglkeaqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdlpnnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfbia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caajmilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqpfchka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gboolneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijbnppi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdfejn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocphembl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqfeda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddodd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjkgampo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjdfgojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqnmeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnpoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pobhfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apbeeppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhnoocab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiamj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdgadeee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blplkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmfamg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbdobpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cekihh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efakhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblkgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjacai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnbpcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghjjoeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmdoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdkop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlbanfbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhhlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnaffpoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilneef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfqpmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmondpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhial32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbagaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jflfbdqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poplqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edghighp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfnfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopeagip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnlobhne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmaghc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfoekhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqdioaqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbpjn32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgknffcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahllk32.dll" Pbohmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eklgjbca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofnnj32.dll" Ebhlmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enecegpg.dll" Dgqokp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoanbf32.dll" Enjcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amglom32.dll" Fjhjlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcedjdom.dll" Gmklbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfdigocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjqlbdog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poplqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peandcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhgbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgcoal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifgeike.dll" Caajmilh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clbdobpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djddbkck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhebij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qolpolge.dll" Kbgqbdbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmaghc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okbgkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkoikcaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgijop32.dll" Kkmhej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npbpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooncljom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjihb32.dll" Ecnbpcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iccqedfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnohbhdp.dll" Fbflfomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fffabman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikibkhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhlmnmjc.dll" Lblflgqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pobhfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iabjgoga.dll" Aflmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmhhdpoh.dll" Aahkhgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjhajc32.dll" Aipbidbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idncdgai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igpcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holgpe32.dll" Jofhqiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcmbjlm.dll" Ncbilimn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqninhmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioonfaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anlkakqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfmio32.dll" Ghjjoeei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqmadn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbqpgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Necandjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpldjajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngblqbj.dll" Enomam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfeke32.dll" Gdgadeee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbaebh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioonfaed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjbbmmih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hldopgbl.dll" Jbmgapgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhhkhlk.dll" Lldkem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oceaql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qahnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheeallp.dll" Bdkpob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmkpchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmklbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cigkbm32.dll" Ihhjjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkqnghfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onelbfab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijmibn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfoffmhd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2876 wrote to memory of 1812 2876 fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4.exe 29 PID 2876 wrote to memory of 1812 2876 fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4.exe 29 PID 2876 wrote to memory of 1812 2876 fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4.exe 29 PID 2876 wrote to memory of 1812 2876 fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4.exe 29 PID 1812 wrote to memory of 2240 1812 Hhfqejoh.exe 30 PID 1812 wrote to memory of 2240 1812 Hhfqejoh.exe 30 PID 1812 wrote to memory of 2240 1812 Hhfqejoh.exe 30 PID 1812 wrote to memory of 2240 1812 Hhfqejoh.exe 30 PID 2240 wrote to memory of 2080 2240 Hkdmaenk.exe 31 PID 2240 wrote to memory of 2080 2240 Hkdmaenk.exe 31 PID 2240 wrote to memory of 2080 2240 Hkdmaenk.exe 31 PID 2240 wrote to memory of 2080 2240 Hkdmaenk.exe 31 PID 2080 wrote to memory of 2576 2080 Hejaon32.exe 32 PID 2080 wrote to memory of 2576 2080 Hejaon32.exe 32 PID 2080 wrote to memory of 2576 2080 Hejaon32.exe 32 PID 2080 wrote to memory of 2576 2080 Hejaon32.exe 32 PID 2576 wrote to memory of 2600 2576 Hgknffcp.exe 33 PID 2576 wrote to memory of 2600 2576 Hgknffcp.exe 33 PID 2576 wrote to memory of 2600 2576 Hgknffcp.exe 33 PID 2576 wrote to memory of 2600 2576 Hgknffcp.exe 33 PID 2600 wrote to memory of 2068 2600 Hobfgcdb.exe 34 PID 2600 wrote to memory of 2068 2600 Hobfgcdb.exe 34 PID 2600 wrote to memory of 2068 2600 Hobfgcdb.exe 34 PID 2600 wrote to memory of 2068 2600 Hobfgcdb.exe 34 PID 2068 wrote to memory of 2888 2068 Hpcbol32.exe 35 PID 2068 wrote to memory of 2888 2068 Hpcbol32.exe 35 PID 2068 wrote to memory of 2888 2068 Hpcbol32.exe 35 PID 2068 wrote to memory of 2888 2068 Hpcbol32.exe 35 PID 2888 wrote to memory of 2360 2888 Hhkjpi32.exe 36 PID 2888 wrote to memory of 2360 2888 Hhkjpi32.exe 36 PID 2888 wrote to memory of 2360 2888 Hhkjpi32.exe 36 PID 2888 wrote to memory of 2360 2888 Hhkjpi32.exe 36 PID 2360 wrote to memory of 672 2360 Hgnjlfam.exe 37 PID 2360 wrote to memory of 672 2360 Hgnjlfam.exe 37 PID 2360 wrote to memory of 672 2360 Hgnjlfam.exe 37 PID 2360 wrote to memory of 672 2360 Hgnjlfam.exe 37 PID 672 wrote to memory of 1696 672 Hngbhp32.exe 38 PID 672 wrote to memory of 1696 672 Hngbhp32.exe 38 PID 672 wrote to memory of 1696 672 Hngbhp32.exe 38 PID 672 wrote to memory of 1696 672 Hngbhp32.exe 38 PID 1696 wrote to memory of 536 1696 Hpfoekhm.exe 39 PID 1696 wrote to memory of 536 1696 Hpfoekhm.exe 39 PID 1696 wrote to memory of 536 1696 Hpfoekhm.exe 39 PID 1696 wrote to memory of 536 1696 Hpfoekhm.exe 39 PID 536 wrote to memory of 2628 536 Hcdkagga.exe 40 PID 536 wrote to memory of 2628 536 Hcdkagga.exe 40 PID 536 wrote to memory of 2628 536 Hcdkagga.exe 40 PID 536 wrote to memory of 2628 536 Hcdkagga.exe 40 PID 2628 wrote to memory of 2680 2628 Hkkcbdhc.exe 41 PID 2628 wrote to memory of 2680 2628 Hkkcbdhc.exe 41 PID 2628 wrote to memory of 2680 2628 Hkkcbdhc.exe 41 PID 2628 wrote to memory of 2680 2628 Hkkcbdhc.exe 41 PID 2680 wrote to memory of 1780 2680 Hnjonpgg.exe 42 PID 2680 wrote to memory of 1780 2680 Hnjonpgg.exe 42 PID 2680 wrote to memory of 1780 2680 Hnjonpgg.exe 42 PID 2680 wrote to memory of 1780 2680 Hnjonpgg.exe 42 PID 1780 wrote to memory of 2400 1780 Hphljkfk.exe 43 PID 1780 wrote to memory of 2400 1780 Hphljkfk.exe 43 PID 1780 wrote to memory of 2400 1780 Hphljkfk.exe 43 PID 1780 wrote to memory of 2400 1780 Hphljkfk.exe 43 PID 2400 wrote to memory of 2156 2400 Hcghffen.exe 44 PID 2400 wrote to memory of 2156 2400 Hcghffen.exe 44 PID 2400 wrote to memory of 2156 2400 Hcghffen.exe 44 PID 2400 wrote to memory of 2156 2400 Hcghffen.