Analysis
-
max time kernel
119s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
03/09/2024, 14:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5af3f61d4880f22efb29e373c2692ae0N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
5af3f61d4880f22efb29e373c2692ae0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
5af3f61d4880f22efb29e373c2692ae0N.exe
-
Size
52KB
-
MD5
5af3f61d4880f22efb29e373c2692ae0
-
SHA1
0c444c9d3daacb82c953d113c661b2b4b185e0b5
-
SHA256
b399958ba56d948c7339d232dab820a43731bd2fec549a1d5d84f636bd1b688a
-
SHA512
704789f468a22c077778b27f4cb4dd2dea722c78dd399514bf8d77b0c0f6648f7d8c751c9c8b5cef54c795f824441e779432f837e663cf17a4d2f4ef5bdae1d2
-
SSDEEP
768:zepJVo/eG8/sUe7YgBtSTJfUJa6Osf5coX/1H5F/sLO0MABvKWe:ypJu/hTfMItS180+T2MAdKZ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnkffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjbmelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhnifmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lclicpkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofkha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpcab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkephn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibejdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dklddhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoiiijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknlofim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbphk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggpdnpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filgbdfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilnomp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Accqnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojhejbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfmbibo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcogbdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnpkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobgihgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Demofaol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhdkdlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odedge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epbfmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jabdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdhgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjofdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohkpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cifelgmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbncjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgnnlle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbniid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqfaldbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenljmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aggpdnpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heikgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bckjhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dacpkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpglecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojabdlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchmkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anneqafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcpgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfncpcoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldbofgme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenkqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojabdlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accnekon.exe -
Executes dropped EXE 64 IoCs
pid Process 2516 Pdgkco32.exe 2704 Pjcckf32.exe 2824 Pdihiook.exe 2616 Pkcpei32.exe 2792 Pmdmmalf.exe 2612 Pdldnomh.exe 1760 Qjhmfekp.exe 2856 Qmgibqjc.exe 1840 Qglmpi32.exe 1104 Qinjgbpg.exe 1992 Qqdbiopj.exe 2296 Accnekon.exe 572 Aipfmane.exe 1636 Amkbnp32.exe 1604 Afdgfelo.exe 2492 Amnocpdk.exe 1648 Anolkh32.exe 1668 Affdle32.exe 1572 Aggpdnpj.exe 1044 Anahqh32.exe 2392 Aapemc32.exe 1936 Agjmim32.exe 1500 Ajhiei32.exe 1804 Aababceh.exe 556 Agljom32.exe 2876 Ajjfkh32.exe 3064 Bnfblgca.exe 2656 Bgnfdm32.exe 2732 Bnhoag32.exe 1004 Bagkmb32.exe 2424 Bgqcjlhp.exe 2864 Bjoofhgc.exe 1524 Bplhnoej.exe 1880 Bbjdjjdn.exe 2456 Bjallg32.exe 2096 Bidlgdlk.exe 264 Blchcpko.exe 584 Bcjqdmla.exe 2324 Bfhmqhkd.exe 2496 Bekmle32.exe 1320 Bmbemb32.exe 1532 Bpqain32.exe 1568 Bncaekhp.exe 1224 Bfkifhib.exe 2320 Cemjae32.exe 2184 Chlfnp32.exe 896 Cpcnonob.exe 1732 Cbajkiof.exe 2808 Cadjgf32.exe 2920 Cikbhc32.exe 2784 Chnbcpmn.exe 2180 Cjmopkla.exe 1864 Cohkpj32.exe 1968 Cbdgqimc.exe 2428 Cebcmdlg.exe 1832 Chqoipkk.exe 2008 Ckolek32.exe 2312 Cojhejbh.exe 652 Caidaeak.exe 1176 Cedpbd32.exe 2336 Chcloo32.exe 1756 Ckahkk32.exe 1548 Cmpdgf32.exe 924 Cakqgeoi.exe -
Loads dropped DLL 64 IoCs
