Analysis
-
max time kernel
143s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
03/09/2024, 05:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347.exe
-
Size
45KB
-
MD5
1fde2be25a784686a2e9fe9b9bdf16bf
-
SHA1
daec645523a6d5091dc85d119b243ed57202b700
-
SHA256
eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347
-
SHA512
634ad44db78e4bfec96674c825f8d97609c0a2db5186b2de0a8fae2013a6493280678e48728469125c2fb93d1ac1cdf97e01353d78cccf15b8da89e192fc092d
-
SSDEEP
768:vL1DEPtd4Soqc3LYQlmMKE2MVUO76RB6ILYc5IZnv7HRQOLx7777sM91vFTaeN/Q:vL1Do34tq6YfWTe1RdL/2ZDHeGx7777a
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jplinckj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfingaaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmiojla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjeld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boncej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchadifq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nicfnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiekadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Almjcobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feccqime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foqadnpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcgpiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbinad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onehadbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkihpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afqeaemk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mojaceln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njobpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgdbpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiodliep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkjeod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokfpjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflnkjhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icponb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplinckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pknakhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agilkijf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhkembk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfcadq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folhio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblbpnhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfijfdca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceoagcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbneekan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eahkag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjqifb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekblplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieiegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndnplk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkffohon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncbdjhnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbikf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Almjcobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjcnfcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfamko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mookod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgjpcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkkeeikj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjcleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flkohc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidjfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjofanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdkcgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qicoleno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflnkjhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdnme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogddpld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhikl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lafekm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldchdjom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejcab32.exe -
Executes dropped EXE 64 IoCs
