Analysis
-
max time kernel
110s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-09-2024 08:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ebfc03e219b7c0967734075bc25bb930N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ebfc03e219b7c0967734075bc25bb930N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ebfc03e219b7c0967734075bc25bb930N.exe
-
Size
94KB
-
MD5
ebfc03e219b7c0967734075bc25bb930
-
SHA1
66a879a47bdb34f2423800c55b44bf7244777de0
-
SHA256
3c1fb6c8ec156821ea97993f6f4656ce81a6b0a9aced5db93bd451a5f84aba6a
-
SHA512
5c50a675a3779d26293ef2f8335628ebb71d7140d1be3ba7b1d226cf586f3e8a52f4d5d3534d1f0c1843cfd6dc133353d4fa337f330e910bde10a3ef3a5fb08e
-
SSDEEP
1536:NJQgBaAuINh3KX6y1cbxqrf2LDS5DUHRbPa9b6i+sImo71+jqx:NJsAvfaqyOxRDS5DSCopsIm81+jqx
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqcmcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lolofd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalhgogb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhfdffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mopdpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdojnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfnckhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnabffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmckpko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ficehj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggbieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Codbqonk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiebnjbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghoijebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhklna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooggpiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbmip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doabjbci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edcqjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qifnhaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebcmfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncolfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clciod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfbqgldn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdeoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjkfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Floeof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldbjdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnjeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefhlcdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfbfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mejmmqpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afqhjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqfabdaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjcjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Genlgnhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhhehpbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peeoidik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkbpke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmeebpkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngcll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfbqgldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gibbgmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmchcnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlahdkjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bllcnega.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eannmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icplje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpikik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijfch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gibbgmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khojcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakaaepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmlfmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpbhjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofaolcmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omfnnnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbkjap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkmaed32.exe -
Executes dropped EXE 64 IoCs
