Analysis
-
max time kernel
117s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/09/2024, 21:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
34beeaddd2532a8d6e4b5150455dee30N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
34beeaddd2532a8d6e4b5150455dee30N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
34beeaddd2532a8d6e4b5150455dee30N.exe
-
Size
96KB
-
MD5
34beeaddd2532a8d6e4b5150455dee30
-
SHA1
85b8b4d430abd1bff99b41575b302c18a47ff5ed
-
SHA256
59ccb1c670b06b0a89356dd4d2ab27d4a49f6a798ebb16ddc1d7ca19db287393
-
SHA512
9b2758cabd9f5a58eb44180268bf04a892870836b4cb715fd2644230c0074fd0da346677c1c243f8389664b0a4282331bda6c5ae42a9e40f3ab07ad8018d5a46
-
SSDEEP
1536:ebJhNNL6gWPef4SSSuCx4qP2L67RZObZUUWaegPYA:4F4SSSuCx/U6ClUUWae
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmcni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpedghl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iflhjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmlpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcljlea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmhjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lakqoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iecohl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agilkijf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glongpao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emieflec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljolodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofefqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aenileon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpagbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chickknc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldlghhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggcnbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kleeqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjmkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njipabhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlabjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofefqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kikpgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkngbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcbedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iglkoaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkconepp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbodpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnpedghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfkdik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Looahi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieelnkpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdakoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqlbnnej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkekfkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jekaeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcimop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbccklmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boainhic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkdik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbpfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgkhoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dibjcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqgngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmiea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjkdoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpkfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epakcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingmoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpblne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmklico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peakkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpmeojbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afeold32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgomoboc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognobcqo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhjcing.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfnnpbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cincaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djfooa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfdpaqej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Falakjag.exe -
Executes dropped EXE 64 IoCs
pid Process 1980 Cedbmi32.exe 2756 Dibjcg32.exe 2996 Didgig32.exe 2768 Dhjdjc32.exe 2848 Dabicikf.exe 2084 Dofilm32.exe 1928 Ddcadd32.exe 1676 Egdjfo32.exe 1836 Ecjkkp32.exe 2016 Eigpmjqg.exe 2620 Ecodfogg.exe 2356 Fadagl32.exe 1052 Fdekigip.exe 2288 Fgfckbfa.exe 2348 Fakhhk32.exe 2324 Fcoaebjc.exe 696 Gjiibm32.exe 436 Gofajcog.exe 2608 Gohnpcmd.exe 1476 Gojkecka.exe 1592 Gkaljdaf.exe 956 Gielchpp.exe 2088 Hbnqln32.exe 1080 Hqbnnj32.exe 1092 Hjkbfpah.exe 2108 Haggijgb.exe 1616 Hfdpaqej.exe 3064 Ilceog32.exe 2904 Ifiilp32.exe 2080 Ipcjje32.exe 2924 Ihooog32.exe 2704 Iecohl32.exe 656 Ieelnkpd.exe 2452 Jalmcl32.exe 2140 Jbpfpd32.exe 1988 Jlhjijpe.exe 1412 Jilkbn32.exe 2956 Jpfcohfk.exe 1368 Kphpdhdh.exe 2156 Kegebn32.exe 2072 Kdakoj32.exe 2060 Ljndga32.exe 1944 Llomhllh.exe 2528 Lpmeojbo.exe 1756 Ljejgp32.exe 1844 Lobbpg32.exe 792 Lkhcdhmk.exe 1352 Mfngbq32.exe 2304 Mgodjico.exe 1428 Mbehgabe.exe 2252 Mhopcl32.exe 1560 Mjpmkdpp.exe 2884 Mdeaim32.exe 2784 Mqlbnnej.exe 2332 Mjeffc32.exe 2668 Mmcbbo32.exe 2724 Mgigpgkd.exe 2476 Nijcgp32.exe 1660 Ncpgeh32.exe 1744 Njipabhe.exe 1752 Npfhjifm.exe 2844 Niombolm.exe 2500 Nnkekfkd.exe 1044 Nloedjin.exe -