pid Process 2092 5af3f61d4880f22efb29e373c2692ae0N.exe 2092 5af3f61d4880f22efb29e373c2692ae0N.exe 2516 Pdgkco32.exe 2516 Pdgkco32.exe 2704 Pjcckf32.exe 2704 Pjcckf32.exe 2824 Pdihiook.exe 2824 Pdihiook.exe 2616 Pkcpei32.exe 2616 Pkcpei32.exe 2792 Pmdmmalf.exe 2792 Pmdmmalf.exe 2612 Pdldnomh.exe 2612 Pdldnomh.exe 1760 Qjhmfekp.exe 1760 Qjhmfekp.exe 2856 Qmgibqjc.exe 2856 Qmgibqjc.exe 1840 Qglmpi32.exe 1840 Qglmpi32.exe 1104 Qinjgbpg.exe 1104 Qinjgbpg.exe 1992 Qqdbiopj.exe 1992 Qqdbiopj.exe 2296 Accnekon.exe 2296 Accnekon.exe 572 Aipfmane.exe 572 Aipfmane.exe 1636 Amkbnp32.exe 1636 Amkbnp32.exe 1604 Afdgfelo.exe 1604 Afdgfelo.exe 2492 Amnocpdk.exe 2492 Amnocpdk.exe 1648 Anolkh32.exe 1648 Anolkh32.exe 1668 Affdle32.exe 1668 Affdle32.exe 1572 Aggpdnpj.exe 1572 Aggpdnpj.exe 1044 Anahqh32.exe 1044 Anahqh32.exe 2392 Aapemc32.exe 2392 Aapemc32.exe 1936 Agjmim32.exe 1936 Agjmim32.exe 1500 Ajhiei32.exe 1500 Ajhiei32.exe 1804 Aababceh.exe 1804 Aababceh.exe 556 Agljom32.exe 556 Agljom32.exe 2876 Ajjfkh32.exe 2876 Ajjfkh32.exe 3064 Bnfblgca.exe 3064 Bnfblgca.exe 2656 Bgnfdm32.exe 2656 Bgnfdm32.exe 2732 Bnhoag32.exe 2732 Bnhoag32.exe 1004 Bagkmb32.exe 1004 Bagkmb32.exe 2424 Bgqcjlhp.exe 2424 Bgqcjlhp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Chnbcpmn.exe Cikbhc32.exe File created C:\Windows\SysWOW64\Pbjdnlob.dll Jaoqqflp.exe File created C:\Windows\SysWOW64\Lhnkffeo.exe Ldbofgme.exe File created C:\Windows\SysWOW64\Dmdnbecj.exe Dmdnbecj.exe File created C:\Windows\SysWOW64\Qmkfmdne.dll Gildahhp.exe File created C:\Windows\SysWOW64\Hlccdboi.exe Hdlkcdog.exe File created C:\Windows\SysWOW64\Akgddhmc.dll Hkiicmdh.exe File created C:\Windows\SysWOW64\Jhebgh32.dll Khghgchk.exe File created C:\Windows\SysWOW64\Gkcapaif.dll Epecbd32.exe File created C:\Windows\SysWOW64\Ielclkhe.exe Ibmgpoia.exe File created C:\Windows\SysWOW64\Mkaghg32.exe Micklk32.exe File created C:\Windows\SysWOW64\Pniqhlqh.dll Peedka32.exe File opened for modification C:\Windows\SysWOW64\Gonocmbi.exe Ghdgfbkl.exe File created C:\Windows\SysWOW64\Ippbdn32.dll Nplimbka.exe File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe Nncbdomg.exe File opened for modification C:\Windows\SysWOW64\Oaghki32.exe Oippjl32.exe File opened for modification C:\Windows\SysWOW64\Phcilf32.exe Pdgmlhha.exe File created C:\Windows\SysWOW64\Lcdfnehp.exe Lohjnf32.exe File created C:\Windows\SysWOW64\Lcjlnpmo.exe Lonpma32.exe File created C:\Windows\SysWOW64\Ciffggmh.dll Mggabaea.exe File created C:\Windows\SysWOW64\Ohiffh32.exe Oiffkkbk.exe File opened for modification C:\Windows\SysWOW64\Qlgkki32.exe Qiioon32.exe File created C:\Windows\SysWOW64\Maanne32.dll Ajpepm32.exe File created C:\Windows\SysWOW64\Bmpkqklh.exe Bieopm32.exe File created C:\Windows\SysWOW64\Qqdbiopj.exe Qinjgbpg.exe File created C:\Windows\SysWOW64\Opakbgif.dll Chlfnp32.exe File created C:\Windows\SysWOW64\Fjdnlhco.exe Ffibkj32.exe File created C:\Windows\SysWOW64\Jkpbdq32.exe Jgdfdbhk.exe File opened for modification C:\Windows\SysWOW64\Epbfmd32.exe Eoajel32.exe File created C:\Windows\SysWOW64\Ehjona32.exe Epbfmd32.exe File created C:\Windows\SysWOW64\Iigpli32.exe Ielclkhe.exe File created C:\Windows\SysWOW64\Kpcqnf32.exe Khlili32.exe File opened for modification C:\Windows\SysWOW64\Gdhkfd32.exe Gbjojh32.exe File opened for modification C:\Windows\SysWOW64\Gblkoham.exe Gonocmbi.exe File created C:\Windows\SysWOW64\Ggicgopd.exe Gdkgkcpq.exe File opened for modification C:\Windows\SysWOW64\Lfmbek32.exe Lcofio32.exe File created C:\Windows\SysWOW64\Lqcmmjko.exe Lmgalkcf.exe File created C:\Windows\SysWOW64\Lgmeid32.exe Lqcmmjko.exe File created C:\Windows\SysWOW64\Jdodbpja.dll Mihdgkpp.exe File opened for modification C:\Windows\SysWOW64\Ddpobo32.exe Demofaol.exe File created C:\Windows\SysWOW64\Kaompi32.exe Koaqcn32.exe File opened for modification C:\Windows\SysWOW64\Bigkel32.exe Bfioia32.exe File opened for modification C:\Windows\SysWOW64\Clojhf32.exe Cgcnghpl.exe File created C:\Windows\SysWOW64\Iplnnd32.exe Imnbbi32.exe File created C:\Windows\SysWOW64\Ljcmklhm.dll Phhjblpa.exe File opened for modification C:\Windows\SysWOW64\Aknlofim.exe Acfdnihk.exe File created C:\Windows\SysWOW64\Jncfhkjh.dll Fcbecl32.exe File created C:\Windows\SysWOW64\Cfibop32.dll Pdeqfhjd.exe File created C:\Windows\SysWOW64\Fjbafi32.exe Fgcejm32.exe File created C:\Windows\SysWOW64\Gqiimfam.exe Gnkmqkbi.exe File opened for modification C:\Windows\SysWOW64\Aobnniji.exe Aqonbm32.exe File opened for modification C:\Windows\SysWOW64\Idkpganf.exe Ippdgc32.exe File created C:\Windows\SysWOW64\Kaajei32.exe Kocmim32.exe File created C:\Windows\SysWOW64\Jendoajo.dll Afffenbp.exe File created C:\Windows\SysWOW64\Nbhbjgmd.dll Ajhiei32.exe File created C:\Windows\SysWOW64\Ipcibkff.dll Eoompl32.exe File opened for modification C:\Windows\SysWOW64\Bammlq32.exe Bbjmpcab.exe File created C:\Windows\SysWOW64\Cbfhib32.dll Qglmpi32.exe File opened for modification C:\Windows\SysWOW64\Adcdbl32.exe Aqhhanig.exe File created C:\Windows\SysWOW64\Dfigpahm.dll Dmhdkdlg.exe File opened for modification C:\Windows\SysWOW64\Dhpemm32.exe Dphmloih.exe File created C:\Windows\SysWOW64\Bchfhfeh.exe Bqijljfd.exe File created C:\Windows\SysWOW64\Nqnpei32.dll Ibkkjp32.exe File created C:\Windows\SysWOW64\Lkfddc32.exe Lgkhdddo.