Analysis
-
max time kernel
114s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 21:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0fc9969739f2fba999a147d378204e00N.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
0fc9969739f2fba999a147d378204e00N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
0fc9969739f2fba999a147d378204e00N.exe
-
Size
96KB
-
MD5
0fc9969739f2fba999a147d378204e00
-
SHA1
bc3dd47c2c3db5ff70aa6ac1269731de82c6fd22
-
SHA256
c91f9e58e8a3e6d9011842ec2f8ed8dde503c732b2e99ae0df7bfd6111931283
-
SHA512
22e4784bd361729b350cd8dafca52d3e207f5888372469e8ff87540d8a1e5fd08fab828a1d9b54301ea158886e333cd8bdd53b5bff69afac2b9020da79eb29eb
-
SSDEEP
1536:QGKOhNP9wYldVqq8O9ng2L6sBMu/HCmiDcg3MZRP3cEW3AE:QGKOhQQnR6a6miEo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocfiif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfkgdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Addhcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hememgdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfbjdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhaeldn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjiljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjjkkji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chmibmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhincn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adiaommc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boleejag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiqjao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paafmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkkim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddbmcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jndflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfmjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcjoci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fipbhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbjpem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmibmhoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjkcile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgcdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anhpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmddgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooofcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcmlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifbkgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbmnea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efffpjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfkfkopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbdcepcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfchqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhndnpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ladgkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaflgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccqhdmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahelebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdnlcakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbqkeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kghmhegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkioeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhoohgdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndgeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejglo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkgog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnflae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qghgigkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejglo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjpkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iemalkgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anpooe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkmmigjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Codeih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcofica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnjnkkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpoejbhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjpmdd32.exe -
Executes dropped EXE 64 IoCs