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4.exe"C:\Users\Admin\AppData\Local\Temp\fb7be1d27c0a128d86cba4570c722991a874c261e69a520189861927e585b5f4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Hhfqejoh.exeC:\Windows\system32\Hhfqejoh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Hkdmaenk.exeC:\Windows\system32\Hkdmaenk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Hejaon32.exeC:\Windows\system32\Hejaon32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Hgknffcp.exeC:\Windows\system32\Hgknffcp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Hobfgcdb.exeC:\Windows\system32\Hobfgcdb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Hpcbol32.exeC:\Windows\system32\Hpcbol32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Hhkjpi32.exeC:\Windows\system32\Hhkjpi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Hgnjlfam.exeC:\Windows\system32\Hgnjlfam.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Hngbhp32.exeC:\Windows\system32\Hngbhp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Hcdkagga.exeC:\Windows\system32\Hcdkagga.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Hkkcbdhc.exeC:\Windows\system32\Hkkcbdhc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Hnjonpgg.exeC:\Windows\system32\Hnjonpgg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Hphljkfk.exeC:\Windows\system32\Hphljkfk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Hcghffen.exeC:\Windows\system32\Hcghffen.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Heedbbdb.exeC:\Windows\system32\Heedbbdb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Hnllcoed.exeC:\Windows\system32\Hnllcoed.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Ipkhpk32.exeC:\Windows\system32\Ipkhpk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Windows\SysWOW64\Icidlf32.exeC:\Windows\system32\Icidlf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Igdqmeke.exeC:\Windows\system32\Igdqmeke.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Ijcmipjh.exeC:\Windows\system32\Ijcmipjh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:484 -
C:\Windows\SysWOW64\Ilaieljl.exeC:\Windows\system32\Ilaieljl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Iopeagip.exeC:\Windows\system32\Iopeagip.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Ianambhc.exeC:\Windows\system32\Ianambhc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Ijeinphf.exeC:\Windows\system32\Ijeinphf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Ihhjjm32.exeC:\Windows\system32\Ihhjjm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Icnngeof.exeC:\Windows\system32\Icnngeof.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Iaqnbb32.exeC:\Windows\system32\Iaqnbb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Ikibkhla.exeC:\Windows\system32\Ikibkhla.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Iackhb32.exeC:\Windows\system32\Iackhb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Ifngiqlg.exeC:\Windows\system32\Ifngiqlg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Igpcpi32.exeC:\Windows\system32\Igpcpi32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Iogkaf32.exeC:\Windows\system32\Iogkaf32.exe34⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Iqhhin32.exeC:\Windows\system32\Iqhhin32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Ihopjl32.exeC:\Windows\system32\Ihopjl32.exe36⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Jjqlbdog.exeC:\Windows\system32\Jjqlbdog.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Jbgdcapi.exeC:\Windows\system32\Jbgdcapi.exe38⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Jciaki32.exeC:\Windows\system32\Jciaki32.exe39⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Jgdmkhnp.exeC:\Windows\system32\Jgdmkhnp.exe40⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Jqmadn32.exeC:\Windows\system32\Jqmadn32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Jdhmel32.exeC:\Windows\system32\Jdhmel32.exe42⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Jcknqicd.exeC:\Windows\system32\Jcknqicd.exe43⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Jjefmc32.exeC:\Windows\system32\Jjefmc32.exe44⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Jqonjmbn.exeC:\Windows\system32\Jqonjmbn.exe45⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Jflfbdqe.exeC:\Windows\system32\Jflfbdqe.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Jijbnppi.exeC:\Windows\system32\Jijbnppi.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Jodkkj32.exeC:\Windows\system32\Jodkkj32.exe48⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Jcpglhpo.exeC:\Windows\system32\Jcpglhpo.exe49⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Jjjohbgl.exeC:\Windows\system32\Jjjohbgl.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Jimodo32.exeC:\Windows\system32\Jimodo32.exe51⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Jkklpk32.exeC:\Windows\system32\Jkklpk32.exe52⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Jofhqiec.exeC:\Windows\system32\Jofhqiec.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Kfqpmc32.exeC:\Windows\system32\Kfqpmc32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Kecpipck.exeC:\Windows\system32\Kecpipck.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Kiolio32.exeC:\Windows\system32\Kiolio32.exe56⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Kkmhej32.exeC:\Windows\system32\Kkmhej32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Koidficq.exeC:\Windows\system32\Koidficq.exe58⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Kbgqbdbd.exeC:\Windows\system32\Kbgqbdbd.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Kfcmcckn.exeC:\Windows\system32\Kfcmcckn.exe60⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Kiaiooja.exeC:\Windows\system32\Kiaiooja.exe61⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Kgdijk32.exeC:\Windows\system32\Kgdijk32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1136 -
