Analysis

max time kernel: 115s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 02-09-2024 20:35

Static task: static1

Behavioral task: behavioral1
  Sample: a6afc35a5956f424991f417a992289b0N.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: a6afc35a5956f424991f417a992289b0N.exe
  Resource: win10v2004-20240802-en

General

Target: a6afc35a5956f424991f417a992289b0N.exe
Size: 324KB
MD5: a6afc35a5956f424991f417a992289b0
SHA1: dcdbe1731f30d81a6566173fc7d5319317123b80
SHA256: fedd9098aae76e2195145e1aad230697090bb9d89bd4f6a4345c75235b42d173
SHA512: b20bb773edab1171a34e9da5e5b71619aac609e792a4b0cebf79567ab3f0441c42a23e28e067c021d7a51261d376149fad68e5aaac88beff0aa25c73d93e144d
SSDEEP: 3072:rzjtLxWGztnLUoCrxdbMqlWGRdA6sQO56TQY2mEmjwCzAhjQjxNX+W5RK0:njtttLtwbWGRdA6sQc/Y+mjwjOx5H
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmpfgklo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cleaebna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Imbakfcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fajpdmgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkklpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgnjhfbq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okciddnh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfmclold.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfhikl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hhfcnb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bohoogbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idagdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnoiqpqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpnogmbl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkbplepn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocbnqfln.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnhhia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oindpd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbohmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pnbeacbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qmohco32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okjdfq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpfbfh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogldfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Doflofbf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jiaaaicm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qifnjm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcokaa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpcbol32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qkolil32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdooongp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egegnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfjcncak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgoohk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckeekp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebkibk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghjjoeei.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdnpck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjphff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjkeii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Laqadknn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akpmhdqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jchjqc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lblhep32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phibbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpegka32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfecim32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhpadpke.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afbpph32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfcjqkbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chgkgmoo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knicjipf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbpbokop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lednal32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhalag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aimckl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hadece32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oepianef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akhndf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhmjha32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Babbpc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cocbbk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlfebcnd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okomappb.exe
Executes dropped EXE (64 IoCs)

pid | Process
1972 | Fpfkhbon.exe
2852 | Feccqime.exe
2872 | Fpkdca32.exe
2928 | Gklkdn32.exe
2632 | Gfhikl32.exe
1316 | Hhhblgim.exe
1668 | Hikobfgj.exe
2976 | Hkpaoape.exe
2956 | Ijhkembk.exe
564 | Ilnqhddd.exe
2204 | Jiaaaicm.exe
1700 | Jdplmflg.exe
2336 | Jhndcd32.exe
2184 | Kmpfgklo.exe
1160 | Kgjgepqm.exe
876 | Lafekm32.exe
3036 | Lednal32.exe
1096 | Ldlghhde.exe
1520 | Llgllj32.exe
1076 | Mgomoboc.exe
592 | Mqgahh32.exe
904 | Mkqbhf32.exe
2440 | Nbodpo32.exe
2712 | Nqdaal32.exe
856 | Njmejaqb.exe
2580 | Nidoamch.exe
1588 | Nbmcjc32.exe
2756 | Oclpdf32.exe
2896 | Oepianef.exe
2660 | Oaiglnih.exe
2796 | Olokighn.exe
2684 | Panpgn32.exe
2392 | Pmdalo32.exe
2404 | Pmgnan32.exe
2836 | Plljbkml.exe
3016 | Qkcdigpa.exe
1396 | Alcqcjgd.exe
2124 | Akhndf32.exe
2216 | Apgcbmha.exe
2040 | Alqplmlb.exe
2188 | Bhgaan32.exe
1628 | Bfkakbpp.exe
2288 | Babbpc32.exe
580 | Bnicddki.exe
1536 | Bohoogbk.exe
1156 | Cjbpoeoj.exe
908 | Ckamihfm.exe
1148 | Cghmni32.exe
868 | Cocbbk32.exe
2036 | Cmgblphf.exe
3056 | Cincaq32.exe
2588 | Dpjhcj32.exe
2960 | Dgemgm32.exe
2768 | Dieiap32.exe
1624 | Dbmnjenb.exe
2072 | Dmgokcja.exe
2620 | Dnfkefad.exe
2964 | Ejmljg32.exe
1680 | Ebhani32.exe
1228 | Emnelbdi.exe
2480 | Emqaaabg.exe
2196 | Eleobngo.exe
2232 | Faedpdcc.exe
928 | Febmfcjj.exe
Loads dropped DLL (64 IoCs)

pid | Process
2304 | a6afc35a5956f424991f417a992289b0N.exe
2304 | a6afc35a5956f424991f417a992289b0N.exe
1972 | Fpfkhbon.exe
1972 | Fpfkhbon.exe
2852 | Feccqime.exe
2852 | Feccqime.exe
2872 | Fpkdca32.exe
2872 | Fpkdca32.exe
2928 | Gklkdn32.exe
2928 | Gklkdn32.exe
2632 | Gfhikl32.exe
2632 | Gfhikl32.exe
1316 | Hhhblgim.exe
1316 | Hhhblgim.exe
1668 | Hikobfgj.exe
1668 | Hikobfgj.exe
2976 | Hkpaoape.exe
2976 | Hkpaoape.exe
2956 | Ijhkembk.exe
2956 | Ijhkembk.exe
564 | Ilnqhddd.exe
564 | Ilnqhddd.exe
2204 | Jiaaaicm.exe
2204 | Jiaaaicm.exe
1700 | Jdplmflg.exe
1700 | Jdplmflg.exe
2336 | Jhndcd32.exe
2336 | Jhndcd32.exe
2184 | Kmpfgklo.exe
2184 | Kmpfgklo.exe
1160 | Kgjgepqm.exe
1160 | Kgjgepqm.exe
876 | Lafekm32.exe
876 | Lafekm32.exe
3036 | Lednal32.exe
3036 | Lednal32.exe
1096 | Ldlghhde.exe
1096 | Ldlghhde.exe
1520 | Llgllj32.exe
1520 | Llgllj32.exe
1076 | Mgomoboc.exe
1076 | Mgomoboc.exe
592 | Mqgahh32.exe
592 | Mqgahh32.exe
904 | Mkqbhf32.exe
904 | Mkqbhf32.exe
2440 | Nbodpo32.exe
2440 | Nbodpo32.exe
2712 | Nqdaal32.exe
2712 | Nqdaal32.exe
856 | Njmejaqb.exe
856 | Njmejaqb.exe
2580 | Nidoamch.exe
2580 | Nidoamch.exe
1588 | Nbmcjc32.exe
1588 | Nbmcjc32.exe
2756 | Oclpdf32.exe
2756 | Oclpdf32.exe
2896 | Oepianef.exe
2896 | Oepianef.exe
2660 | Oaiglnih.exe
2660 | Oaiglnih.exe
2796 | Olokighn.exe
2796 | Olokighn.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Fhfbmn32.exe | Fdhigo32.exe
File created | C:\Windows\SysWOW64\Iiogbn32.dll | Fehodaqd.exe
File created | C:\Windows\SysWOW64\Gckknefg.dll | Eopbooqb.exe
File opened for modification | C:\Windows\SysWOW64\Fajpdmgb.exe | Fagcnmie.exe
File created | C:\Windows\SysWOW64\Abejlj32.exe | Aimfcedl.exe
File opened for modification | C:\Windows\SysWOW64\Mlgjce32.exe | Lmbmbi32.exe
File created | C:\Windows\SysWOW64\Iaicpepa.exe | Ijokcl32.exe
File opened for modification | C:\Windows\SysWOW64\Ngiiip32.exe | Mnqdpj32.exe
File created | C:\Windows\SysWOW64\Qibjjgag.exe | Qnmfmoaa.exe
File created | C:\Windows\SysWOW64\Dhjlfe32.dll | Nlfmoidh.exe
File opened for modification | C:\Windows\SysWOW64\Eqklhh32.exe | Eddlcgjb.exe
File created | C:\Windows\SysWOW64\Feccqime.exe | Fpfkhbon.exe
File created | C:\Windows\SysWOW64\Jhndcd32.exe | Jdplmflg.exe
File created | C:\Windows\SysWOW64\Phcpdm32.exe | Pnnlfd32.exe
File opened for modification | C:\Windows\SysWOW64\Hdmdcc32.exe | Hhfcnb32.exe
File created | C:\Windows\SysWOW64\Dbmnjenb.exe | Dieiap32.exe
File created | C:\Windows\SysWOW64\Jbgbjh32.exe | Iganmp32.exe
File opened for modification | C:\Windows\SysWOW64\Fhfdffll.exe | Ffghlcei.exe
File created | C:\Windows\SysWOW64\Iniebmfg.exe | Infhmmhi.exe
File created | C:\Windows\SysWOW64\Hkmnqdme.dll | Dhnahl32.exe
File opened for modification | C:\Windows\SysWOW64\Nfqbol32.exe | Nogjbbma.exe
File created | C:\Windows\SysWOW64\Kcclni32.dll | Ocbekmpi.exe
File created | C:\Windows\SysWOW64\Lbncbgoh.exe | Lmondpbc.exe
File opened for modification | C:\Windows\SysWOW64\Mggoli32.exe | Mkqnghfk.exe
File created | C:\Windows\SysWOW64\Jodmdboj.exe | Jpppbf32.exe
File opened for modification | C:\Windows\SysWOW64\Knnmeh32.exe | Kchhholk.exe
File created | C:\Windows\SysWOW64\Nogjbbma.exe | Njjbjk32.exe
File opened for modification | C:\Windows\SysWOW64\Gphokhco.exe | Gpfbfh32.exe
File created | C:\Windows\SysWOW64\Kgmajelk.dll | Cffejk32.exe
File created | C:\Windows\SysWOW64\Kljgohme.dll | Ajfoea32.exe
File opened for modification | C:\Windows\SysWOW64\Alqplmlb.exe | Apgcbmha.exe
File opened for modification | C:\Windows\SysWOW64\Kjopnh32.exe | Kagkebpb.exe
File created | C:\Windows\SysWOW64\Jnlhbb32.exe | Injlmcib.exe
File opened for modification | C:\Windows\SysWOW64\Bhglpqeo.exe | Bjclfmfe.exe
File opened for modification | C:\Windows\SysWOW64\Kdhlmhgj.exe | Kfabfldd.exe
File created | C:\Windows\SysWOW64\Qjaejbmq.exe | Qddmbkoi.exe
File created | C:\Windows\SysWOW64\Emnelbdi.exe | Ebhani32.exe
File opened for modification | C:\Windows\SysWOW64\Bcbhmehg.exe | Bkgchckl.exe
File opened for modification | C:\Windows\SysWOW64\Iapjad32.exe | Ijfadkbm.exe
File created | C:\Windows\SysWOW64\Qjehem32.dll | Jegheghc.exe
File created | C:\Windows\SysWOW64\Kkngmm32.dll | Cghmni32.exe
File created | C:\Windows\SysWOW64\Nhalag32.exe | Noighakn.exe
File created | C:\Windows\SysWOW64\Naeppnfb.dll | Hgbdge32.exe
File opened for modification | C:\Windows\SysWOW64\Chkbjc32.exe | Cleaebna.exe
File opened for modification | C:\Windows\SysWOW64\Ffmnloih.exe | Emdjbi32.exe
File created | C:\Windows\SysWOW64\Mdoafi32.dll | Qkolil32.exe
File created | C:\Windows\SysWOW64\Ilnqhddd.exe | Ijhkembk.exe
File opened for modification | C:\Windows\SysWOW64\Pcahga32.exe | Pcokaa32.exe
File created | C:\Windows\SysWOW64\Iegaha32.exe | Hgbdge32.exe
File created | C:\Windows\SysWOW64\Fdnpkd32.dll | Kjeblf32.exe
File created | C:\Windows\SysWOW64\Hpnbjfjj.exe | Gdgadeee.exe
File created | C:\Windows\SysWOW64\Lplfkgmm.dll | Hpnbjfjj.exe
File opened for modification | C:\Windows\SysWOW64\Dbmnjenb.exe | Dieiap32.exe
File opened for modification | C:\Windows\SysWOW64\Mlfebcnd.exe | Laqadknn.exe
File created | C:\Windows\SysWOW64\Holgpe32.dll | Jkklpk32.exe
File created | C:\Windows\SysWOW64\Ngonpgqg.exe | Nlfmoidh.exe
File created | C:\Windows\SysWOW64\Hbajjiml.exe | Hiieqd32.exe
File opened for modification | C:\Windows\SysWOW64\Kgjgepqm.exe | Kmpfgklo.exe
File created | C:\Windows\SysWOW64\Gpjhgkof.dll | Jcodcp32.exe
File created | C:\Windows\SysWOW64\Bpbokj32.exe | Bdknfiea.exe
File created | C:\Windows\SysWOW64\Pfganlfn.dll | Qcigjolm.exe
File created | C:\Windows\SysWOW64\Alqljjam.dll | Aebllocg.exe
File created | C:\Windows\SysWOW64\Lafekm32.exe | Kgjgepqm.exe
File created | C:\Windows\SysWOW64\Ihckdmko.dll | Ggphji32.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
2440 | 3752 | WerFault.exe | 644
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | (the same key is opened by each of the 64 processes below)

Processes: Akpmhdqd.exe, Enokidgl.exe, Gaamobdf.exe, Ddoiei32.exe, Dgehfodh.exe, Hhjhgpcn.exe, Fpijgk32.exe, Hccbnhla.exe, Gpfbfh32.exe, Pmgnan32.exe, Ngcebnen.exe, Fhfdffll.exe, Idgmch32.exe, Okciddnh.exe, Oclpdf32.exe, Ooccap32.exe, Bcqlcj32.exe, Dpnogmbl.exe, Dpqlmm32.exe, Nidoamch.exe, Dbmnjenb.exe, Icnealbb.exe, Glhjpjok.exe, Pdegnn32.exe, Pefmkpbl.exe, Cnhhia32.exe, Okjdfq32.exe, Gckknqkg.exe, Ibqmen32.exe, Cincaq32.exe, Dmgokcja.exe, Kfhmhi32.exe, Idagdm32.exe, Mihkoa32.exe, Glgcec32.exe, Mipjbokm.exe, Amgggm32.exe, Chgkgmoo.exe, Kjpdoj32.exe, Hhhblgim.exe, Iganmp32.exe, Jbgbjh32.exe, Jaolad32.exe, Jcodcp32.exe, Licpki32.exe, Clphjc32.exe, Lgcooh32.exe, Fodljn32.exe, Knnmeh32.exe, Hqemlbqi.exe, Ijokcl32.exe, Bagncl32.exe, Dbaflm32.exe, Hiffbl32.exe, Ppnmbd32.exe, Pbqbioeb.exe, Bgablmfa.exe, Minnmomo.exe, Nlcpjj32.exe, Poegde32.exe, a6afc35a5956f424991f417a992289b0N.exe, Ggphji32.exe, Hcllmi32.exe, Peandcih.exe
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkckihel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgcnihnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjlgna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phooqo32.dll" Icnealbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhhgja32.dll" Fflgahfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcjmdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pegaje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpihafp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfhqiegh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okjdfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajqmqmfm.dll" Hfdbji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccoplcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqmadn32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlneglae.dll" Lgladc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpaem32.dll" Nqdaal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbenmb32.dll" Hkdkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbdhndib.dll" Chccfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djfagjai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bndckc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didlinpd.dll" Akhndf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nogjbbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdplmflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oceaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fflgahfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjdonndl.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecfcle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfjoqnd.dll" Abnbccia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lokpcekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lednal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gphmbolk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mddidnqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdoafi32.dll" Qkolil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afbpph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cffejk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akldhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqiipm32.dll" Blpibghg.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeoapde.dll"  Kagkebpb.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Abbknb32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Fdadbd32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Kgjgepqm.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinfah32.dll"  Nkfnln32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Efjklh32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Kqgmnk32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Minnmomo.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Ncellpog.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Jchjqc32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Eaclgf32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Hbajjiml.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labphb32.dll"  Dnfkefad.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Eimien32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhgfh32.dll"  Hhqmogam.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Iejpfjha.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Ibplji32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Kpkali32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flccpbpf.dll"  Ajcbpbkn.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Ghcbga32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Lneghd32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeppnfb.dll"  Hgbdge32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Qcdgei32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Gfcjqkbp.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Njmejaqb.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Dgkike32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Hhfcnb32.exe
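The registry writes above are two halves of one persistence mechanism: the ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" names a CLSID, and that CLSID's InProcServer32 default value names the DLL Explorer will load for it. The report also shows the same CLSID being re-pointed at a different dropped DLL (Dgeoapde.dll, Oinfah32.dll, Labphb32.dll, ...) by successive generations of the worm. The script below is an added triage example, not part of the sandbox report or of any tool it uses: it parses IoC lines in the report's own "<operation> <key>[ = "<data>"] <process>" shape, joins SSODL value to CLSID to DLL, keeps the full history of DLLs the CLSID was pointed at, and flags entries whose DLL is not on a baseline allowlist. The sample lines and their ordering, and the single allowlist entry, are constructed assumptions. One caveat the report does not spell out: every key written here is under Wow6432Node, the 32-bit view of HKLM\Software; on an x64 host the 64-bit explorer.exe reads the native SSODL key, so when checking a live system collect both views.

```python
import re
from collections import defaultdict

# Constructed sample (assumption): a few of the report's own registry IoC lines
# in the shape the report prints them. The ordering of the three InProcServer32
# writes is assumed; the report gives no timestamps.
SAMPLE_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmpfgklo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdadbd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeoapde.dll" Kagkebpb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbknb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinfah32.dll" Nkfnln32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labphb32.dll" Dnfkefad.exe
'''

# Hypothetical baseline (assumption): SSODL in-proc servers recorded from a
# known-clean host of the same build. Anything not on it is reported.
KNOWN_GOOD_SSODL_DLLS = {r"C:\Windows\System32\webcheck.dll"}

IOC_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'        # key path; ends in "\" for a default value
    r'(?: = "(?P<data>.*)")?'          # data is present only for Set value
    r' (?P<proc>\S+\.exe)$'            # process that performed the write
)
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$', re.I)
INPROC_RE = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32\\(?P<value>[^\\]*)$', re.I)


def parse_iocs(text):
    """Return a list of (operation, key, data or None, writing process)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IOC_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        data = m.group("data")
        if data is not None:
            data = data.replace("\\\\", "\\")   # report doubles backslashes in data
        events.append((m.group("op"), m.group("key"), data, m.group("proc")))
    return events


def resolve_ssodl(events, allowlist):
    """Join SSODL value -> CLSID -> InProcServer32 DLL, keeping every DLL the
    CLSID was pointed at so re-pointing by later generations stays visible."""
    allow = {p.lower() for p in allowlist}
    ssodl = {}                         # value name -> (clsid, key, last writer)
    dll_history = defaultdict(list)    # clsid -> DLL paths in report order
    threading = {}
    for op, key, data, proc in events:
        if op != "Set value (str)":
            continue
        m = SSODL_RE.search(key)
        if m:
            ssodl[m.group("name")] = (data.upper(), key, proc)
            continue
        m = INPROC_RE.search(key)
        if not m:
            continue
        clsid = m.group("clsid").upper()
        if m.group("value") == "":
            dll_history[clsid].append(data)
        elif m.group("value").lower() == "threadingmodel":
            threading[clsid] = data
    findings = []
    for name, (clsid, key, writer) in ssodl.items():
        history = dll_history.get(clsid, [])
        dll = history[-1] if history else None
        findings.append({
            "name": name,
            "clsid": clsid,
            "view": "32-bit (Wow6432Node)" if "\\wow6432node\\" in key.lower() else "64-bit (native)",
            "dll": dll,
            "dll_history": history,
            "threading_model": threading.get(clsid),
            "ssodl_writer": writer,
            "suspicious": dll is None or dll.lower() not in allow,
        })
    return findings


if __name__ == "__main__":
    for f in resolve_ssodl(parse_iocs(SAMPLE_IOCS), KNOWN_GOOD_SSODL_DLLS):
        flag = "SUSPICIOUS" if f["suspicious"] else "baseline"
        print(f"[{flag}] {f['name']} -> {f['clsid']} -> {f['dll']} ({f['view']})")
        print("  history:", " -> ".join(f["dll_history"]))
```

The same join works on a live host by feeding it the output of `reg query` for both the native and the Wow6432Node SSODL and CLSID keys; the allowlist should come from an image of the same Windows build, since SSODL has legitimate entries.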
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                  procid_target
Each of the 16 writer/target pairs below appears four times in the report (64 events in total).
PID 2304 wrote to memory of 1972   2304  a6afc35a5956f424991f417a992289b0N.exe    29
PID 1972 wrote to memory of 2852   1972  Fpfkhbon.exe                             30
PID 2852 wrote to memory of 2872   2852  Feccqime.exe                             31
PID 2872 wrote to memory of 2928   2872  Fpkdca32.exe                             32
PID 2928 wrote to memory of 2632   2928  Gklkdn32.exe                             33
PID 2632 wrote to memory of 1316   2632  Gfhikl32.exe                             34
PID 1316 wrote to memory of 1668   1316  Hhhblgim.exe                             35
PID 1668 wrote to memory of 2976   1668  Hikobfgj.exe                             36
PID 2976 wrote to memory of 2956   2976  Hkpaoape.exe                             37
PID 2956 wrote to memory of 564    2956  Ijhkembk.exe                             38
PID 564 wrote to memory of 2204    564   Ilnqhddd.exe                             39
PID 2204 wrote to memory of 1700   2204  Jiaaaicm.exe                             40
PID 1700 wrote to memory of 2336   1700  Jdplmflg.exe                             41
PID 2336 wrote to memory of 2184   2336  Jhndcd32.exe                             42
PID 2184 wrote to memory of 1160   2184  Kmpfgklo.exe                             43
PID 1160 wrote to memory of 876    1160  Kgjgepqm.exe                             44
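Read as a graph, the WriteProcessMemory events above are a single chain: every writer targets exactly one process, the one it has just spawned, and the target then becomes the next writer. Four writes per child at spawn time is what the parent's own CreateProcess path produces (it writes the new process's startup parameters into it), so on its own this signature is evidence of ordinary process creation, not of injection into an unrelated running process; what makes it worth reading here is the depth of the chain. The script below is an added example, not part of the report or of the sandbox's tooling: it parses event lines in the report's own format, collapses the repeated writes, reconstructs the writer-to-target chain from the submitted sample's PID, and refuses to report a chain if any process writes into more than one target or the graph loops. The sample events are a constructed subset of the list above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (assumption): the first four writer/target pairs from the
# report, each repeated four times exactly as the report lists them
# ("PID <writer> wrote to memory of <target> <writer pid> <writer image> <target index>").
SAMPLE_EVENTS = """
PID 2304 wrote to memory of 1972 2304 a6afc35a5956f424991f417a992289b0N.exe 29
PID 2304 wrote to memory of 1972 2304 a6afc35a5956f424991f417a992289b0N.exe 29
PID 2304 wrote to memory of 1972 2304 a6afc35a5956f424991f417a992289b0N.exe 29
PID 2304 wrote to memory of 1972 2304 a6afc35a5956f424991f417a992289b0N.exe 29
PID 1972 wrote to memory of 2852 1972 Fpfkhbon.exe 30
PID 1972 wrote to memory of 2852 1972 Fpfkhbon.exe 30
PID 1972 wrote to memory of 2852 1972 Fpfkhbon.exe 30
PID 1972 wrote to memory of 2852 1972 Fpfkhbon.exe 30
PID 2852 wrote to memory of 2872 2852 Feccqime.exe 31
PID 2852 wrote to memory of 2872 2852 Feccqime.exe 31
PID 2852 wrote to memory of 2872 2852 Feccqime.exe 31
PID 2852 wrote to memory of 2872 2852 Feccqime.exe 31
PID 2872 wrote to memory of 2928 2872 Fpkdca32.exe 32
PID 2872 wrote to memory of 2928 2872 Fpkdca32.exe 32
PID 2872 wrote to memory of 2928 2872 Fpkdca32.exe 32
PID 2872 wrote to memory of 2928 2872 Fpkdca32.exe 32
"""

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_events(text):
    """Return ({(writer pid, target pid): event count}, {writer pid: image name})."""
    edges, images = Counter(), {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised event line: {line!r}")
        src, dst, pid = int(m["src"]), int(m["dst"]), int(m["pid"])
        if src != pid:   # the description and the pid column must agree
            raise ValueError(f"description says PID {src} but pid column says {pid}")
        edges[(src, dst)] += 1
        images[src] = m["image"]
    return edges, images


def build_chain(edges, root):
    """Follow writer -> target edges from root; fail unless the graph is one linear chain."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chain, seen = [root], {root}
    while children.get(chain[-1]):
        kids = children[chain[-1]]
        if len(kids) != 1:
            raise ValueError(f"PID {chain[-1]} writes into {len(kids)} processes; not a linear chain")
        if kids[0] in seen:
            raise ValueError(f"cycle at PID {kids[0]}")
        chain.append(kids[0])
        seen.add(kids[0])
    return chain


def summarize(text, root):
    """Chain of PIDs from root, its length, how many writes each spawn produced,
    and the image name of every writer in order."""
    edges, images = parse_events(text)
    chain = build_chain(edges, root)
    return {
        "chain": chain,
        "generations": len(chain) - 1,
        "writes_per_target": sorted(set(edges.values())),
        "writers": [images[p] for p in chain[:-1]],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS, root=2304)
    print(" -> ".join(str(p) for p in s["chain"]))
    print(f"{s['generations']} generations, {s['writes_per_target']} writes per spawned child")
```

Run against the full 64-event list, the same code yields a 16-generation chain ending at PID 876 (Lafekm32.exe), which is where the report's WriteProcessMemory signature stops; the Processes section continues the chain past that point.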
Processes
The report nests each process one level deeper than the previous one (depth 1 to 122), so every entry below is the child of the entry above it. Image paths are under C:\Windows\SysWOW64 while the command lines name C:\Windows\system32: the dropped executables are 32-bit, so the system32 path they are launched with is redirected to SysWOW64 by WOW64 on this x64 host.

1    C:\Users\Admin\AppData\Local\Temp\a6afc35a5956f424991f417a992289b0N.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\a6afc35a5956f424991f417a992289b0N.exe")  PID 2304
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
2    C:\Windows\SysWOW64\Fpfkhbon.exe  (cmd: C:\Windows\system32\Fpfkhbon.exe)  PID 1972
     - Executes dropped EXE
     - Loads dropped DLL
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
3    C:\Windows\SysWOW64\Feccqime.exe  (cmd: C:\Windows\system32\Feccqime.exe)  PID 2852
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
4    C:\Windows\SysWOW64\Fpkdca32.exe  (cmd: C:\Windows\system32\Fpkdca32.exe)  PID 2872
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
5    C:\Windows\SysWOW64\Gklkdn32.exe  (cmd: C:\Windows\system32\Gklkdn32.exe)  PID 2928
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
6    C:\Windows\SysWOW64\Gfhikl32.exe  (cmd: C:\Windows\system32\Gfhikl32.exe)  PID 2632
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
7    C:\Windows\SysWOW64\Hhhblgim.exe  (cmd: C:\Windows\system32\Hhhblgim.exe)  PID 1316
     - Executes dropped EXE
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
8    C:\Windows\SysWOW64\Hikobfgj.exe  (cmd: C:\Windows\system32\Hikobfgj.exe)  PID 1668
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
9    C:\Windows\SysWOW64\Hkpaoape.exe  (cmd: C:\Windows\system32\Hkpaoape.exe)  PID 2976
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
10   C:\Windows\SysWOW64\Ijhkembk.exe  (cmd: C:\Windows\system32\Ijhkembk.exe)  PID 2956
     - Executes dropped EXE
     - Loads dropped DLL
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
11   C:\Windows\SysWOW64\Ilnqhddd.exe  (cmd: C:\Windows\system32\Ilnqhddd.exe)  PID 564
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
12   C:\Windows\SysWOW64\Jiaaaicm.exe  (cmd: C:\Windows\system32\Jiaaaicm.exe)  PID 2204
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
13   C:\Windows\SysWOW64\Jdplmflg.exe  (cmd: C:\Windows\system32\Jdplmflg.exe)  PID 1700
     - Executes dropped EXE
     - Loads dropped DLL
     - Drops file in System32 directory
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
14   C:\Windows\SysWOW64\Jhndcd32.exe  (cmd: C:\Windows\system32\Jhndcd32.exe)  PID 2336
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
15   C:\Windows\SysWOW64\Kmpfgklo.exe  (cmd: C:\Windows\system32\Kmpfgklo.exe)  PID 2184
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Loads dropped DLL
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
16   C:\Windows\SysWOW64\Kgjgepqm.exe  (cmd: C:\Windows\system32\Kgjgepqm.exe)  PID 1160
     - Executes dropped EXE
     - Loads dropped DLL
     - Drops file in System32 directory
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
17   C:\Windows\SysWOW64\Lafekm32.exe  (cmd: C:\Windows\system32\Lafekm32.exe)  PID 876
     - Executes dropped EXE
     - Loads dropped DLL
18   C:\Windows\SysWOW64\Lednal32.exe  (cmd: C:\Windows\system32\Lednal32.exe)  PID 3036
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Loads dropped DLL
     - Modifies registry class
19   C:\Windows\SysWOW64\Ldlghhde.exe  (cmd: C:\Windows\system32\Ldlghhde.exe)  PID 1096
     - Executes dropped EXE
     - Loads dropped DLL
20   C:\Windows\SysWOW64\Llgllj32.exe  (cmd: C:\Windows\system32\Llgllj32.exe)  PID 1520
     - Executes dropped EXE
     - Loads dropped DLL
21   C:\Windows\SysWOW64\Mgomoboc.exe  (cmd: C:\Windows\system32\Mgomoboc.exe)  PID 1076
     - Executes dropped EXE
     - Loads dropped DLL
22   C:\Windows\SysWOW64\Mqgahh32.exe  (cmd: C:\Windows\system32\Mqgahh32.exe)  PID 592
     - Executes dropped EXE
     - Loads dropped DLL
23   C:\Windows\SysWOW64\Mkqbhf32.exe  (cmd: C:\Windows\system32\Mkqbhf32.exe)  PID 904
     - Executes dropped EXE
     - Loads dropped DLL
24   C:\Windows\SysWOW64\Nbodpo32.exe  (cmd: C:\Windows\system32\Nbodpo32.exe)  PID 2440
     - Executes dropped EXE
     - Loads dropped DLL
25   C:\Windows\SysWOW64\Nqdaal32.exe  (cmd: C:\Windows\system32\Nqdaal32.exe)  PID 2712
     - Executes dropped EXE
     - Loads dropped DLL
     - Modifies registry class
26   C:\Windows\SysWOW64\Njmejaqb.exe  (cmd: C:\Windows\system32\Njmejaqb.exe)  PID 856
     - Executes dropped EXE
     - Loads dropped DLL
     - Modifies registry class
27   C:\Windows\SysWOW64\Nidoamch.exe  (cmd: C:\Windows\system32\Nidoamch.exe)  PID 2580
     - Executes dropped EXE
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
28   C:\Windows\SysWOW64\Nbmcjc32.exe  (cmd: C:\Windows\system32\Nbmcjc32.exe)  PID 1588
     - Executes dropped EXE
     - Loads dropped DLL
29   C:\Windows\SysWOW64\Oclpdf32.exe  (cmd: C:\Windows\system32\Oclpdf32.exe)  PID 2756
     - Executes dropped EXE
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
30   C:\Windows\SysWOW64\Oepianef.exe  (cmd: C:\Windows\system32\Oepianef.exe)  PID 2896
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Loads dropped DLL
31   C:\Windows\SysWOW64\Oaiglnih.exe  (cmd: C:\Windows\system32\Oaiglnih.exe)  PID 2660
     - Executes dropped EXE
     - Loads dropped DLL
32   C:\Windows\SysWOW64\Olokighn.exe  (cmd: C:\Windows\system32\Olokighn.exe)  PID 2796
     - Executes dropped EXE
     - Loads dropped DLL
33   C:\Windows\SysWOW64\Panpgn32.exe  (cmd: C:\Windows\system32\Panpgn32.exe)  PID 2684
     - Executes dropped EXE
34   C:\Windows\SysWOW64\Pmdalo32.exe  (cmd: C:\Windows\system32\Pmdalo32.exe)  PID 2392
     - Executes dropped EXE
35   C:\Windows\SysWOW64\Pmgnan32.exe  (cmd: C:\Windows\system32\Pmgnan32.exe)  PID 2404
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
36   C:\Windows\SysWOW64\Plljbkml.exe  (cmd: C:\Windows\system32\Plljbkml.exe)  PID 2836
     - Executes dropped EXE
37   C:\Windows\SysWOW64\Qkcdigpa.exe  (cmd: C:\Windows\system32\Qkcdigpa.exe)  PID 3016
     - Executes dropped EXE
38   C:\Windows\SysWOW64\Alcqcjgd.exe  (cmd: C:\Windows\system32\Alcqcjgd.exe)  PID 1396
     - Executes dropped EXE
39   C:\Windows\SysWOW64\Akhndf32.exe  (cmd: C:\Windows\system32\Akhndf32.exe)  PID 2124
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Modifies registry class
40   C:\Windows\SysWOW64\Apgcbmha.exe  (cmd: C:\Windows\system32\Apgcbmha.exe)  PID 2216
     - Executes dropped EXE
     - Drops file in System32 directory
41   C:\Windows\SysWOW64\Alqplmlb.exe  (cmd: C:\Windows\system32\Alqplmlb.exe)  PID 2040
     - Executes dropped EXE
42   C:\Windows\SysWOW64\Bhgaan32.exe  (cmd: C:\Windows\system32\Bhgaan32.exe)  PID 2188
     - Executes dropped EXE
43   C:\Windows\SysWOW64\Bfkakbpp.exe  (cmd: C:\Windows\system32\Bfkakbpp.exe)  PID 1628
     - Executes dropped EXE
44   C:\Windows\SysWOW64\Babbpc32.exe  (cmd: C:\Windows\system32\Babbpc32.exe)  PID 2288
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
45   C:\Windows\SysWOW64\Bnicddki.exe  (cmd: C:\Windows\system32\Bnicddki.exe)  PID 580
     - Executes dropped EXE
46   C:\Windows\SysWOW64\Bohoogbk.exe  (cmd: C:\Windows\system32\Bohoogbk.exe)  PID 1536
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
47   C:\Windows\SysWOW64\Cjbpoeoj.exe  (cmd: C:\Windows\system32\Cjbpoeoj.exe)  PID 1156
     - Executes dropped EXE
48   C:\Windows\SysWOW64\Ckamihfm.exe  (cmd: C:\Windows\system32\Ckamihfm.exe)  PID 908
     - Executes dropped EXE
49   C:\Windows\SysWOW64\Cghmni32.exe  (cmd: C:\Windows\system32\Cghmni32.exe)  PID 1148
     - Executes dropped EXE
     - Drops file in System32 directory
50   C:\Windows\SysWOW64\Cocbbk32.exe  (cmd: C:\Windows\system32\Cocbbk32.exe)  PID 868
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
51   C:\Windows\SysWOW64\Cmgblphf.exe  (cmd: C:\Windows\system32\Cmgblphf.exe)  PID 2036
     - Executes dropped EXE
52   C:\Windows\SysWOW64\Cincaq32.exe  (cmd: C:\Windows\system32\Cincaq32.exe)  PID 3056
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
53   C:\Windows\SysWOW64\Dpjhcj32.exe  (cmd: C:\Windows\system32\Dpjhcj32.exe)  PID 2588
     - Executes dropped EXE
54   C:\Windows\SysWOW64\Dgemgm32.exe  (cmd: C:\Windows\system32\Dgemgm32.exe)  PID 2960
     - Executes dropped EXE
55   C:\Windows\SysWOW64\Dieiap32.exe  (cmd: C:\Windows\system32\Dieiap32.exe)  PID 2768
     - Executes dropped EXE
     - Drops file in System32 directory
56   C:\Windows\SysWOW64\Dbmnjenb.exe  (cmd: C:\Windows\system32\Dbmnjenb.exe)  PID 1624
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
57   C:\Windows\SysWOW64\Dmgokcja.exe  (cmd: C:\Windows\system32\Dmgokcja.exe)  PID 2072
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
58   C:\Windows\SysWOW64\Dnfkefad.exe  (cmd: C:\Windows\system32\Dnfkefad.exe)  PID 2620
     - Executes dropped EXE
     - Modifies registry class
59   C:\Windows\SysWOW64\Ejmljg32.exe  (cmd: C:\Windows\system32\Ejmljg32.exe)  PID 2964
     - Executes dropped EXE
60   C:\Windows\SysWOW64\Ebhani32.exe  (cmd: C:\Windows\system32\Ebhani32.exe)  PID 1680
     - Executes dropped EXE
     - Drops file in System32 directory
61   C:\Windows\SysWOW64\Emnelbdi.exe  (cmd: C:\Windows\system32\Emnelbdi.exe)  PID 1228
     - Executes dropped EXE
62   C:\Windows\SysWOW64\Emqaaabg.exe  (cmd: C:\Windows\system32\Emqaaabg.exe)  PID 2480
     - Executes dropped EXE
63   C:\Windows\SysWOW64\Eleobngo.exe  (cmd: C:\Windows\system32\Eleobngo.exe)  PID 2196
     - Executes dropped EXE
64   C:\Windows\SysWOW64\Faedpdcc.exe  (cmd: C:\Windows\system32\Faedpdcc.exe)  PID 2232
     - Executes dropped EXE
65   C:\Windows\SysWOW64\Febmfcjj.exe  (cmd: C:\Windows\system32\Febmfcjj.exe)  PID 928
     - Executes dropped EXE
66   C:\Windows\SysWOW64\Fdhigo32.exe  (cmd: C:\Windows\system32\Fdhigo32.exe)  PID 2388
     - Drops file in System32 directory
67   C:\Windows\SysWOW64\Fhfbmn32.exe  (cmd: C:\Windows\system32\Fhfbmn32.exe)  PID 1936
68   C:\Windows\SysWOW64\Fangfcki.exe  (cmd: C:\Windows\system32\Fangfcki.exe)  PID 3032
69   C:\Windows\SysWOW64\Giikkehc.exe  (cmd: C:\Windows\system32\Giikkehc.exe)  PID 996
70   C:\Windows\SysWOW64\Ggmldj32.exe  (cmd: C:\Windows\system32\Ggmldj32.exe)  PID 2576
71   C:\Windows\SysWOW64\Ggphji32.exe  (cmd: C:\Windows\system32\Ggphji32.exe)  PID 2320
     - Drops file in System32 directory
     - System Location Discovery: System Language Discovery
72   C:\Windows\SysWOW64\Gphmbolk.exe  (cmd: C:\Windows\system32\Gphmbolk.exe)  PID 2108
     - Modifies registry class
73   C:\Windows\SysWOW64\Ghcbga32.exe  (cmd: C:\Windows\system32\Ghcbga32.exe)  PID 2784
     - Modifies registry class
74   C:\Windows\SysWOW64\Galfpgpg.exe  (cmd: C:\Windows\system32\Galfpgpg.exe)  PID 2720
75   C:\Windows\SysWOW64\Hkdkhl32.exe  (cmd: C:\Windows\system32\Hkdkhl32.exe)  PID 2400
     - Modifies registry class
76   C:\Windows\SysWOW64\Hgkknm32.exe  (cmd: C:\Windows\system32\Hgkknm32.exe)  PID 2052
77   C:\Windows\SysWOW64\Hhjhgpcn.exe  (cmd: C:\Windows\system32\Hhjhgpcn.exe)  PID 2944
     - System Location Discovery: System Language Discovery
78   C:\Windows\SysWOW64\Hqemlbqi.exe  (cmd: C:\Windows\system32\Hqemlbqi.exe)  PID 2156
     - System Location Discovery: System Language Discovery
79   C:\Windows\SysWOW64\Hnimeg32.exe  (cmd: C:\Windows\system32\Hnimeg32.exe)  PID 1296
80   C:\Windows\SysWOW64\Hfdbji32.exe  (cmd: C:\Windows\system32\Hfdbji32.exe)  PID 840
     - Modifies registry class
81   C:\Windows\SysWOW64\Homfboco.exe  (cmd: C:\Windows\system32\Homfboco.exe)  PID 2116
82   C:\Windows\SysWOW64\Imaglc32.exe  (cmd: C:\Windows\system32\Imaglc32.exe)  PID 3060
83   C:\Windows\SysWOW64\Ifikehii.exe  (cmd: C:\Windows\system32\Ifikehii.exe)  PID 2520
84   C:\Windows\SysWOW64\Ibplji32.exe  (cmd: C:\Windows\system32\Ibplji32.exe)  PID 756
     - Modifies registry class
85   C:\Windows\SysWOW64\Ibbioilj.exe  (cmd: C:\Windows\system32\Ibbioilj.exe)  PID 1120
86   C:\Windows\SysWOW64\Iniidj32.exe  (cmd: C:\Windows\system32\Iniidj32.exe)  PID 2564
87   C:\Windows\SysWOW64\Iganmp32.exe  (cmd: C:\Windows\system32\Iganmp32.exe)  PID 920
     - Drops file in System32 directory
     - System Location Discovery: System Language Discovery
88   C:\Windows\SysWOW64\Jbgbjh32.exe  (cmd: C:\Windows\system32\Jbgbjh32.exe)  PID 2848
     - System Location Discovery: System Language Discovery
89   C:\Windows\SysWOW64\Jmqckf32.exe  (cmd: C:\Windows\system32\Jmqckf32.exe)  PID 2812
90   C:\Windows\SysWOW64\Jfigdl32.exe  (cmd: C:\Windows\system32\Jfigdl32.exe)  PID 2656
91   C:\Windows\SysWOW64\Jaolad32.exe  (cmd: C:\Windows\system32\Jaolad32.exe)  PID 2936
     - System Location Discovery: System Language Discovery
92   C:\Windows\SysWOW64\Jfkdik32.exe  (cmd: C:\Windows\system32\Jfkdik32.exe)  PID 2732
93   C:\Windows\SysWOW64\Jcodcp32.exe  (cmd: C:\Windows\system32\Jcodcp32.exe)  PID 2256
     - Drops file in System32 directory
     - System Location Discovery: System Language Discovery
94   C:\Windows\SysWOW64\Jlkigbef.exe  (cmd: C:\Windows\system32\Jlkigbef.exe)  PID 1152
95   C:\Windows\SysWOW64\Kiojqfdp.exe  (cmd: C:\Windows\system32\Kiojqfdp.exe)  PID 1192
96   C:\Windows\SysWOW64\Kfbjjjci.exe  (cmd: C:\Windows\system32\Kfbjjjci.exe)  PID 1796
97   C:\Windows\SysWOW64\Kalkjh32.exe  (cmd: C:\Windows\system32\Kalkjh32.exe)  PID 2516
98   C:\Windows\SysWOW64\Kblhdkgk.exe  (cmd: C:\Windows\system32\Kblhdkgk.exe)  PID 1172
99   C:\Windows\SysWOW64\Kobhillo.exe  (cmd: C:\Windows\system32\Kobhillo.exe)  PID 1824
100  C:\Windows\SysWOW64\Khkmba32.exe  (cmd: C:\Windows\system32\Khkmba32.exe)  PID 2140
101  C:\Windows\SysWOW64\Lhmjha32.exe  (cmd: C:\Windows\system32\Lhmjha32.exe)  PID 1696
     - Adds autorun key to be loaded by Explorer.exe on startup
102  C:\Windows\SysWOW64\Laenqg32.exe  (cmd: C:\Windows\system32\Laenqg32.exe)  PID 2884
103  C:\Windows\SysWOW64\Lpkkbcle.exe  (cmd: C:\Windows\system32\Lpkkbcle.exe)  PID 2860
104  C:\Windows\SysWOW64\Licpki32.exe  (cmd: C:\Windows\system32\Licpki32.exe)  PID 2648
     - System Location Discovery: System Language Discovery
105  C:\Windows\SysWOW64\Llalgdbj.exe  (cmd: C:\Windows\system32\Llalgdbj.exe)  PID 880
106  C:\Windows\SysWOW64\Lggpdmap.exe  (cmd: C:\Windows\system32\Lggpdmap.exe)  PID 2132
107  C:\Windows\SysWOW64\Laqadknn.exe  (cmd: C:\Windows\system32\Laqadknn.exe)  PID 2912
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Drops file in System32 directory
108  C:\Windows\SysWOW64\Mlfebcnd.exe  (cmd: C:\Windows\system32\Mlfebcnd.exe)  PID 1576
     - Adds autorun key to be loaded by Explorer.exe on startup
109  C:\Windows\SysWOW64\Macnjk32.exe  (cmd: C:\Windows\system32\Macnjk32.exe)  PID 656
110  C:\Windows\SysWOW64\Mkkbcpbl.exe  (cmd: C:\Windows\system32\Mkkbcpbl.exe)  PID 800
111  C:\Windows\SysWOW64\Meafpibb.exe  (cmd: C:\Windows\system32\Meafpibb.exe)  PID 2292
112  C:\Windows\SysWOW64\Mgbcha32.exe  (cmd: C:\Windows\system32\Mgbcha32.exe)  PID 2968
113  C:\Windows\SysWOW64\Mpjgag32.exe  (cmd: C:\Windows\system32\Mpjgag32.exe)  PID 3048
114  C:\Windows\SysWOW64\Mpmdff32.exe  (cmd: C:\Windows\system32\Mpmdff32.exe)  PID 2608
115  C:\Windows\SysWOW64\Mnqdpj32.exe  (cmd: C:\Windows\system32\Mnqdpj32.exe)  PID 2724
     - Drops file in System32 directory
116  C:\Windows\SysWOW64\Ngiiip32.exe  (cmd: C:\Windows\system32\Ngiiip32.exe)  PID 2744
117  C:\Windows\SysWOW64\Njjbjk32.exe  (cmd: C:\Windows\system32\Njjbjk32.exe)  PID 1692
     - Drops file in System32 directory
118  C:\Windows\SysWOW64\Nogjbbma.exe  (cmd: C:\Windows\system32\Nogjbbma.exe)  PID 1724
     - Drops file in System32 directory
     - Modifies registry class
119  C:\Windows\SysWOW64\Nfqbol32.exe  (cmd: C:\Windows\system32\Nfqbol32.exe)  PID 2368
120  C:\Windows\SysWOW64\Noighakn.exe  (cmd: C:\Windows\system32\Noighakn.exe)  PID 3024
     - Drops file in System32 directory
121  C:\Windows\SysWOW64\Nhalag32.exe  (cmd: C:\Windows\system32\Nhalag32.exe)  PID 924
     - Adds autorun key to be loaded by Explorer.exe on startup
122  C:\Windows\SysWOW64\Opicgenj.exe  (cmd: C:\Windows\system32\Opicgenj.exe)  PID 1656