pid Process 2024 Mldeik32.exe 2704 Mhkfnlme.exe 2680 Mkibjgli.exe 2668 Ndafcmci.exe 2568 Njnokdaq.exe 3052 Ncgcdi32.exe 1740 Nknkeg32.exe 2260 Nnlhab32.exe 1936 Ncipjieo.exe 2904 Njchfc32.exe 2764 Nqmqcmdh.exe 812 Njeelc32.exe 2772 Nqpmimbe.exe 1228 Ncnjeh32.exe 2328 Omfnnnhj.exe 636 Ocpfkh32.exe 836 Ofobgc32.exe 2396 Odacbpee.exe 928 Okkkoj32.exe 2952 Ooggpiek.exe 1324 Obecld32.exe 832 Oiokholk.exe 2416 Onldqejb.exe 844 Odflmp32.exe 2272 Ogdhik32.exe 2032 Ojceef32.exe 2736 Onoqfehp.exe 2532 Onamle32.exe 864 Omcngamh.exe 3048 Pflbpg32.exe 2548 Pjhnqfla.exe 2908 Paafmp32.exe 2428 Pcpbik32.exe 2196 Pjjkfe32.exe 2856 Pmhgba32.exe 2084 Pbepkh32.exe 1640 Pfqlkfoc.exe 2356 Ppipdl32.exe 320 Pfchqf32.exe 1768 Plpqim32.exe 2144 Pbjifgcd.exe 2988 Plbmom32.exe 608 Qpniokan.exe 624 Qblfkgqb.exe 892 Qifnhaho.exe 2016 Qhincn32.exe 1100 Qjgjpi32.exe 2872 Qhkkim32.exe 992 Ajjgei32.exe 2608 Anecfgdc.exe 2716 Amhcad32.exe 2544 Aeokba32.exe 2804 Ahngomkd.exe 2072 Afqhjj32.exe 436 Anhpkg32.exe 2980 Aaflgb32.exe 1780 Addhcn32.exe 2864 Afcdpi32.exe 1616 Aiaqle32.exe 2132 Apkihofl.exe 2152 Abjeejep.exe 2992 Afeaei32.exe 2056 Aicmadmm.exe 1464 Albjnplq.exe -
Loads dropped DLL 64 IoCs
pid Process 2596 0fc9969739f2fba999a147d378204e00N.exe 2596 0fc9969739f2fba999a147d378204e00N.exe 2024 Mldeik32.exe 2024 Mldeik32.exe 2704 Mhkfnlme.exe 2704 Mhkfnlme.exe 2680 Mkibjgli.exe 2680 Mkibjgli.exe 2668 Ndafcmci.exe 2668 Ndafcmci.exe 2568 Njnokdaq.exe 2568 Njnokdaq.exe 3052 Ncgcdi32.exe 3052 Ncgcdi32.exe 1740 Nknkeg32.exe 1740 Nknkeg32.exe 2260 Nnlhab32.exe 2260 Nnlhab32.exe 1936 Ncipjieo.exe 1936 Ncipjieo.exe 2904 Njchfc32.exe 2904 Njchfc32.exe 2764 Nqmqcmdh.exe 2764 Nqmqcmdh.exe 812 Njeelc32.exe 812 Njeelc32.exe 2772 Nqpmimbe.exe 2772 Nqpmimbe.exe 1228 Ncnjeh32.exe 1228 Ncnjeh32.exe 2328 Omfnnnhj.exe 2328 Omfnnnhj.exe 636 Ocpfkh32.exe 636 Ocpfkh32.exe 836 Ofobgc32.exe 836 Ofobgc32.exe 2396 Odacbpee.exe 2396 Odacbpee.exe 928 Okkkoj32.exe 928 Okkkoj32.exe 2952 Ooggpiek.exe 2952 Ooggpiek.exe 1324 Obecld32.exe 1324 Obecld32.exe 832 Oiokholk.exe 832 Oiokholk.exe 2416 Onldqejb.exe 2416 Onldqejb.exe 844 Odflmp32.exe 844 Odflmp32.exe 2272 Ogdhik32.exe 2272 Ogdhik32.exe 2032 Ojceef32.exe 2032 Ojceef32.exe 2736 Onoqfehp.exe 2736 Onoqfehp.exe 2532 Onamle32.exe 2532 Onamle32.exe 864 Omcngamh.exe 864 Omcngamh.exe 3048 Pflbpg32.exe 3048 Pflbpg32.exe 2548 Pjhnqfla.exe 2548 Pjhnqfla.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dqhooh32.dll Ilifndlo.exe File created C:\Windows\SysWOW64\Lqeipj32.dll Jmibmhoj.exe File opened for modification C:\Windows\SysWOW64\Mpqjmh32.exe Mmbnam32.exe File created C:\Windows\SysWOW64\Diggcodj.dll Ndlbmk32.exe File created C:\Windows\SysWOW64\Gchhdfem.dll Qjgjpi32.exe File created C:\Windows\SysWOW64\Fmbgageq.exe Fjckelfm.exe File created C:\Windows\SysWOW64\Gfabkl32.exe Gpgjnbnl.exe File created C:\Windows\SysWOW64\Jjejnabb.dll Hganjo32.exe File created C:\Windows\SysWOW64\Hlpchfdi.exe Hnmcli32.exe File opened for modification C:\Windows\SysWOW64\Ohengmcf.exe Ofgbkacb.exe File created C:\Windows\SysWOW64\Chofhm32.exe Cdcjgnbc.exe File opened for modification C:\Windows\SysWOW64\Ogdhik32.exe Odflmp32.exe File created C:\Windows\SysWOW64\Plpqim32.exe Pfchqf32.exe File created C:\Windows\SysWOW64\Ngoleb32.exe Nohddd32.exe File created C:\Windows\SysWOW64\Ojndpqpq.exe Okkddd32.exe File created C:\Windows\SysWOW64\Bhjpnj32.exe Bdodmlcm.exe File opened for modification C:\Windows\SysWOW64\Ccnddg32.exe Cobhdhha.exe File created C:\Windows\SysWOW64\Bafmhm32.dll Djafaf32.exe File created C:\Windows\SysWOW64\Fnjnkkbk.exe Fllaopcg.exe File opened for modification C:\Windows\SysWOW64\Dgqion32.exe Ddbmcb32.exe File created C:\Windows\SysWOW64\Occlcg32.exe Oqepgk32.exe File created C:\Windows\SysWOW64\Baealp32.exe Bkkioeig.exe File created C:\Windows\SysWOW64\Pjjkfe32.exe Pcpbik32.exe File created C:\Windows\SysWOW64\Afqhjj32.exe Ahngomkd.exe File opened for modification C:\Windows\SysWOW64\Mdepmh32.exe Mebpakbq.exe File opened for modification C:\Windows\SysWOW64\Qghgigkn.exe Qanolm32.exe File opened for modification C:\Windows\SysWOW64\Anmbje32.exe Alofnj32.exe File created C:\Windows\SysWOW64\Alaccj32.exe Aicfgn32.exe File opened for modification C:\Windows\SysWOW64\Appbcn32.exe Amafgc32.exe File created C:\Windows\SysWOW64\Joebccpp.exe Jndflk32.exe File opened for modification C:\Windows\SysWOW64\Hpicbe32.exe Hnkffi32.exe File opened for modification C:\Windows\SysWOW64\Ligfakaa.exe Lekjal32.exe File opened for modification C:\Windows\SysWOW64\Djafaf32.exe Ccgnelll.exe File created C:\Windows\SysWOW64\Dlboca32.exe Ddkgbc32.exe File created C:\Windows\SysWOW64\Ablbjj32.exe Adiaommc.exe File created C:\Windows\SysWOW64\Kmcjeh32.dll