pid Process 2796 Peeoidik.exe 2116 Pdhpdq32.exe 2592 Ppopja32.exe 2564 Qjddgj32.exe 3012 Qmbqcf32.exe 408 Qfkelkkd.exe 2960 Qiiahgjh.exe 296 Qbafalph.exe 1164 Afmbak32.exe 2216 Aohgfm32.exe 2224 Abdbflnf.exe 1304 Aphcppmo.exe 1364 Aedlhg32.exe 2308 Aipgifcp.exe 2344 Akadpn32.exe 692 Aaklmhak.exe 600 Adjhicpo.exe 928 Anbmbi32.exe 1292 Aanibhoh.exe 2324 Agkako32.exe 2980 Andjgidl.exe 812 Bikjmj32.exe 1048 Babbng32.exe 2232 Bkkgfm32.exe 2696 Bllcnega.exe 2840 Bphooc32.exe 2804 Bedhgj32.exe 2848 Blnpddeo.exe 2524 Bomlppdb.exe 2584 Bgddam32.exe 1532 Blqmid32.exe 1508 Clciod32.exe 2260 Ccmblnif.exe 1732 Codbqonk.exe 2448 Cngcll32.exe 2464 Cgogealf.exe 2148 Cofofolh.exe 1700 Cnipak32.exe 1256 Chocodch.exe 2528 Cqjhcfpc.exe 2428 Cdedde32.exe 2460 Ckomqopi.exe 1484 Cjbmll32.exe 1888 Dfinam32.exe 2300 Djdjalea.exe 1764 Dqobnf32.exe 1012 Doabjbci.exe 1916 Dghjkpck.exe 2576 Djgfgkbo.exe 2700 Dijfch32.exe 2164 Dmebcgbb.exe 2632 Docopbaf.exe 1976 Dbbklnpj.exe 1344 Dmgoif32.exe 2432 Dkjpdcfj.exe 2608 Dcageqgm.exe 2004 Dfpcblfp.exe 1284 Dinpnged.exe 1648 Dkmljcdh.exe 2352 Dnkhfnck.exe 1168 Dfbqgldn.exe 1908 Deeqch32.exe 1312 Dgcmod32.exe 856 Epkepakn.exe -
Loads dropped DLL 64 IoCs
pid Process 2076 ebfc03e219b7c0967734075bc25bb930N.exe 2076 ebfc03e219b7c0967734075bc25bb930N.exe 2796 Peeoidik.exe 2796 Peeoidik.exe 2116 Pdhpdq32.exe 2116 Pdhpdq32.exe 2592 Ppopja32.exe 2592 Ppopja32.exe 2564 Qjddgj32.exe 2564 Qjddgj32.exe 3012 Qmbqcf32.exe 3012 Qmbqcf32.exe 408 Qfkelkkd.exe 408 Qfkelkkd.exe 2960 Qiiahgjh.exe 2960 Qiiahgjh.exe 296 Qbafalph.exe 296 Qbafalph.exe 1164 Afmbak32.exe 1164 Afmbak32.exe 2216 Aohgfm32.exe 2216 Aohgfm32.exe 2224 Abdbflnf.exe 2224 Abdbflnf.exe 1304 Aphcppmo.exe 1304 Aphcppmo.exe 1364 Aedlhg32.exe 1364 Aedlhg32.exe 2308 Aipgifcp.exe 2308 Aipgifcp.exe 2344 Akadpn32.exe 2344 Akadpn32.exe 692 Aaklmhak.exe 692 Aaklmhak.exe 600 Adjhicpo.exe 600 Adjhicpo.exe 928 Anbmbi32.exe 928 Anbmbi32.exe 1292 Aanibhoh.exe 1292 Aanibhoh.exe 2324 Agkako32.exe 2324 Agkako32.exe 2980 Andjgidl.exe 2980 Andjgidl.exe 812 Bikjmj32.exe 812 Bikjmj32.exe 1048 Babbng32.exe 1048 Babbng32.exe 2232 Bkkgfm32.exe 2232 Bkkgfm32.exe 2696 Bllcnega.exe 2696 Bllcnega.exe 2840 Bphooc32.exe 2840 Bphooc32.exe 2804 Bedhgj32.exe 2804 Bedhgj32.exe 2848 Blnpddeo.exe 2848 Blnpddeo.exe 2524 Bomlppdb.exe 2524 Bomlppdb.exe 2584 Bgddam32.exe 2584 Bgddam32.exe 1532 Blqmid32.exe 1532 Blqmid32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pbjifgcd.exe Plpqim32.exe File created C:\Windows\SysWOW64\Cgjgol32.exe Cdkkcp32.exe File created C:\Windows\SysWOW64\Dbbklnpj.exe Docopbaf.exe File created C:\Windows\SysWOW64\Gaeqmk32.exe Flhhed32.exe File created C:\Windows\SysWOW64\Jkfpjf32.exe Jihdnk32.exe File opened for modification C:\Windows\SysWOW64\Miclhpjp.exe Maldfbjn.exe File opened for modification C:\Windows\SysWOW64\Djdjalea.exe Dfinam32.exe File created C:\Windows\SysWOW64\Dkjpdcfj.exe Dmgoif32.exe File created C:\Windows\SysWOW64\Iqapnjli.exe Hbnpbm32.exe File opened for modification C:\Windows\SysWOW64\Amoibc32.exe Ajamfh32.exe File created C:\Windows\SysWOW64\Dmebcgbb.exe Dijfch32.exe File created C:\Windows\SysWOW64\Jjnjqb32.exe Jkkjeeke.exe File created C:\Windows\SysWOW64\Lpaehl32.exe Laodmoep.exe File created C:\Windows\SysWOW64\Einlmkhp.exe Efppqoil.exe File created C:\Windows\SysWOW64\Ijqjgo32.exe Ibibfa32.exe File created C:\Windows\SysWOW64\Elllck32.dll Iifghk32.exe File created C:\Windows\SysWOW64\Ldkdckff.exe Lalhgogb.exe File created C:\Windows\SysWOW64\Cpfhcjhd.dll Nfglfdeb.exe File created C:\Windows\SysWOW64\Eiilge32.exe Ejfllhao.exe File created C:\Windows\SysWOW64\Jnllkimj.dll Cjbmll32.exe File opened for modification C:\Windows\SysWOW64\Gdjcjf32.exe Glckihcg.exe File created C:\Windows\SysWOW64\Hhmhcigh.exe Genlgnhd.exe File created C:\Windows\SysWOW64\Ppfafphp.dll Kflafbak.exe File created C:\Windows\SysWOW64\Qblfkgqb.exe Qpniokan.exe File created C:\Windows\SysWOW64\Ihcbim32.dll Qblfkgqb.exe File created C:\Windows\SysWOW64\Hclemh32.dll Dqfabdaf.exe File opened for modification C:\Windows\SysWOW64\Enhaeldn.exe Elieipej.exe File opened for modification C:\Windows\SysWOW64\Fhmldfdm.exe Fenphjei.exe File created C:\Windows\SysWOW64\Ggdekbgb.exe Gdfiofhn.exe File created C:\Windows\SysWOW64\Imjmhkpj.exe Ijlaloaf.exe File created C:\Windows\SysWOW64\Bnlpkh32.dll Jkkjeeke.exe File created C:\Windows\SysWOW64\Heldbm32.dll