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8784 8480 WerFault.exe 951 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpegcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfjnpgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigpli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbeofpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoepnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimoloog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jialfgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafdjmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhnifmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elajgpmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaghki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oococb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklddhka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhgpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcnojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooabmbbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeielfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgalkcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkephn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpglecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eheecbia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkfmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khielcfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bekmle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobnniji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgabdlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajcdjca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paknelgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdiondb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbhmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbniid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmfchei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfkfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcofio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhonngce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdhif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfdhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcoce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eniclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhgip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbhlkkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqnkafa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbeded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aababceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfebambf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpeeqig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanefo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chlfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olebgfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anolkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipokcdjn.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckahkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmljgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjpmh32.dll" Obdojcef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pomhcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pepcelel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlccdboi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooabmbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmbfggdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcfig32.dll" Phcpgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacjhob.dll" Lpnmgdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nplimbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekohgi32.dll" Kcgphp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iibfajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpife32.dll" Kfebambf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpamde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niedqnen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmepgp32.dll" Hpphhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnpkl32.dll" Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbbpenco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll" Ccmpce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdnbdld.dll" Mgmahg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioiepeog.dll" Mjkndb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdmnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkecij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omnipjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boidnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bammlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimgeigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccmpce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnipkkdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfhnjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgkleabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