Cjhckg32.exe File created C:\Windows\SysWOW64\Cpbkhabp.exe Cncolfcl.exe File created C:\Windows\SysWOW64\Hjddaj32.exe Hgfheodo.exe File opened for modification C:\Windows\SysWOW64\Jgjmoace.exe Jdlacfca.exe File created C:\Windows\SysWOW64\Jfddkmch.exe Jbhhkn32.exe File opened for modification C:\Windows\SysWOW64\Qblfkgqb.exe Qpniokan.exe File created C:\Windows\SysWOW64\Igooceih.dll Qhincn32.exe File opened for modification C:\Windows\SysWOW64\Ooofcg32.exe Omqjgl32.exe File opened for modification C:\Windows\SysWOW64\Bfbjdf32.exe Bbfnchfb.exe File created C:\Windows\SysWOW64\Iklfia32.exe Ilifndlo.exe File created C:\Windows\SysWOW64\Jipcbidn.exe Jjmcfl32.exe File created C:\Windows\SysWOW64\Ngonaccp.dll Nohddd32.exe File opened for modification C:\Windows\SysWOW64\Qfikod32.exe Qcjoci32.exe File opened for modification C:\Windows\SysWOW64\Efjpkj32.exe Epqgopbi.exe File created C:\Windows\SysWOW64\Fappgflg.exe Fmddgg32.exe File created C:\Windows\SysWOW64\Iadbqlmh.exe Icabeo32.exe File created C:\Windows\SysWOW64\Aoffeijg.dll Jdlacfca.exe File opened for modification C:\Windows\SysWOW64\Mhalngad.exe Mdepmh32.exe File opened for modification C:\Windows\SysWOW64\Nphpng32.exe Nlldmimi.exe File created C:\Windows\SysWOW64\Omnmal32.exe Ogaeieoj.exe File created C:\Windows\SysWOW64\Pdgmbedh.dll Bpjnmlel.exe File opened for modification C:\Windows\SysWOW64\Cdpdnpif.exe Cnflae32.exe File created C:\Windows\SysWOW64\Mlnbgj32.dll Fjhdpk32.exe File opened for modification C:\Windows\SysWOW64\Hekefkig.exe Hclhjpjc.exe File opened for modification C:\Windows\SysWOW64\Jbfkeo32.exe Johoic32.exe File created C:\Windows\SysWOW64\Dkmbap32.dll Kapaaj32.exe File opened for modification C:\Windows\SysWOW64\Nepokogo.exe Mcacochk.exe File created C:\Windows\SysWOW64\Pjeimkch.dll Ogaeieoj.exe File opened for modification C:\Windows\SysWOW64\Biccfalm.exe Beggec32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjoilfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djafaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdgkicek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njnokdaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iadbqlmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biccfalm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paafmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfmjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbkhabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofobgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppipdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhpkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncgcdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjiljf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nepokogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appbcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmnea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabngjla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghekhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbnec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addhcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idbnmgll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapaaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofaog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilemce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icabeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idghhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ongckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqgilnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfalg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpehd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfkkeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pegnglnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnlhab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmcfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhebhipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feipbefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chggdoee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cccdjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikimeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albjnplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boleejag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhoohgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqjgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abinjdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjeejep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhckg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfllhao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjfcali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjdaqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmnhgjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcjoci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggcofkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbbcail.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkfghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfikod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgjgol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqngcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoifiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofjem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooggpiek.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nphpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnmjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdbbnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlmjnop.dll" Igeddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mllhne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gipngg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mheeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nanfqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caenkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngonaccp.dll" Nohddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgmbedh.dll" Bpjnmlel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anhpkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epcddopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmfb32.dll" Feipbefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aflhek32.dll" Hnppaill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dheoedma.dll" Jnbifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdphkml.dll" Mldeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmccgf32.dll" Onldqejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll" Cenmfbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afndjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Almihjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anmbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hekefkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jndflk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjhfjpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pigklmqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfikod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpjnmlel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeaokpb.dll" Mhalngad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Negeln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofgbkacb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boleejag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfaqfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpkpl32.dll" Eqngcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjhdpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopnanlf.dll" Hnmcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnfpjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckmbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjqlaec.dll" Mhcicf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bknmok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhklna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnngnk32.dll" Epnkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnoopd32.dll" Kkalcdao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ladgkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njchfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinalc32.dll" Nloachkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafehn32.dll" Caenkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlalaoic.dll" Gfcopl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdbbnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clclhmin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Addhcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hofjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejkohlcb.dll" Hgfheodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pegnglnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkkioeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alofnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odacbpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egpena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnbgj32.dll" Fjhdpk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2596 