ebfc03e219b7c0967734075bc25bb930N.exe File created C:\Windows\SysWOW64\Ngbpehpj.exe Nddcimag.exe File opened for modification C:\Windows\SysWOW64\Nggipg32.exe Nopaoj32.exe File created C:\Windows\SysWOW64\Mofapq32.dll Elieipej.exe File created C:\Windows\SysWOW64\Lmglihnc.dll Ndfpnl32.exe File created C:\Windows\SysWOW64\Dnknlm32.dll Cgjgol32.exe File opened for modification C:\Windows\SysWOW64\Eqngcc32.exe Eifobe32.exe File created C:\Windows\SysWOW64\Afmbak32.exe Qbafalph.exe File created C:\Windows\SysWOW64\Dfmkfcib.dll Cdedde32.exe File created C:\Windows\SysWOW64\Fiqibj32.exe Ffbmfo32.exe File created C:\Windows\SysWOW64\Bgdkfk32.dll Ggdekbgb.exe File opened for modification C:\Windows\SysWOW64\Iqapnjli.exe Hbnpbm32.exe File opened for modification C:\Windows\SysWOW64\Leegbnan.exe Lolofd32.exe File opened for modification C:\Windows\SysWOW64\Oggeokoq.exe Oehicoom.exe File opened for modification C:\Windows\SysWOW64\Dkgldm32.exe Dhiphb32.exe File created C:\Windows\SysWOW64\Ajnqphhe.exe Ahpddmia.exe File created C:\Windows\SysWOW64\Kglenb32.dll Cnhhge32.exe File opened for modification C:\Windows\SysWOW64\Emeobj32.exe Ejfbfo32.exe File opened for modification C:\Windows\SysWOW64\Mlolnllf.exe Mhdpnm32.exe File created C:\Windows\SysWOW64\Miclhpjp.exe Maldfbjn.exe File created C:\Windows\SysWOW64\Moenkf32.exe Mgnfji32.exe File created C:\Windows\SysWOW64\Jfjhbo32.exe Jbnlaqhi.exe File opened for modification C:\Windows\SysWOW64\Cbjnqh32.exe Coladm32.exe File created C:\Windows\SysWOW64\Noingpnc.dll Dfbqgldn.exe File created C:\Windows\SysWOW64\Lhimji32.exe Lpaehl32.exe File opened for modification C:\Windows\SysWOW64\Pbglpg32.exe Pcdldknm.exe File created C:\Windows\SysWOW64\Aeokba32.exe Aadobccg.exe File created C:\Windows\SysWOW64\Dfinam32.exe Cjbmll32.exe File opened for modification C:\Windows\SysWOW64\Deeqch32.exe Dfbqgldn.exe File created C:\Windows\SysWOW64\Eoeffhea.dll Iqapnjli.exe File opened for modification C:\Windows\SysWOW64\Meecaa32.exe Mcggef32.exe File created C:\Windows\SysWOW64\Obecld32.exe Ooggpiek.exe File opened for modification C:\Windows\SysWOW64\Qjgjpi32.exe Qldjdlgb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5644 5620 WerFault.exe 474 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjjkkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glckihcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijmbnpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blipno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggjjlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpelq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkbpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmblnif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pglojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhcndhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnpbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbmll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiqibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajfgnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albjnplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppobaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfbfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhgba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiaipmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aifjgdkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqddmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedhgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdfqogm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkilka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdldknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemomb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkgldm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphooc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlfmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oknhdjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khojcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijfch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinpnged.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpban32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggklka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgjdong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmalgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okinik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahngomkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkeoongd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjgio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boleejag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccqhdmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djafaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iblola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikcbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ebfc03e219b7c0967734075bc25bb930N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagmbkik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgjgol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epkepakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffbmfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbglpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibbgmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjbclamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnabffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbenacdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncjad32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpccle32.dll" Aphcppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaefhgm.dll" Dgcmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pglojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcdgpcj.dll" Ahpddmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkooael.dll" Dhgccbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noingpnc.dll" Dfbqgldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficfbkij.dll" Enpban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heldbm32.dll" ebfc03e219b7c0967734075bc25bb930N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkaegg32.dll" Ckomqopi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flfkoeoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkekbn32.dll" Omhkcnfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkagib32.dll" Ojeakfnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbqkeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll" Efmlqigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiakeijo.dll" Fnjnkkbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bllcnega.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkmaed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijlaloaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhjppcf.dll" Jihdnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfkbpjk.dll" Aaflgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blipno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlboca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiokholk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blqmid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emeobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gagmbkik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onebep32.dll" Gajjhkgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmhbgpia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpfpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfjildbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anbmbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cofofolh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggdekbgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhiaadn.dll" Geloanjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcblqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqkpmaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecgjdong.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agkako32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmebcgbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlohmonb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnckki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijlaloaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icdeee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofbagcb.dll" Njhbabif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihkmh32.dll" Aedlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjbpi32.dll" Blqmid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbklnpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcikog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahcle32.dll" Khojcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdajpkkj.dll" Blkmdodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eebibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aipgifcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfkoeoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcjjkkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpfci32.dll" Ddmchcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feiepkmi.dll" Ffdilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkffhjh.dll" Gagmbkik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icplje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiahnnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnboph.dll" Dqddmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eifobe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afmbak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgehjlpm.dll" Cofofolh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2076 wrote to memory of 2796 2076 ebfc03e219b7c0967734075bc25bb930N.exe 30 PID 2076 wrote to memory of 2796 2076 ebfc03e219b7c0967734075bc25bb930N.exe 30 PID 2076 wrote to memory of 2796 2076 ebfc03e219b7c0967734075bc25bb930N.exe 30 PID 2076 wrote to memory of 2796 2076 ebfc03e219b7c0967734075bc25bb930N.exe 30 PID 2796 wrote to memory of 2116 2796 Peeoidik.exe 31 PID 2796 wrote to memory of 2116 2796 Peeoidik.exe 31 PID 2796 wrote to memory of 2116 2796 Peeoidik.exe 31 PID 2796 wrote to memory of 2116 2796 Peeoidik.exe 31 PID 2116 wrote to memory of 2592 2116 Pdhpdq32.exe 32 PID 2116 wrote to memory of 2592 2116 Pdhpdq32.exe 32 PID 2116 wrote to memory of 2592 2116 Pdhpdq32.exe 32 PID 2116 wrote to memory of 2592 2116 Pdhpdq32.exe 32 PID 2592 wrote to memory of 2564 2592 Ppopja32.exe 33 PID 2592 wrote to memory of 2564 2592 Ppopja32.exe 33 PID 2592 wrote to memory of 2564 2592 Ppopja32.exe 33 PID 2592 wrote to memory of 2564 2592 Ppopja32.exe 33 PID 2564 wrote to memory of 3012 2564 Qjddgj32.exe 34 PID 2564 wrote to memory of 3012 2564 Qjddgj32.exe 34 PID 2564 wrote to memory of 3012 2564 Qjddgj32.exe 34 PID 2564 wrote to memory of 3012 2564 Qjddgj32.exe 34 PID 3012 wrote to memory of 408 3012 Qmbqcf32.exe 35 PID 3012 wrote to memory of 408 3012 Qmbqcf32.exe 35 PID 3012 wrote to memory of 408 3012 Qmbqcf32.exe 35 PID 3012 wrote to memory of 408 3012 Qmbqcf32.exe 35 PID 408 wrote to memory of 2960 408 Qfkelkkd.exe 36 PID 408 wrote to memory of 2960 408 Qfkelkkd.exe 36 PID 408 wrote to memory of 2960 408 Qfkelkkd.exe 36 PID 408 wrote to memory of 2960 408 Qfkelkkd.exe 36 PID 2960 wrote to memory of 296 2960 Qiiahgjh.exe 37 PID 2960 wrote to memory of 296 2960 Qiiahgjh.exe 37 PID 2960 wrote to memory of 296 2960 Qiiahgjh.exe 37 PID 2960 wrote to memory of 296 2960 Qiiahgjh.exe 37 PID 296 wrote to memory of 1164 296 Qbafalph.exe 38 PID 296 wrote to memory of 1164 296 Qbafalph.exe 38 PID 296 wrote to memory of 1164 296 Qbafalph.exe 38 PID 296 wrote to memory of 1164 296 Qbafalph.exe 38 PID 1164 wrote to memory of 2216 1164 Afmbak32.exe 39 PID 1164 wrote to memory of 2216 1164 Afmbak32.exe 39 PID 1164 wrote to memory of 2216 1164 Afmbak32.exe 39 PID 1164 wrote to memory of 2216 1164 Afmbak32.exe 39 PID 2216 wrote to memory of 2224 2216 Aohgfm32.exe 40 PID 2216 wrote to memory of 2224 2216 Aohgfm32.exe 40 PID 2216 wrote to memory of 2224 2216 Aohgfm32.exe 40 PID 2216 wrote to memory of 2224 2216 Aohgfm32.exe 40 PID 2224 wrote to memory of 1304 2224 Abdbflnf.exe 41 PID 2224 wrote to memory of 1304 2224 Abdbflnf.exe 41 PID 2224 wrote to memory of 1304 2224 Abdbflnf.exe 41 PID 2224 wrote to memory of 1304 2224 Abdbflnf.exe 41 PID 1304 wrote to memory of 1364 1304 Aphcppmo.exe 42 PID 1304 wrote to memory of 1364 1304 Aphcppmo.exe 42 PID 1304 wrote to memory of 1364 1304 Aphcppmo.exe 42 PID 1304 wrote to memory of 1364 1304 Aphcppmo.exe 42 PID 1364 wrote to memory of 2308 1364 Aedlhg32.exe 43 PID 1364 wrote to memory of 2308 1364 Aedlhg32.exe 43 PID 1364 wrote to memory of 2308 1364 Aedlhg32.exe 43 PID 1364 wrote to memory of 2308 1364 Aedlhg32.exe 43 PID 2308 wrote to memory of 2344 2308 Aipgifcp.exe 44 PID 2308 wrote to memory of 2344 2308 Aipgifcp.exe 44 PID 2308 wrote to memory