pid Process 2212 Kapbmo32.exe 2828 Kabobo32.exe 1240 Lgphke32.exe 2844 Ldchdjom.exe 2900 Lnlmmo32.exe 2748 Lgdafeln.exe 2612 Lpmeojbo.exe 2504 Lfingaaf.exe 2980 Lkffohon.exe 2948 Lflklaoc.exe 2320 Lngpac32.exe 796 Mhlcnl32.exe 2484 Moflkfca.exe 2592 Mhopcl32.exe 2464 Mnlilb32.exe 1556 Mchadifq.exe 1704 Mmafmo32.exe 2220 Mfijfdca.exe 236 Mmcbbo32.exe 580 Mgigpgkd.exe 1868 Mflgkd32.exe 936 Nqakim32.exe 1100 Nfncad32.exe 1616 Nlklik32.exe 2548 Ncbdjhnf.exe 1528 Nlmiojla.exe 2840 Nfbmlckg.exe 2752 Nloedjin.exe 2904 Nbinad32.exe 2396 Nicfnn32.exe 2764 Nnpofe32.exe 2608 Oejgbonl.exe 2200 Oaaghp32.exe 2940 Ohkpdj32.exe 2500 Onehadbj.exe 3000 Odaqikaa.exe 1052 Omjeba32.exe 1684 Ofbikf32.exe 2272 Oiqegb32.exe 1208 Opkndldc.exe 1916 Oicbma32.exe 1488 Pbkgegad.exe 1424 Pejcab32.exe 1580 Pihlhagn.exe 1984 Pkihpi32.exe 2540 Pacqlcdi.exe 2572 Peolmb32.exe 1508 Phmiimlf.exe 2248 Pkkeeikj.exe 2732 Paemac32.exe 1976 Phoeomjc.exe 2120 Pknakhig.exe 2324 Pmlngdhk.exe 1960 Ppjjcogn.exe 2360 Qgdbpi32.exe 2124 Qicoleno.exe 2992 Qpmgho32.exe 684 Qggoeilh.exe 1912 Qiekadkl.exe 668 Qpocno32.exe 1048 Agilkijf.exe 2304 Alfdcp32.exe 584 Acplpjpj.exe 1284 Ajjeld32.exe -
Loads dropped DLL 64 IoCs
pid Process 2452 eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347.exe 2452 eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347.exe 2212 Kapbmo32.exe 2212 Kapbmo32.exe 2828 Kabobo32.exe 2828 Kabobo32.exe 1240 Lgphke32.exe 1240 Lgphke32.exe 2844 Ldchdjom.exe 2844 Ldchdjom.exe 2900 Lnlmmo32.exe 2900 Lnlmmo32.exe 2748 Lgdafeln.exe 2748 Lgdafeln.exe 2612 Lpmeojbo.exe 2612 Lpmeojbo.exe 2504 Lfingaaf.exe 2504 Lfingaaf.exe 2980 Lkffohon.exe 2980 Lkffohon.exe 2948 Lflklaoc.exe 2948 Lflklaoc.exe 2320 Lngpac32.exe 2320 Lngpac32.exe 796 Mhlcnl32.exe 796 Mhlcnl32.exe 2484 Moflkfca.exe 2484 Moflkfca.exe 2592 Mhopcl32.exe 2592 Mhopcl32.exe 2464 Mnlilb32.exe 2464 Mnlilb32.exe 1556 Mchadifq.exe 1556 Mchadifq.exe 1704 Mmafmo32.exe 1704 Mmafmo32.exe 2220 Mfijfdca.exe 2220 Mfijfdca.exe 236 Mmcbbo32.exe 236 Mmcbbo32.exe 580 Mgigpgkd.exe 580 Mgigpgkd.exe 1868 Mflgkd32.exe 1868 Mflgkd32.exe 936 Nqakim32.exe 936 Nqakim32.exe 1100 Nfncad32.exe 1100 Nfncad32.exe 1616 Nlklik32.exe 1616 Nlklik32.exe 2548 Ncbdjhnf.exe 2548 Ncbdjhnf.exe 1528 Nlmiojla.exe 1528 Nlmiojla.exe 2840 Nfbmlckg.exe 2840 Nfbmlckg.exe 2752 Nloedjin.exe 2752 Nloedjin.exe 2904 Nbinad32.exe 2904 Nbinad32.exe 2396 Nicfnn32.exe 2396 Nicfnn32.exe 2764 Nnpofe32.exe 2764 Nnpofe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ekgfkl32.exe Ekblplgo.exe File created C:\Windows\SysWOW64\Bmbmgjen.dll Nloedjin.exe File created C:\Windows\SysWOW64\Pmlngdhk.exe Pknakhig.exe File created C:\Windows\SysWOW64\Foqadnpq.exe Ficilgai.exe File created C:\Windows\SysWOW64\Acaoflhe.dll Ijhkembk.exe File created C:\Windows\SysWOW64\Oijmjdgq.dll Jblbpnhk.exe File created C:\Windows\SysWOW64\Gfbaeb32.dll Pacqlcdi.exe File opened for modification C:\Windows\SysWOW64\Aagfffbo.exe Alknnodh.exe File created C:\Windows\SysWOW64\Mcegqmpg.dll Mchadifq.exe File opened for modification C:\Windows\SysWOW64\Nfncad32.exe Nqakim32.exe File created C:\Windows\SysWOW64\Qicoleno.exe Qgdbpi32.exe File opened for modification C:\Windows\SysWOW64\Afqeaemk.exe Acbieing.exe File created C:\Windows\SysWOW64\Kpphgfli.dll Cgkanomj.exe File opened for modification C:\Windows\SysWOW64\Gknhjn32.exe Gcgpiq32.exe File created C:\Windows\SysWOW64\Qieklfmg.dll Lgdafeln.exe File created C:\Windows\SysWOW64\Lclijeeg.dll Mhlcnl32.exe File created C:\Windows\SysWOW64\Jlbjcd32.exe Jbjejojn.exe File opened for modification C:\Windows\SysWOW64\Nndhpqma.exe Mgjpcf32.exe File created C:\Windows\SysWOW64\Olkhll32.dll Gknhjn32.exe File created C:\Windows\SysWOW64\Dhkjod32.dll Jiaaaicm.exe File created C:\Windows\SysWOW64\Opgmqq32.dll Kfcadq32.exe File created C:\Windows\SysWOW64\Fkafkl32.dll Kpnbcfkc.exe File opened for modification C:\Windows\SysWOW64\Oicbma32.exe Opkndldc.exe File created C:\Windows\SysWOW64\Dpphipbk.exe Dcihdo32.exe File created C:\Windows\SysWOW64\Qielqc32.dll Elpldp32.exe File opened for modification C:\Windows\SysWOW64\Jlbjcd32.exe Jbjejojn.exe File opened for modification C:\Windows\SysWOW64\Lpmeojbo.exe Lgdafeln.exe File created C:\Windows\SysWOW64\Fabkfhch.dll Mnlilb32.exe File opened for modification C:\Windows\SysWOW64\Gjolpkhj.exe Gacgli32.exe File created C:\Windows\SysWOW64\Hejmhaqc.dll Jplinckj.exe File created C:\Windows\SysWOW64\Nkjeod32.exe Ndnplk32.exe File opened for modification C:\Windows\SysWOW64\Mccaodgj.exe Mfoqephq.exe File created C:\Windows\SysWOW64\Mbhnpplb.exe Mojaceln.exe File created C:\Windows\SysWOW64\Peolmb32.exe Pacqlcdi.exe File created C:\Windows\SysWOW64\Pknakhig.exe Phoeomjc.exe File created C:\Windows\SysWOW64\Kiamql32.exe Kfcadq32.exe File created C:\Windows\SysWOW64\Fmgklpjm.dll Lnlmmo32.exe File opened for modification C:\Windows\SysWOW64\Oejgbonl.exe Nnpofe32.exe File created C:\Windows\SysWOW64\Mhlcnl32.exe Lngpac32.exe File created C:\Windows\SysWOW64\Mjofanld.exe Mbhnpplb.exe File created C:\Windows\SysWOW64\Ldchdjom.exe Lgphke32.exe File opened