wrote to memory of 2024 2596 0fc9969739f2fba999a147d378204e00N.exe 30 PID 2596 wrote to memory of 2024 2596 0fc9969739f2fba999a147d378204e00N.exe 30 PID 2596 wrote to memory of 2024 2596 0fc9969739f2fba999a147d378204e00N.exe 30 PID 2596 wrote to memory of 2024 2596 0fc9969739f2fba999a147d378204e00N.exe 30 PID 2024 wrote to memory of 2704 2024 Mldeik32.exe 31 PID 2024 wrote to memory of 2704 2024 Mldeik32.exe 31 PID 2024 wrote to memory of 2704 2024 Mldeik32.exe 31 PID 2024 wrote to memory of 2704 2024 Mldeik32.exe 31 PID 2704 wrote to memory of 2680 2704 Mhkfnlme.exe 32 PID 2704 wrote to memory of 2680 2704 Mhkfnlme.exe 32 PID 2704 wrote to memory of 2680 2704 Mhkfnlme.exe 32 PID 2704 wrote to memory of 2680 2704 Mhkfnlme.exe 32 PID 2680 wrote to memory of 2668 2680 Mkibjgli.exe 33 PID 2680 wrote to memory of 2668 2680 Mkibjgli.exe 33 PID 2680 wrote to memory of 2668 2680 Mkibjgli.exe 33 PID 2680 wrote to memory of 2668 2680 Mkibjgli.exe 33 PID 2668 wrote to memory of 2568 2668 Ndafcmci.exe 34 PID 2668 wrote to memory of 2568 2668 Ndafcmci.exe 34 PID 2668 wrote to memory of 2568 2668 Ndafcmci.exe 34 PID 2668 wrote to memory of 2568 2668 Ndafcmci.exe 34 PID 2568 wrote to memory of 3052 2568 Njnokdaq.exe 35 PID 2568 wrote to memory of 3052 2568 Njnokdaq.exe 35 PID 2568 wrote to memory of 3052 2568 Njnokdaq.exe 35 PID 2568 wrote to memory of 3052 2568 Njnokdaq.exe 35 PID 3052 wrote to memory of 1740 3052 Ncgcdi32.exe 36 PID 3052 wrote to memory of 1740 3052 Ncgcdi32.exe 36 PID 3052 wrote to memory of 1740 3052 Ncgcdi32.exe 36 PID 3052 wrote to memory of 1740 3052 Ncgcdi32.exe 36 PID 1740 wrote to memory of 2260 1740 Nknkeg32.exe 37 PID 1740 wrote to memory of 2260 1740 Nknkeg32.exe 37 PID 1740 wrote to memory of 2260 1740 Nknkeg32.exe 37 PID 1740 wrote to memory of 2260 1740 Nknkeg32.exe 37 PID 2260 wrote to memory of 1936 2260 Nnlhab32.exe 38 PID 2260 wrote to memory of 1936 2260 Nnlhab32.exe 38 PID 2260 wrote to memory of 1936 2260 Nnlhab32.exe 38 PID 2260 wrote to memory of 1936 2260 Nnlhab32.exe 38 PID 1936 wrote to memory of 2904 1936 Ncipjieo.exe 39 PID 1936 wrote to memory of 2904 1936 Ncipjieo.exe 39 PID 1936 wrote to memory of 2904 1936 Ncipjieo.exe 39 PID 1936 wrote to memory of 2904 1936 Ncipjieo.exe 39 PID 2904 wrote to memory of 2764 2904 Njchfc32.exe 40 PID 2904 wrote to memory of 2764 2904 Njchfc32.exe 40 PID 2904 wrote to memory of 2764 2904 Njchfc32.exe 40 PID 2904 wrote to memory of 2764 2904 Njchfc32.exe 40 PID 2764 wrote to memory of 812 2764 Nqmqcmdh.exe 41 PID 2764 wrote to memory of 812 2764 Nqmqcmdh.exe 41 PID 2764 wrote to memory of 812 2764 Nqmqcmdh.exe 41 PID 2764 wrote to memory of 812 2764 Nqmqcmdh.exe 41 PID 812 wrote to memory of 2772 812 Njeelc32.exe 42 PID 812 wrote to memory of 2772 812 Njeelc32.exe 42 PID 812 wrote to memory of 2772 812 Njeelc32.exe 42 PID 812 wrote to memory of 2772 812 Njeelc32.exe 42 PID 2772 wrote to memory of 1228 2772 Nqpmimbe.exe 43 PID 2772 wrote to memory of 1228 2772 Nqpmimbe.exe 43 PID 2772 wrote to memory of 1228 2772 Nqpmimbe.exe 43 PID 2772 wrote to memory of 1228 2772 Nqpmimbe.exe 43 PID 1228 wrote to memory of 2328 1228 Ncnjeh32.exe 44 PID 1228 wrote to memory of 2328 1228 Ncnjeh32.exe 44 PID 1228 wrote to memory of 2328 1228 Ncnjeh32.exe 44 PID 1228 wrote to memory of 2328 1228 Ncnjeh32.exe 44 PID 2328 wrote to memory of 636 2328 Omfnnnhj.exe 45 PID 2328 wrote to memory of 636 2328 Omfnnnhj.exe 45 PID 2328 wrote to memory of 636 2328 Omfnnnhj.exe 45 PID 2328 wrote to memory of 636 2328 Omfnnnhj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0fc9969739f2fba999a147d378204e00N.exe"C:\Users\Admin\AppData\Local\Temp\0fc9969739f2fba999a147d378204e00N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Mhkfnlme.exeC:\Windows\system32\Mhkfnlme.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Ndafcmci.exeC:\Windows\system32\Ndafcmci.