of 2344 2308 Aipgifcp.exe 44 PID 2308 wrote to memory of 2344 2308 Aipgifcp.exe 44 PID 2344 wrote to memory of 692 2344 Akadpn32.exe 45 PID 2344 wrote to memory of 692 2344 Akadpn32.exe 45 PID 2344 wrote to memory of 692 2344 Akadpn32.exe 45 PID 2344 wrote to memory of 692 2344 Akadpn32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ebfc03e219b7c0967734075bc25bb930N.exe"C:\Users\Admin\AppData\Local\Temp\ebfc03e219b7c0967734075bc25bb930N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Pdhpdq32.exeC:\Windows\system32\Pdhpdq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Qmbqcf32.exeC:\Windows\system32\Qmbqcf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:296 -
C:\Windows\SysWOW64\Afmbak32.exeC:\Windows\system32\Afmbak32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Aipgifcp.exeC:\Windows\system32\Aipgifcp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Akadpn32.exeC:\Windows\system32\Akadpn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Adjhicpo.exeC:\Windows\system32\Adjhicpo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Aanibhoh.exeC:\Windows\system32\Aanibhoh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Agkako32.exeC:\Windows\system32\Agkako32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Andjgidl.exeC:\Windows\system32\Andjgidl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Bikjmj32.exeC:\Windows\system32\Bikjmj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:812 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Bllcnega.exeC:\Windows\system32\Bllcnega.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Bphooc32.exeC:\Windows\system32\Bphooc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Bedhgj32.exeC:\Windows\system32\Bedhgj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Bomlppdb.exeC:\Windows\system32\Bomlppdb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Blqmid32.exeC:\Windows\system32\Blqmid32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ccmblnif.exeC:\Windows\system32\Ccmblnif.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Cgogealf.exeC:\Windows\system32\Cgogealf.exe37⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Cofofolh.exeC:\Windows\system32\Cofofolh.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Cnipak32.exeC:\Windows\system32\Cnipak32.exe39⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Chocodch.exeC:\Windows\system32\Chocodch.exe40⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Cqjhcfpc.exeC:\Windows\system32\Cqjhcfpc.exe41⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Cdedde32.exeC:\Windows\system32\Cdedde32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Ckomqopi.exeC:\Windows\system32\Ckomqopi.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Cjbmll32.exeC:\Windows\system32\Cjbmll32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Dfinam32.exeC:\Windows\system32\Dfinam32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Djdjalea.exeC:\Windows\system32\Djdjalea.exe46⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Dqobnf32.exeC:\Windows\system32\Dqobnf32.exe47⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe49⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Djgfgkbo.exeC:\Windows\system32\Djgfgkbo.exe50⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Docopbaf.exeC:\Windows\system32\Docopbaf.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Dmgoif32.exeC:\Windows\system32\Dmgoif32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe56⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe57⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe58⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Dinpnged.exeC:\Windows\system32\Dinpnged.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\Dkmljcdh.exeC:\Windows\system32\Dkmljcdh.exe60⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Dnkhfnck.exeC:\Windows\system32\Dnkhfnck.exe61⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Deeqch32.exeC:\Windows\system32\Deeqch32.exe63⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Epkepakn.exeC:\Windows\system32\Epkepakn.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe66⤵PID:1968
-
C:\Windows\SysWOW64\Ealahi32.exeC:\Windows\system32\Ealahi32.exe67⤵PID:1948
-
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe68⤵PID:1612
-