for modification C:\Windows\SysWOW64\Mojaceln.exe Mfamko32.exe File opened for modification C:\Windows\SysWOW64\Ficilgai.exe Flphccbp.exe File created C:\Windows\SysWOW64\Hojqjp32.exe Hogddpld.exe File opened for modification C:\Windows\SysWOW64\Lngpac32.exe Lflklaoc.exe File created C:\Windows\SysWOW64\Mmchhqaf.dll Qpocno32.exe File created C:\Windows\SysWOW64\Bghlof32.dll Mchjjc32.exe File opened for modification C:\Windows\SysWOW64\Hmdnme32.exe Hfjfpkji.exe File created C:\Windows\SysWOW64\Lkepdbkb.exe Lafekm32.exe File opened for modification C:\Windows\SysWOW64\Olgehh32.exe Ncjcnfcn.exe File created C:\Windows\SysWOW64\Ohnemidj.exe Olgehh32.exe File created C:\Windows\SysWOW64\Bhfhnofg.exe Boncej32.exe File opened for modification C:\Windows\SysWOW64\Elpldp32.exe Eefdgeig.exe File created C:\Windows\SysWOW64\Ndhfppje.dll Ekblplgo.exe File created C:\Windows\SysWOW64\Hobjia32.exe Hmdnme32.exe File opened for modification C:\Windows\SysWOW64\Odaqikaa.exe Onehadbj.exe File opened for modification C:\Windows\SysWOW64\Ceoagcld.exe Cgkanomj.exe File created C:\Windows\SysWOW64\Gknnkain.dll Agilkijf.exe File created C:\Windows\SysWOW64\Omjdmfaj.dll Feccqime.exe File created C:\Windows\SysWOW64\Gacgli32.exe Goekpm32.exe File created C:\Windows\SysWOW64\Hoegoqng.exe Hmfkbeoc.exe File created C:\Windows\SysWOW64\Koehka32.dll Hmfkbeoc.exe File created C:\Windows\SysWOW64\Lafekm32.exe Lklmoccl.exe File opened for modification C:\Windows\SysWOW64\Mhlcnl32.exe Lngpac32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3476 3452 WerFault.exe 207 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moflkfca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjjcogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qggoeilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkjbpkag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flphccbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ficilgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nloedjin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmbagf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbjejojn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfamko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdafeln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acplpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogddpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhikhefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joepjokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafilj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkepdbkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfijfdca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnpofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkanomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekblplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafekm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alknnodh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokfpjai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhmgbif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlnaghp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpldp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijjgkmqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhcknpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkeol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcadq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjeld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagfffbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djqcki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjolpkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpocno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goekpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccaodgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppohf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfingaaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejcab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkihpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbneekan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdapggln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifceemdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplinckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keodflee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mookod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkjeod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbenpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnlmmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pihlhagn