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ncgcdi32.exeC:\Windows\system32\Ncgcdi32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Nnlhab32.exeC:\Windows\system32\Nnlhab32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Nqmqcmdh.exeC:\Windows\system32\Nqmqcmdh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Nqpmimbe.exeC:\Windows\system32\Nqpmimbe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Ncnjeh32.exeC:\Windows\system32\Ncnjeh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Omfnnnhj.exeC:\Windows\system32\Omfnnnhj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Ocpfkh32.exeC:\Windows\system32\Ocpfkh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\Ofobgc32.exeC:\Windows\system32\Ofobgc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Odacbpee.exeC:\Windows\system32\Odacbpee.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Ooggpiek.exeC:\Windows\system32\Ooggpiek.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Obecld32.exeC:\Windows\system32\Obecld32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Ogdhik32.exeC:\Windows\system32\Ogdhik32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Onoqfehp.exeC:\Windows\system32\Onoqfehp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Onamle32.exeC:\Windows\system32\Onamle32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Omcngamh.exeC:\Windows\system32\Omcngamh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Pflbpg32.exeC:\Windows\system32\Pflbpg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Pjhnqfla.exeC:\Windows\system32\Pjhnqfla.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Paafmp32.exeC:\Windows\system32\Paafmp32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Pcpbik32.exeC:\Windows\system32\Pcpbik32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Pjjkfe32.exeC:\Windows\system32\Pjjkfe32.exe35⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Pmhgba32.exeC:\Windows\system32\Pmhgba32.exe36⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Pbepkh32.exeC:\Windows\system32\Pbepkh32.exe37⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe38⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Pfchqf32.exeC:\Windows\system32\Pfchqf32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Plpqim32.exeC:\Windows\system32\Plpqim32.exe41⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Pbjifgcd.exeC:\Windows\system32\Pbjifgcd.exe42⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Plbmom32.exeC:\Windows\system32\Plbmom32.exe43⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Qpniokan.exeC:\Windows\system32\Qpniokan.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Qblfkgqb.exeC:\Windows\system32\Qblfkgqb.exe45⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Qifnhaho.exeC:\Windows\system32\Qifnhaho.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Qhincn32.exeC:\Windows\system32\Qhincn32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Qjgjpi32.exeC:\Windows\system32\Qjgjpi32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Qhkkim32.exeC:\Windows\system32\Qhkkim32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Ajjgei32.exeC:\Windows\system32\Ajjgei32.exe50⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Anecfgdc.exeC:\Windows\system32\Anecfgdc.exe51⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Amhcad32.exeC:\Windows\system32\Amhcad32.exe52⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Aeokba32.exeC:\Windows\system32\Aeokba32.exe53⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ahngomkd.exeC:\Windows\system32\Ahngomkd.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Afqhjj32.exeC:\Windows\system32\Afqhjj32.exe55⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Anhpkg32.exeC:\Windows\system32\Anhpkg32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Aaflgb32.exeC:\Windows\system32\Aaflgb32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Addhcn32.exeC:\Windows\system32\Addhcn32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Afcdpi32.exeC:\Windows\system32\Afcdpi32.exe59⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Aiaqle32.exeC:\Windows\system32\Aiaqle32.exe60⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Apkihofl.exeC:\Windows\system32\Apkihofl.exe61⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Abjeejep.exeC:\Windows\system32\Abjeejep.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Afeaei32.exeC:\Windows\system32\Afeaei32.exe63⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Aicmadmm.exeC:\Windows\system32\Aicmadmm.exe64⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Albjnplq.exeC:\Windows\system32\Albjnplq.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Adiaommc.exeC:\Windows\system32\Adiaommc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Ablbjj32.exeC:\Windows\system32\Ablbjj32.exe67⤵PID:2412