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe69⤵
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Enpban32.exeC:\Windows\system32\Enpban32.exe70⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Eannmi32.exeC:\Windows\system32\Eannmi32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Ehhfjcff.exeC:\Windows\system32\Ehhfjcff.exe72⤵PID:3052
-
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Emeobj32.exeC:\Windows\system32\Emeobj32.exe74⤵
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe75⤵PID:1704
-
C:\Windows\SysWOW64\Ehkcpc32.exeC:\Windows\system32\Ehkcpc32.exe76⤵PID:2392
-
C:\Windows\SysWOW64\Efmckpko.exeC:\Windows\system32\Efmckpko.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Emgkhj32.exeC:\Windows\system32\Emgkhj32.exe78⤵PID:1036
-
C:\Windows\SysWOW64\Epfhde32.exeC:\Windows\system32\Epfhde32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe80⤵
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe81⤵PID:860
-
C:\Windows\SysWOW64\Emjhmipi.exeC:\Windows\system32\Emjhmipi.exe82⤵PID:2744
-
C:\Windows\SysWOW64\Edcqjc32.exeC:\Windows\system32\Edcqjc32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Ffbmfo32.exeC:\Windows\system32\Ffbmfo32.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Fiqibj32.exeC:\Windows\system32\Fiqibj32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Floeof32.exeC:\Windows\system32\Floeof32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Fdfmpc32.exeC:\Windows\system32\Fdfmpc32.exe87⤵PID:2572
-
C:\Windows\SysWOW64\Ffdilo32.exeC:\Windows\system32\Ffdilo32.exe88⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Ficehj32.exeC:\Windows\system32\Ficehj32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2016 -
C:\Windows\SysWOW64\Fpmned32.exeC:\Windows\system32\Fpmned32.exe90⤵PID:1692
-
C:\Windows\SysWOW64\Fbkjap32.exeC:\Windows\system32\Fbkjap32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:584 -
C:\Windows\SysWOW64\Fiebnjbg.exeC:\Windows\system32\Fiebnjbg.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Flcojeak.exeC:\Windows\system32\Flcojeak.exe93⤵PID:1412
-
C:\Windows\SysWOW64\Fbngfo32.exeC:\Windows\system32\Fbngfo32.exe94⤵PID:2112
-
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe95⤵PID:1380
-
C:\Windows\SysWOW64\Flfkoeoh.exeC:\Windows\system32\Flfkoeoh.exe96⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Fkilka32.exeC:\Windows\system32\Fkilka32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe98⤵PID:2892
-
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe99⤵
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Fhmldfdm.exeC:\Windows\system32\Fhmldfdm.exe100⤵PID:2736
-
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe101⤵
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Gaeqmk32.exeC:\Windows\system32\Gaeqmk32.exe102⤵PID:2252
-
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe103⤵PID:2068
-
C:\Windows\SysWOW64\Ghoijebj.exeC:\Windows\system32\Ghoijebj.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Ggbieb32.exeC:\Windows\system32\Ggbieb32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Gagmbkik.exeC:\Windows\system32\Gagmbkik.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Gdfiofhn.exeC:\Windows\system32\Gdfiofhn.exe108⤵
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Ggdekbgb.exeC:\Windows\system32\Ggdekbgb.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Gibbgmfe.exeC:\Windows\system32\Gibbgmfe.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Gajjhkgh.exeC:\Windows\system32\Gajjhkgh.exe111⤵
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Gdhfdffl.exeC:\Windows\system32\Gdhfdffl.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe113⤵PID:2748
-
C:\Windows\SysWOW64\Ggfbpaeo.exeC:\Windows\system32\Ggfbpaeo.exe114⤵PID:1052
-
C:\Windows\SysWOW64\Glckihcg.exeC:\Windows\system32\Glckihcg.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Gdjcjf32.exeC:\Windows\system32\Gdjcjf32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe117⤵PID:572
-
C:\Windows\SysWOW64\Geloanjg.exeC:\Windows\system32\Geloanjg.exe118⤵
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe119⤵PID:2708
-
C:\Windows\SysWOW64\Gncgbkki.exeC:\Windows\system32\Gncgbkki.exe120⤵PID:1516
-
C:\Windows\SysWOW64\Goddjc32.exeC:\Windows\system32\Goddjc32.exe121⤵PID:2712
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-