Loads dropped DLL 64 IoCs
pid Process 3056 34beeaddd2532a8d6e4b5150455dee30N.exe 3056 34beeaddd2532a8d6e4b5150455dee30N.exe 1980 Cedbmi32.exe 1980 Cedbmi32.exe 2756 Dibjcg32.exe 2756 Dibjcg32.exe 2996 Didgig32.exe 2996 Didgig32.exe 2768 Dhjdjc32.exe 2768 Dhjdjc32.exe 2848 Dabicikf.exe 2848 Dabicikf.exe 2084 Dofilm32.exe 2084 Dofilm32.exe 1928 Ddcadd32.exe 1928 Ddcadd32.exe 1676 Egdjfo32.exe 1676 Egdjfo32.exe 1836 Ecjkkp32.exe 1836 Ecjkkp32.exe 2016 Eigpmjqg.exe 2016 Eigpmjqg.exe 2620 Ecodfogg.exe 2620 Ecodfogg.exe 2356 Fadagl32.exe 2356 Fadagl32.exe 1052 Fdekigip.exe 1052 Fdekigip.exe 2288 Fgfckbfa.exe 2288 Fgfckbfa.exe 2348 Fakhhk32.exe 2348 Fakhhk32.exe 2324 Fcoaebjc.exe 2324 Fcoaebjc.exe 696 Gjiibm32.exe 696 Gjiibm32.exe 436 Gofajcog.exe 436 Gofajcog.exe 2608 Gohnpcmd.exe 2608 Gohnpcmd.exe 1476 Gojkecka.exe 1476 Gojkecka.exe 1592 Gkaljdaf.exe 1592 Gkaljdaf.exe 956 Gielchpp.exe 956 Gielchpp.exe 2088 Hbnqln32.exe 2088 Hbnqln32.exe 1080 Hqbnnj32.exe 1080 Hqbnnj32.exe 1092 Hjkbfpah.exe 1092 Hjkbfpah.exe 2108 Haggijgb.exe 2108 Haggijgb.exe 1616 Hfdpaqej.exe 1616 Hfdpaqej.exe 3064 Ilceog32.exe 3064 Ilceog32.exe 2904 Ifiilp32.exe 2904 Ifiilp32.exe 2080 Ipcjje32.exe 2080 Ipcjje32.exe 2924 Ihooog32.exe 2924 Ihooog32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ahgdbk32.exe Qbkljd32.exe File created C:\Windows\SysWOW64\Dkolblkk.exe Cccgni32.exe File created C:\Windows\SysWOW64\Enqgpadi.dll Figoefkf.exe File opened for modification C:\Windows\SysWOW64\Jmcpqfba.exe Jgfghodj.exe File opened for modification C:\Windows\SysWOW64\Qibhao32.exe Qomcdf32.exe File opened for modification C:\Windows\SysWOW64\Jjhgdqef.exe Jekoljgo.exe File created C:\Windows\SysWOW64\Lkccob32.exe Ldikbhfh.exe File created C:\Windows\SysWOW64\Lbgkhoml.exe Linfpi32.exe File created C:\Windows\SysWOW64\Appfggjm.exe Qfganb32.exe File created C:\Windows\SysWOW64\Phklcn32.exe Pobgjhgh.exe File opened for modification C:\Windows\SysWOW64\Pahjgb32.exe Pgbejj32.exe File created C:\Windows\SysWOW64\Cfjdfg32.exe Ccileljk.exe File opened for modification C:\Windows\SysWOW64\Pembpkfi.exe Pfgeoo32.exe File created C:\Windows\SysWOW64\Ffccjk32.dll Kiifjd32.exe File created C:\Windows\SysWOW64\Ljejgp32.exe Lpmeojbo.exe File opened for modification C:\Windows\SysWOW64\Bbolge32.exe Bhfhnofg.exe File opened for modification C:\Windows\SysWOW64\Kfcadq32.exe Jafilj32.exe File created C:\Windows\SysWOW64\Icbjjdmb.dll Gmhmdc32.exe File opened for modification C:\Windows\SysWOW64\Ibmhjc32.exe Ibklddof.exe File opened for modification C:\Windows\SysWOW64\Ljejgp32.exe Lpmeojbo.exe File created C:\Windows\SysWOW64\Nbpoboge.dll Qggoeilh.exe File created C:\Windows\SysWOW64\Ficilgai.exe Falakjag.exe File created C:\Windows\SysWOW64\Epjlaj32.dll Emieflec.exe File opened for modification C:\Windows\SysWOW64\Omjeba32.exe Opfdim32.exe File opened for modification C:\Windows\SysWOW64\Jbgbjh32.exe Ibeeeijg.exe File opened for modification C:\Windows\SysWOW64\Jgfghodj.exe Jjbgok32.exe File created C:\Windows\SysWOW64\Ihooog32.exe Ipcjje32.exe File created C:\Windows\SysWOW64\Hgbhibio.exe Hbepplkh.exe File created C:\Windows\SysWOW64\Qibhao32.exe Qomcdf32.exe File created C:\Windows\SysWOW64\Ickoimie.exe Ifgooikk.exe File created C:\Windows\SysWOW64\Jmcpqfba.exe Jgfghodj.exe File opened for modification C:\Windows\SysWOW64\Hbnqln32.exe Gielchpp.exe File created C:\Windows\SysWOW64\Jngdfa32.dll Ebhjdc32.exe File opened for modification C:\Windows\SysWOW64\Hbepplkh.exe Hdapggln.exe File created C:\Windows\SysWOW64\Hnkbglmp.dll Kfenjq32.exe File created C:\Windows\SysWOW64\Iflhjh32.exe Ikfdmogp.exe File opened for modification C:\Windows\SysWOW64\Mfngbq32.exe Lkhcdhmk.exe File created C:\Windows\SysWOW64\Hbccklmj.exe Hmfkbeoc.exe File created C:\Windows\SysWOW64\Idkkjpdd.dll Bfkakbpp.exe File created C:\Windows\SysWOW64\Ajkmmb32.dll Dkolblkk.exe File created C:\Windows\SysWOW64\Kkmenq32.dll Bdmklico.exe File created C:\Windows\SysWOW64\Dddmkkpb.exe Djoinbpm.exe File created C:\Windows\SysWOW64\Lihkjgpf.dll Jiiikq32.exe File opened for modification C:\Windows\SysWOW64\Kfccmini.exe Kmkodd32.exe File created C:\Windows\SysWOW64\Apapcnaf.exe Agilkijf.exe File created C:\Windows\SysWOW64\Ibeeeijg.exe Ingmoj32.exe File created C:\Windows\SysWOW64\Mjcljlea.exe Mhaobd32.exe File created C:\Windows\SysWOW64\Aifiogon.dll Akejdp32.exe File opened for modification C:\Windows\SysWOW64\Dghjmlnm.exe Dnpedghl.exe File created C:\Windows\SysWOW64\Anbicp32.dll Jmhpfl32.exe File created C:\Windows\SysWOW64\Eagenl32.dll Kmkodd32.exe File created C:\Windows\SysWOW64\Kbmahjbk.exe Kffpcilf.exe File created C:\Windows\SysWOW64\Dldldj32.dll Lakqoe32.exe File created C:\Windows\SysWOW64\Aoijjjcl.exe Ajlabc32.exe File created C:\Windows\SysWOW64\Bdknfiea.exe Blpibghg.exe File opened for modification C:\Windows\SysWOW64\Jepjpajn.exe Jjjfbikh.exe File created C:\Windows\SysWOW64\Gklkdn32.exe Gacgli32.exe File created C:\Windows\SysWOW64\Bcbedm32.exe Bjjakg32.exe File opened for modification C:\Windows\SysWOW64\Ahlnmjkf.exe Aodjdede.exe File created C:\Windows\SysWOW64\Ilaikehi.dll Nncaejie.exe File created C:\Windows\SysWOW64\Nkekebio.dll Gojkecka.exe File opened for modification C:\Windows\SysWOW64\Falakjag.exe Fpkdca32.exe File created C:\Windows\SysWOW64\Kplfmfmf.exe Kfcadq32.exe File created C:\Windows\SysWOW64\Jnkpaedi.dll Bkhjcing.