-
C:\Windows\SysWOW64\Aejnfe32.exeC:\Windows\system32\Aejnfe32.exe68⤵PID:2404
-
C:\Windows\SysWOW64\Amafgc32.exeC:\Windows\system32\Amafgc32.exe69⤵
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Appbcn32.exeC:\Windows\system32\Appbcn32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Abnopj32.exeC:\Windows\system32\Abnopj32.exe71⤵PID:2896
-
C:\Windows\SysWOW64\Bemkle32.exeC:\Windows\system32\Bemkle32.exe72⤵PID:2676
-
C:\Windows\SysWOW64\Bbqkeioh.exeC:\Windows\system32\Bbqkeioh.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1120 -
C:\Windows\SysWOW64\Baclaf32.exeC:\Windows\system32\Baclaf32.exe74⤵PID:1528
-
C:\Windows\SysWOW64\Bikcbc32.exeC:\Windows\system32\Bikcbc32.exe75⤵PID:2316
-
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Bogljj32.exeC:\Windows\system32\Bogljj32.exe77⤵
- System Location Discovery: System Language Discovery
PID:800 -
C:\Windows\SysWOW64\Bafhff32.exeC:\Windows\system32\Bafhff32.exe78⤵PID:572
-
C:\Windows\SysWOW64\Bimphc32.exeC:\Windows\system32\Bimphc32.exe79⤵PID:1512
-
C:\Windows\SysWOW64\Blkmdodf.exeC:\Windows\system32\Blkmdodf.exe80⤵PID:2124
-
C:\Windows\SysWOW64\Bknmok32.exeC:\Windows\system32\Bknmok32.exe81⤵
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe82⤵PID:1800
-
C:\Windows\SysWOW64\Bahelebm.exeC:\Windows\system32\Bahelebm.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:952 -
C:\Windows\SysWOW64\Bdfahaaa.exeC:\Windows\system32\Bdfahaaa.exe84⤵PID:2828
-
C:\Windows\SysWOW64\Bhbmip32.exeC:\Windows\system32\Bhbmip32.exe85⤵PID:484
-
C:\Windows\SysWOW64\Boleejag.exeC:\Windows\system32\Boleejag.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe87⤵PID:2924
-
C:\Windows\SysWOW64\Bkcfjk32.exeC:\Windows\system32\Bkcfjk32.exe88⤵PID:2508
-
C:\Windows\SysWOW64\Camnge32.exeC:\Windows\system32\Camnge32.exe89⤵PID:1728
-
C:\Windows\SysWOW64\Chggdoee.exeC:\Windows\system32\Chggdoee.exe90⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Cgjgol32.exeC:\Windows\system32\Cgjgol32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Cjhckg32.exeC:\Windows\system32\Cjhckg32.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Cncolfcl.exeC:\Windows\system32\Cncolfcl.exe93⤵
- Drops file in System32 directory
PID:380 -
C:\Windows\SysWOW64\Cpbkhabp.exeC:\Windows\system32\Cpbkhabp.exe94⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe96⤵PID:2996
-
C:\Windows\SysWOW64\Cjjpag32.exeC:\Windows\system32\Cjjpag32.exe97⤵PID:1900
-
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Cdpdnpif.exeC:\Windows\system32\Cdpdnpif.exe99⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Cfaqfh32.exeC:\Windows\system32\Cfaqfh32.exe101⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Cnhhge32.exeC:\Windows\system32\Cnhhge32.exe102⤵PID:1712
-
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe103⤵PID:2928
-
C:\Windows\SysWOW64\Cceapl32.exeC:\Windows\system32\Cceapl32.exe104⤵PID:2468
-
C:\Windows\SysWOW64\Cfcmlg32.exeC:\Windows\system32\Cfcmlg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1632 -
C:\Windows\SysWOW64\Cjoilfek.exeC:\Windows\system32\Cjoilfek.exe106⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Coladm32.exeC:\Windows\system32\Coladm32.exe107⤵PID:1032
-
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe108⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Djafaf32.exeC:\Windows\system32\Djafaf32.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe110⤵PID:2424
-
C:\Windows\SysWOW64\Dkbbinig.exeC:\Windows\system32\Dkbbinig.exe111⤵PID:1112
-
C:\Windows\SysWOW64\Dcjjkkji.exeC:\Windows\system32\Dcjjkkji.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Dbmkfh32.exeC:\Windows\system32\Dbmkfh32.exe113⤵PID:1664
-
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe114⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Dlboca32.exeC:\Windows\system32\Dlboca32.exe115⤵PID:3020
-
C:\Windows\SysWOW64\Dkeoongd.exeC:\Windows\system32\Dkeoongd.exe116⤵PID:2880
-
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe117⤵PID:1012
-
C:\Windows\SysWOW64\Dhiphb32.exeC:\Windows\system32\Dhiphb32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2112 -
C:\Windows\SysWOW64\Dochelmj.exeC:\Windows\system32\Dochelmj.exe119⤵PID:2068
-
C:\Windows\SysWOW64\Dnfhqi32.exeC:\Windows\system32\Dnfhqi32.exe120⤵PID:2648
-
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe121⤵PID:2780
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-