C:\Windows\SysWOW64\Kpkali32.exeC:\Windows\system32\Kpkali32.exe63⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Knnagehi.exeC:\Windows\system32\Knnagehi.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Kamncagl.exeC:\Windows\system32\Kamncagl.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Kehidp32.exeC:\Windows\system32\Kehidp32.exe66⤵
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Kgffpk32.exeC:\Windows\system32\Kgffpk32.exe67⤵PID:1068
-
C:\Windows\SysWOW64\Kjeblf32.exeC:\Windows\system32\Kjeblf32.exe68⤵PID:936
-
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:756 -
C:\Windows\SysWOW64\Kaojiqej.exeC:\Windows\system32\Kaojiqej.exe70⤵PID:1732
-
C:\Windows\SysWOW64\Kejfio32.exeC:\Windows\system32\Kejfio32.exe71⤵PID:2596
-
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe72⤵PID:3060
-
C:\Windows\SysWOW64\Kldofi32.exeC:\Windows\system32\Kldofi32.exe73⤵PID:2956
-
C:\Windows\SysWOW64\Knckbe32.exeC:\Windows\system32\Knckbe32.exe74⤵PID:348
-
C:\Windows\SysWOW64\Kmeknakn.exeC:\Windows\system32\Kmeknakn.exe75⤵PID:1608
-
C:\Windows\SysWOW64\Kemcookp.exeC:\Windows\system32\Kemcookp.exe76⤵PID:2732
-
C:\Windows\SysWOW64\Kcpcjl32.exeC:\Windows\system32\Kcpcjl32.exe77⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Kgkokjjd.exeC:\Windows\system32\Kgkokjjd.exe78⤵PID:2632
-
C:\Windows\SysWOW64\Ljjkgfig.exeC:\Windows\system32\Ljjkgfig.exe79⤵PID:2140
-
C:\Windows\SysWOW64\Lmhhcaik.exeC:\Windows\system32\Lmhhcaik.exe80⤵PID:1748
-
C:\Windows\SysWOW64\Laccdp32.exeC:\Windows\system32\Laccdp32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1460 -
C:\Windows\SysWOW64\Lpfdpmho.exeC:\Windows\system32\Lpfdpmho.exe82⤵PID:992
-
C:\Windows\SysWOW64\Lhnlqjha.exeC:\Windows\system32\Lhnlqjha.exe83⤵PID:2120
-
C:\Windows\SysWOW64\Ljlhme32.exeC:\Windows\system32\Ljlhme32.exe84⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe85⤵PID:2824
-
C:\Windows\SysWOW64\Lafpipoa.exeC:\Windows\system32\Lafpipoa.exe86⤵PID:1760
-
C:\Windows\SysWOW64\Lpiqel32.exeC:\Windows\system32\Lpiqel32.exe87⤵PID:900
-
C:\Windows\SysWOW64\Lbgmah32.exeC:\Windows\system32\Lbgmah32.exe88⤵PID:2984
-
C:\Windows\SysWOW64\Lfbibfmi.exeC:\Windows\system32\Lfbibfmi.exe89⤵PID:2900
-
C:\Windows\SysWOW64\Liaenblm.exeC:\Windows\system32\Liaenblm.exe90⤵PID:2528
-
C:\Windows\SysWOW64\Lmmaoq32.exeC:\Windows\system32\Lmmaoq32.exe91⤵PID:1372
-
C:\Windows\SysWOW64\Lpkmkl32.exeC:\Windows\system32\Lpkmkl32.exe92⤵PID:2672
-
C:\Windows\SysWOW64\Ldgikklb.exeC:\Windows\system32\Ldgikklb.exe93⤵PID:2736
-
C:\Windows\SysWOW64\Lfeegfkf.exeC:\Windows\system32\Lfeegfkf.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:576 -
C:\Windows\SysWOW64\Licbca32.exeC:\Windows\system32\Licbca32.exe95⤵PID:2820
-
C:\Windows\SysWOW64\Lmondpbc.exeC:\Windows\system32\Lmondpbc.exe96⤵
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Lpmjplag.exeC:\Windows\system32\Lpmjplag.exe97⤵PID:1848
-
C:\Windows\SysWOW64\Lopjlh32.exeC:\Windows\system32\Lopjlh32.exe98⤵PID:1584
-
C:\Windows\SysWOW64\Lblflgqk.exeC:\Windows\system32\Lblflgqk.exe99⤵
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Lifoia32.exeC:\Windows\system32\Lifoia32.exe100⤵PID:2508
-
C:\Windows\SysWOW64\Lldkem32.exeC:\Windows\system32\Lldkem32.exe101⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Lppgfkpd.exeC:\Windows\system32\Lppgfkpd.exe102⤵PID:2700
-
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe103⤵PID:952
-
C:\Windows\SysWOW64\Lbncbgoh.exeC:\Windows\system32\Lbncbgoh.exe104⤵PID:1968
-
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe105⤵
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Mhkkjnmo.exeC:\Windows\system32\Mhkkjnmo.exe106⤵
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Mkihfi32.exeC:\Windows\system32\Mkihfi32.exe107⤵PID:1012
-
C:\Windows\SysWOW64\Moecghdl.exeC:\Windows\system32\Moecghdl.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1308 -
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Macpcccp.exeC:\Windows\system32\Macpcccp.exe110⤵PID:2472
-
C:\Windows\SysWOW64\Mdbloobc.exeC:\Windows\system32\Mdbloobc.exe111⤵PID:3032
-
C:\Windows\SysWOW64\Mlidplcf.exeC:\Windows\system32\Mlidplcf.exe112⤵PID:2236
-
C:\Windows\SysWOW64\Mkldli32.exeC:\Windows\system32\Mkldli32.exe113⤵PID:2412
-
C:\Windows\SysWOW64\Mmjqhd32.exeC:\Windows\system32\Mmjqhd32.exe114⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Mafmhcam.exeC:\Windows\system32\Mafmhcam.exe115⤵PID:2344
-
C:\Windows\SysWOW64\Mddidnqa.exeC:\Windows\system32\Mddidnqa.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1056 -
C:\Windows\SysWOW64\Mgbeqjpd.exeC:\Windows\system32\Mgbeqjpd.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1388 -
C:\Windows\SysWOW64\Mknaahhn.exeC:\Windows\system32\Mknaahhn.exe118⤵
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Mmlmmdga.exeC:\Windows\system32\Mmlmmdga.exe119⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Mahinb32.exeC:\Windows\system32\Mahinb32.exe120⤵PID:2624
-
C:\Windows\SysWOW64\Mdfejn32.exeC:\Windows\system32\Mdfejn32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2280
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-