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacgli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johlpoij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mojaceln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nffcebdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmafmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgigpgkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaaghp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlngdhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekgfkl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkjod32.dll" Jiaaaicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kapbmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmafmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmchhqaf.dll" Qpocno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcoinndc.dll" Ceoagcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkjbpkag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hobjia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnlmmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmgklpjm.dll" Lnlmmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlbjcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geeqlobc.dll" Phoeomjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mookod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmkilcj.dll" Nndhpqma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeimfgod.dll" Mmcbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbhnpplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moflkfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoaabhm.dll" Alknnodh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pacqlcdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdapggln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbinad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djqcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoemjgn.dll" Foqadnpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfoqephq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdkcgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfijfdca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjeld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Copljmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gocnjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mchadifq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohkpdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icponb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnlilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqemkl32.dll" Nbinad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgdbpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inonmdda.dll" Hoegoqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opgmqq32.dll" Kfcadq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jceahq32.dll" Nnhakp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pejcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbfmc32.dll" Pihlhagn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpocno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imkqmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijhbkmbo.dll" Hogddpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejmhaqc.dll" Jplinckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfboi32.dll" Kfenjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmqcllm.dll" Ajjeld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehpgha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjofanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabpoe32.dll" Lflklaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagbnnje.dll" Mhopcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghalcja.dll" Opkndldc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijhkembk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njobpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgdafeln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpaood32.dll" Lpmeojbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgkanomj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcgpiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmmge32.dll" Hfmbfkhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnhakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinbpend.dll" Aggkdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ponioeij.dll" Fkjbpkag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koehka32.dll" Hmfkbeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kidjfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kihcakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfhcknpf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2452 