epnhci32.dll" Ldjpbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmcchlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dklddhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqlicclo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jepmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niplmn32.dll" Maefamlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idicbbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biliep32.dll" Danmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhadf32.dll" Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epbpbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll" Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmlem32.dll" Lldmleam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnfblgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihniaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oemgplgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlfmbibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngndfk32.dll" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcfbdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljomn32.dll" Gcgnnlle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jojkco32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2516 2092 5af3f61d4880f22efb29e373c2692ae0N.exe 30 PID 2092 wrote to memory of 2516 2092 5af3f61d4880f22efb29e373c2692ae0N.exe 30 PID 2092 wrote to memory of 2516 2092 5af3f61d4880f22efb29e373c2692ae0N.exe 30 PID 2092 wrote to memory of 2516 2092 5af3f61d4880f22efb29e373c2692ae0N.exe 30 PID 2516 wrote to memory of 2704 2516 Pdgkco32.exe 31 PID 2516 wrote to memory of 2704 2516 Pdgkco32.exe 31 PID 2516 wrote to memory of 2704 2516 Pdgkco32.exe 31 PID 2516 wrote to memory of 2704 2516 Pdgkco32.exe 31 PID 2704 wrote to memory of 2824 2704 Pjcckf32.exe 32 PID 2704 wrote to memory of 2824 2704 Pjcckf32.exe 32 PID 2704 wrote to memory of 2824 2704 Pjcckf32.exe 32 PID 2704 wrote to memory of 2824 2704 Pjcckf32.exe 32 PID 2824 wrote to memory of 2616 2824 Pdihiook.exe 33 PID 2824 wrote to memory of 2616 2824 Pdihiook.exe 33 PID 2824 wrote to memory of 2616 2824 Pdihiook.exe 33 PID 2824 wrote to memory of 2616 2824 Pdihiook.exe 33 PID 2616 wrote to memory of 2792 2616 Pkcpei32.exe 34 PID 2616 wrote to memory of 2792 2616 Pkcpei32.exe 34 PID 2616 wrote to memory of 2792 2616 Pkcpei32.exe 34 PID 2616 wrote to memory of 2792 2616 Pkcpei32.exe 34 PID 2792 wrote to memory of 2612 2792 Pmdmmalf.exe 35 PID 2792 wrote to memory of 2612 2792 Pmdmmalf.exe 35 PID 2792 wrote to memory of 2612 2792 Pmdmmalf.exe 35 PID 2792 wrote to memory of 2612 2792 Pmdmmalf.exe 35 PID 2612 wrote to memory of 1760 2612 Pdldnomh.exe 36 PID 2612 wrote to memory of 1760 2612 Pdldnomh.exe 36 PID 2612 wrote to memory of 1760 2612 Pdldnomh.exe 36 PID 2612 wrote to memory of 1760 2612 Pdldnomh.exe 36 PID 1760 wrote to memory of 2856 1760 Qjhmfekp.exe 37 PID 1760 wrote to memory of 2856 1760 Qjhmfekp.exe 37 PID 1760 wrote to memory of 2856 1760 Qjhmfekp.exe 37 PID 1760 wrote to memory of 2856 1760 Qjhmfekp.exe 37 PID 2856 wrote to memory of 1840 2856 Qmgibqjc.exe 38 PID 2856 wrote to memory of 1840 2856 Qmgibqjc.exe 38 PID 2856 wrote to memory of 1840 2856 Qmgibqjc.exe 38 PID 2856 wrote to memory of 1840 2856 Qmgibqjc.exe 38 PID 1840 wrote to memory of 1104 1840 Qglmpi32.exe 39 PID 1840 wrote to memory of 1104 1840 Qglmpi32.exe 39 PID 1840 wrote to memory of 1104 1840 Qglmpi32.exe 39 PID 1840 wrote to memory of 1104 1840 Qglmpi32.exe 39 PID 1104 wrote to memory of 1992 1104 Qinjgbpg.exe 40 PID 1104 wrote to memory of 1992 1104 Qinjgbpg.exe 40 PID 1104 wrote to memory of 1992 1104 Qinjgbpg.exe 40 PID 1104 wrote to memory of 1992 1104 Qinjgbpg.exe 40 PID 1992 wrote to memory of 2296 1992 Qqdbiopj.exe 41 PID 1992 wrote to memory of 2296 1992 Qqdbiopj.exe 41 PID 1992 wrote to memory of 2296 1992 Qqdbiopj.exe 41 PID 1992 wrote to memory of 2296 1992 Qqdbiopj.exe 41 PID 2296 wrote to memory of 572 2296 Accnekon.exe 42 PID 2296 wrote to memory of 572 2296 Accnekon.exe 42 PID 2296 wrote to memory of 572 2296 Accnekon.exe 42 PID 2296 wrote to memory of 572 2296 Accnekon.exe 42 PID 572 wrote to memory of 1636 572 Aipfmane.exe 43 PID 572 wrote to memory of 1636 572 Aipfmane.exe 43 PID 572 wrote to memory of 1636 572 Aipfmane.exe 43 PID 572 wrote to memory of 1636 572 Aipfmane.exe 43 PID 1636 wrote to memory of 1604 1636 Amkbnp32.exe 44 PID 1636 wrote to memory of 1604 1636 Amkbnp32.exe 44 PID 1636 wrote to memory of 1604 1636 Amkbnp32.exe 44 PID 1636 wrote to memory of 1604 1636 Amkbnp32.exe 44 PID 1604 wrote to memory of 2492 1604 Afdgfelo.exe 45 PID 1604 wrote to memory of 2492 1604 Afdgfelo.exe 45 PID 1604 wrote to memory of 2492 1604 Afdgfelo.exe 45 PID 1604 wrote to memory of 2492 1604 Afdgfelo.