wrote to memory of 2212 2452 eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347.exe 29 PID 2452 wrote to memory of 2212 2452 eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347.exe 29 PID 2452 wrote to memory of 2212 2452 eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347.exe 29 PID 2452 wrote to memory of 2212 2452 eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347.exe 29 PID 2212 wrote to memory of 2828 2212 Kapbmo32.exe 30 PID 2212 wrote to memory of 2828 2212 Kapbmo32.exe 30 PID 2212 wrote to memory of 2828 2212 Kapbmo32.exe 30 PID 2212 wrote to memory of 2828 2212 Kapbmo32.exe 30 PID 2828 wrote to memory of 1240 2828 Kabobo32.exe 31 PID 2828 wrote to memory of 1240 2828 Kabobo32.exe 31 PID 2828 wrote to memory of 1240 2828 Kabobo32.exe 31 PID 2828 wrote to memory of 1240 2828 Kabobo32.exe 31 PID 1240 wrote to memory of 2844 1240 Lgphke32.exe 32 PID 1240 wrote to memory of 2844 1240 Lgphke32.exe 32 PID 1240 wrote to memory of 2844 1240 Lgphke32.exe 32 PID 1240 wrote to memory of 2844 1240 Lgphke32.exe 32 PID 2844 wrote to memory of 2900 2844 Ldchdjom.exe 33 PID 2844 wrote to memory of 2900 2844 Ldchdjom.exe 33 PID 2844 wrote to memory of 2900 2844 Ldchdjom.exe 33 PID 2844 wrote to memory of 2900 2844 Ldchdjom.exe 33 PID 2900 wrote to memory of 2748 2900 Lnlmmo32.exe 34 PID 2900 wrote to memory of 2748 2900 Lnlmmo32.exe 34 PID 2900 wrote to memory of 2748 2900 Lnlmmo32.exe 34 PID 2900 wrote to memory of 2748 2900 Lnlmmo32.exe 34 PID 2748 wrote to memory of 2612 2748 Lgdafeln.exe 35 PID 2748 wrote to memory of 2612 2748 Lgdafeln.exe 35 PID 2748 wrote to memory of 2612 2748 Lgdafeln.exe 35 PID 2748 wrote to memory of 2612 2748 Lgdafeln.exe 35 PID 2612 wrote to memory of 2504 2612 Lpmeojbo.exe 36 PID 2612 wrote to memory of 2504 2612 Lpmeojbo.exe 36 PID 2612 wrote to memory of 2504 2612 Lpmeojbo.exe 36 PID 2612 wrote to memory of 2504 2612 Lpmeojbo.exe 36 PID 2504 wrote to memory of 2980 2504 Lfingaaf.exe 37 PID 2504 wrote to memory of 2980 2504 Lfingaaf.exe 37 PID 2504 wrote to memory of 2980 2504 Lfingaaf.exe 37 PID 2504 wrote to memory of 2980 2504 Lfingaaf.exe 37 PID 2980 wrote to memory of 2948 2980 Lkffohon.exe 38 PID 2980 wrote to memory of 2948 2980 Lkffohon.exe 38 PID 2980 wrote to memory of 2948 2980 Lkffohon.exe 38 PID 2980 wrote to memory of 2948 2980 Lkffohon.exe 38 PID 2948 wrote to memory of 2320 2948 Lflklaoc.exe 39 PID 2948 wrote to memory of 2320 2948 Lflklaoc.exe 39 PID 2948 wrote to memory of 2320 2948 Lflklaoc.exe 39 PID 2948 wrote to memory of 2320 2948 Lflklaoc.exe 39 PID 2320 wrote to memory of 796 2320 Lngpac32.exe 40 PID 2320 wrote to memory of 796 2320 Lngpac32.exe 40 PID 2320 wrote to memory of 796 2320 Lngpac32.exe 40 PID 2320 wrote to memory of 796 2320 Lngpac32.exe 40 PID 796 wrote to memory of 2484 796 Mhlcnl32.exe 41 PID 796 wrote to memory of 2484 796 Mhlcnl32.exe 41 PID 796 wrote to memory of 2484 796 Mhlcnl32.exe 41 PID 796 wrote to memory of 2484 796 Mhlcnl32.exe 41 PID 2484 wrote to memory of 2592 2484 Moflkfca.exe 42 PID 2484 wrote to memory of 2592 2484 Moflkfca.exe 42 PID 2484 wrote to memory of 2592 2484 Moflkfca.exe 42 PID 2484 wrote to memory of 2592 2484 Moflkfca.exe 42 PID 2592 wrote to memory of 2464 2592 Mhopcl32.exe 43 PID 2592 wrote to memory of 2464 2592 Mhopcl32.exe 43 PID 2592 wrote to memory of 2464 2592 Mhopcl32.exe 43 PID 2592 wrote to memory of 2464 2592 Mhopcl32.exe 43 PID 2464 wrote to memory of 1556 2464 Mnlilb32.exe 44 PID 2464 wrote to memory of 1556 2464 Mnlilb32.exe 44 PID 2464 wrote to memory of 1556 2464 Mnlilb32.exe 44 PID 2464 wrote to memory of 1556 2464 Mnlilb32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347.exe"C:\Users\Admin\AppData\Local\Temp\eed7dede10ecf9a784bd95894cceaf169984caeccaf2329a903762501e93e347.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Kapbmo32.exeC:\Windows\system32\Kapbmo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Kabobo32.exeC:\Windows\system32\Kabobo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Lgphke32.exeC:\Windows\system32\Lgphke32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Ldchdjom.exeC:\Windows\system32\Ldchdjom.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Lnlmmo32.exeC:\Windows\system32\Lnlmmo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Lgdafeln.exeC:\Windows\system32\Lgdafeln.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Lpmeojbo.exeC:\Windows\system32\Lpmeojbo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Lfingaaf.exeC:\Windows\system32\Lfingaaf.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Lkffohon.exeC:\Windows\system32\Lkffohon.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Lflklaoc.exeC:\Windows\system32\Lflklaoc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Lngpac32.exeC:\Windows\system32\Lngpac32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Mhlcnl32.exeC:\Windows\system32\Mhlcnl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Moflkfca.exeC:\Windows\system32\Moflkfca.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Mhopcl32.exeC:\Windows\system32\Mhopcl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Mchadifq.exeC:\Windows\system32\Mchadifq.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Mmcbbo32.exeC:\Windows\system32\Mmcbbo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:236 -
C:\Windows\SysWOW64\Mgigpgkd.exeC:\Windows\system32\Mgigpgkd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Mflgkd32.exeC:\Windows\system32\Mflgkd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Nqakim32.exeC:\Windows\system32\Nqakim32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Nfncad32.exeC:\Windows\system32\Nfncad32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Nlklik32.exeC:\Windows\system32\Nlklik32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Ncbdjhnf.exeC:\Windows\system32\Ncbdjhnf.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Nfbmlckg.exeC:\Windows\system32\Nfbmlckg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Nloedjin.exeC:\Windows\system32\Nloedjin.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Nbinad32.exeC:\Windows\system32\Nbinad32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Nnpofe32.exeC:\Windows\system32\Nnpofe32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Oejgbonl.exeC:\Windows\system32\Oejgbonl.exe33⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Oaaghp32.exeC:\Windows\system32\Oaaghp32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Odaqikaa.exeC:\Windows\system32\Odaqikaa.exe37⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Omjeba32.exeC:\Windows\system32\Omjeba32.exe38⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Oiqegb32.exeC:\Windows\system32\Oiqegb32.exe40⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Oicbma32.exeC:\Windows\system32\Oicbma32.exe42⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Pbkgegad.exeC:\Windows\system32\Pbkgegad.exe43⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Pejcab32.exeC:\Windows\system32\Pejcab32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Pkihpi32.exeC:\Windows\system32\Pkihpi32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe48⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe49⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Pkkeeikj.exeC:\Windows\system32\Pkkeeikj.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe51⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Phoeomjc.exeC:\Windows\system32\Phoeomjc.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Pknakhig.exeC:\Windows\system32\Pknakhig.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Pmlngdhk.exeC:\Windows\system32\Pmlngdhk.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Ppjjcogn.exeC:\Windows\system32\Ppjjcogn.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Qgdbpi32.exeC:\Windows\system32\Qgdbpi32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Qicoleno.exeC:\Windows\system32\Qicoleno.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Qpmgho32.exeC:\Windows\system32\Qpmgho32.exe58⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Qggoeilh.exeC:\Windows\system32\Qggoeilh.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:684 -
C:\Windows\SysWOW64\Qiekadkl.exeC:\Windows\system32\Qiekadkl.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Qpocno32.exeC:\Windows\system32\Qpocno32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Agilkijf.exeC:\Windows\system32\Agilkijf.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Alfdcp32.exeC:\Windows\system32\Alfdcp32.exe63⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Acplpjpj.exeC:\Windows\system32\Acplpjpj.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:584 -
C:\Windows\SysWOW64\Ajjeld32.exeC:\Windows\system32\Ajjeld32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Acbieing.exeC:\Windows\system32\Acbieing.exe66⤵
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Alknnodh.exeC:\Windows\system32\Alknnodh.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Aagfffbo.exeC:\Windows\system32\Aagfffbo.exe69⤵