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5af3f61d4880f22efb29e373c2692ae0N.exe"C:\Users\Admin\AppData\Local\Temp\5af3f61d4880f22efb29e373c2692ae0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1804 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe33⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe34⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe35⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe36⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe37⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe38⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe39⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe40⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe43⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe44⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe45⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe46⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe48⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe49⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe50⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe52⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe53⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe55⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe56⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe57⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe58⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe60⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe61⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe62⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe64⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe65⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe66⤵PID:1260
-
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe67⤵PID:2996
-
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe68⤵PID:2044
-
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe70⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe71⤵PID:2724
-
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe72⤵PID:2684
-
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe73⤵PID:1812
-
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe74⤵PID:2040
-
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe75⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe76⤵PID:1036
-
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe77⤵PID:1772
-
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe78⤵PID:1640
-
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe79⤵PID:1704
-
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe80⤵PID:448
-
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe81⤵PID:1972
-
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe82⤵PID:1680
-
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe83⤵
- System Location Discovery: System Language Discovery
PID:576 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe84⤵PID:2060
-
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe85⤵PID:1820
-
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe86⤵PID:2020
-
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe87⤵PID:1564
-
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe88⤵PID:2188
-
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe89⤵PID:3048
-
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe90⤵PID:2944
-
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe91⤵PID:1268
-
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe92⤵
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe93⤵PID:792
-
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe94⤵PID:2972
-
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:408 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe96⤵PID:272
-
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe97⤵
- System Location Discovery: System Language Discovery
PID:680 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe98⤵PID:1384
-
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe99⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe100⤵PID:2012
-
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe101⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe102⤵PID:2608
-
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe103⤵PID:1056
-
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe104⤵
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe106⤵PID:2796
-
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe107⤵PID:2036
-
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe108⤵PID:716
-
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe109⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe110⤵PID:568
-
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe111⤵PID:1740
-
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe112⤵PID:1688
-
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe114⤵PID:2776
-
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe115⤵PID:1140
-
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe116⤵PID:1164
-
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe117⤵PID:536
-
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe118⤵PID:780
-
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe119⤵PID:1096
-
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe120⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe121⤵PID:2028
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-