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\Almjcobe.exeC:\Windows\system32\Almjcobe.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Aokfpjai.exeC:\Windows\system32\Aokfpjai.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Abjcleqm.exeC:\Windows\system32\Abjcleqm.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Aggkdlod.exeC:\Windows\system32\Aggkdlod.exe73⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Bhfhnofg.exeC:\Windows\system32\Bhfhnofg.exe75⤵PID:2584
-
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe76⤵PID:3060
-
C:\Windows\SysWOW64\Bgkeol32.exeC:\Windows\system32\Bgkeol32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Bmhmgbif.exeC:\Windows\system32\Bmhmgbif.exe78⤵
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe79⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Copljmpo.exeC:\Windows\system32\Copljmpo.exe80⤵
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Cgkanomj.exeC:\Windows\system32\Cgkanomj.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Ceoagcld.exeC:\Windows\system32\Ceoagcld.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Djqcki32.exeC:\Windows\system32\Djqcki32.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Dcihdo32.exeC:\Windows\system32\Dcihdo32.exe84⤵
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Dpphipbk.exeC:\Windows\system32\Dpphipbk.exe85⤵PID:1484
-
C:\Windows\SysWOW64\Dbneekan.exeC:\Windows\system32\Dbneekan.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe87⤵
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Dflnkjhe.exeC:\Windows\system32\Dflnkjhe.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Dmffhd32.exeC:\Windows\system32\Dmffhd32.exe89⤵PID:2052
-
C:\Windows\SysWOW64\Dfnjqifb.exeC:\Windows\system32\Dfnjqifb.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560 -
C:\Windows\SysWOW64\Ehpgha32.exeC:\Windows\system32\Ehpgha32.exe91⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Eahkag32.exeC:\Windows\system32\Eahkag32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Ehbcnajn.exeC:\Windows\system32\Ehbcnajn.exe93⤵PID:648
-
C:\Windows\SysWOW64\Eefdgeig.exeC:\Windows\system32\Eefdgeig.exe94⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Elpldp32.exeC:\Windows\system32\Elpldp32.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Ekblplgo.exeC:\Windows\system32\Ekblplgo.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Ekgfkl32.exeC:\Windows\system32\Ekgfkl32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Fkjbpkag.exeC:\Windows\system32\Fkjbpkag.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Flkohc32.exeC:\Windows\system32\Flkohc32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Feccqime.exeC:\Windows\system32\Feccqime.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\Fpihnbmk.exeC:\Windows\system32\Fpihnbmk.exe101⤵PID:2440
-
C:\Windows\SysWOW64\Folhio32.exeC:\Windows\system32\Folhio32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Flphccbp.exeC:\Windows\system32\Flphccbp.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Ficilgai.exeC:\Windows\system32\Ficilgai.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Foqadnpq.exeC:\Windows\system32\Foqadnpq.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Fhifmcfa.exeC:\Windows\system32\Fhifmcfa.exe106⤵PID:3028
-
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe107⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Ghkbccdn.exeC:\Windows\system32\Ghkbccdn.exe108⤵PID:956
-
C:\Windows\SysWOW64\Goekpm32.exeC:\Windows\system32\Goekpm32.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Gacgli32.exeC:\Windows\system32\Gacgli32.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Gjolpkhj.exeC:\Windows\system32\Gjolpkhj.exe111⤵
- System Location Discovery: System Language Discovery
PID:552 -
C:\Windows\SysWOW64\Gcgpiq32.exeC:\Windows\system32\Gcgpiq32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Gknhjn32.exeC:\Windows\system32\Gknhjn32.exe113⤵
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Gfhikl32.exeC:\Windows\system32\Gfhikl32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\Gmbagf32.exeC:\Windows\system32\Gmbagf32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Hfjfpkji.exeC:\Windows\system32\Hfjfpkji.exe116⤵
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Hmdnme32.exeC:\Windows\system32\Hmdnme32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Hobjia32.exeC:\Windows\system32\Hobjia32.exe118⤵
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Hfmbfkhf.exeC:\Windows\system32\Hfmbfkhf.exe119⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Hmfkbeoc.exeC:\Windows\system32\Hmfkbeoc.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Hoegoqng.exeC:\Windows\system32\Hoegoqng.exe121⤵
- Modifies registry class
PID:560
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-