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4188 4156 WerFault.exe 457 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gielchpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqbhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chickknc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fadmenpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibmhjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clpeajjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdnffpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpagbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkdoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnekcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbedm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmlmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkdca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnafop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjpmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhkngcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cincaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lophcpam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qajiek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebmjihqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingmoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffeoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijcgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpmhgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkjeod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khfcgbge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjqdjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkbfpah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoijjjcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alncgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmlpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaljdaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecohl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liibigjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipimic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnmfpnqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qomcdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 34beeaddd2532a8d6e4b5150455dee30N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fldbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibbqmhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elaego32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiifjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldooi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdapggln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjikk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pembpkfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enagnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cedbmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjakg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckamihfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noighakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqknqleg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idnako32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljndga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajlabc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobcok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcbib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jalmcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emceag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmdql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akmgoehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfgeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foidii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbgok32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfjkcad.dll" Lkahbkgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccpbpn32.dll" Lophcpam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kleeqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjijo32.dll" Kaaeegkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djoinbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnnbm32.dll" Peolmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqjfgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfbljdjk.dll" Adnegldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkopgd32.dll" Cjifpdib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfbgen32.dll" Giikkehc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cblniaii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emieflec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfnknmgo.dll" Mkhocj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcoaebjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgjpcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahlnmjkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkhjcing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdekjmob.dll" Peakkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiopjgdl.dll" Gifhkpgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apapcnaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipecndab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgglmgeb.dll" Bcdbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckamihfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnpedghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajkain32.dll" Macnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjcljlea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpbecig.dll" Cnekcblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihooog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabdbh32.dll" Odmgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgnpmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbgbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqmkflcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llomhllh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phklcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabfoqib.dll" Cccgni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eenckc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emoghm32.dll" Hjkdoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onehadbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbccklmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgodjico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifloeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogalfbhd.dll" Gielchpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ingmoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigmoadp.dll" Eeicenni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpkckneh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppmkilbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjqglf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiifjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckgmon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jelbdp32.dll" Meafpibb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peolmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Licpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emilqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgfghodj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mahgejhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdgkkppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glhbolin.dll" Jpfcohfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdgab32.dll" Lhpmhgbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljndga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpkfa32.dll" Linfpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfknjfbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljejgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmgeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmjfae32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3056 wrote to memory of 1980 3056 34beeaddd2532a8d6e4b5150455dee30N.exe 29 PID 3056 wrote to memory of 1980 3056 34beeaddd2532a8d6e4b5150455dee30N.exe 29 PID 3056 wrote to memory of 1980 3056 34beeaddd2532a8d6e4b5150455dee30N.exe 29 PID 3056 wrote to memory of 1980 3056 34beeaddd2532a8d6e4b5150455dee30N.exe 29 PID 1980 wrote to memory of 2756 1980 Cedbmi32.exe 30 PID 1980 wrote to memory of 2756 1980 Cedbmi32.exe 30 PID 1980 wrote to memory of 2756 1980 Cedbmi32.exe 30 PID 1980 wrote to memory of 2756 1980 Cedbmi32.exe 30 PID 2756 wrote to memory of 2996 2756 Dibjcg32.exe 31 PID 2756 wrote to memory of 2996 2756 Dibjcg32.exe 31 PID 2756 wrote to memory of 2996 2756 Dibjcg32.exe 31 PID 2756 wrote to memory of 2996 2756 Dibjcg32.exe 31 PID 2996 wrote to memory of 2768 2996 Didgig32.exe 32 PID 2996 wrote to memory of 2768 2996 Didgig32.exe 32 PID 2996 wrote to memory of 2768 2996 Didgig32.exe 32 PID 2996 wrote to memory of 2768 2996 Didgig32.exe 32 PID 2768 wrote to memory of 2848 2768 Dhjdjc32.exe 33 PID 2768 wrote to memory of 2848 2768 Dhjdjc32.exe 33 PID 2768 wrote to memory of 2848 2768 Dhjdjc32.exe 33 PID 2768 wrote to memory of 2848 2768 Dhjdjc32.exe 33 PID 2848 wrote to memory of 2084 2848 Dabicikf.exe 34 PID 2848 wrote to memory of 2084 2848 Dabicikf.exe 34 PID 2848 wrote to memory of 2084 2848 Dabicikf.exe 34 PID 2848 wrote to memory of 2084 2848 Dabicikf.exe 34 PID 2084 wrote to memory of 1928 2084 Dofilm32.exe 35 PID 2084 wrote to memory of 1928 2084 Dofilm32.exe 35 PID 2084 wrote to memory of 1928 2084 Dofilm32.exe 35 PID 2084 wrote to memory of 1928 2084 Dofilm32.exe 35 PID 1928 wrote to memory of 1676 1928 Ddcadd32.exe 36 PID 1928 wrote to memory of 1676 1928 Ddcadd32.exe 36 PID 1928 wrote to memory of 1676 1928 Ddcadd32.exe 36 PID 1928 wrote to memory of 1676 1928 Ddcadd32.exe 36 PID 1676 wrote to memory of 1836 1676 Egdjfo32.exe 37 PID 1676 wrote to memory of 1836 1676 Egdjfo32.exe 37 PID 1676 wrote to memory of 1836 1676 Egdjfo32.exe 37 PID 1676 wrote to memory of 1836 1676 Egdjfo32.exe 37 PID 1836 wrote to memory of 2016 1836 Ecjkkp32.exe 38 PID 1836 wrote to memory of 2016 1836 Ecjkkp32.exe 38 PID 1836 wrote to memory of 2016 1836 Ecjkkp32.exe 38 PID 1836 wrote to memory of 2016 1836 Ecjkkp32.exe 38 PID 2016 wrote to memory of 2620 2016 Eigpmjqg.exe 39 PID 2016 wrote to memory of 2620 2016 Eigpmjqg.exe 39 PID 2016 wrote to memory of 2620 2016 Eigpmjqg.exe 39 PID 2016 wrote to memory of 2620 2016 Eigpmjqg.exe 39 PID 2620 wrote to memory of 2356 2620 Ecodfogg.exe 40 PID 2620 wrote to memory of 2356 2620 Ecodfogg.exe 40 PID 2620 wrote to memory of 2356 2620 Ecodfogg.exe 40 PID 2620 wrote to memory of 2356 2620 Ecodfogg.exe 40 PID 2356 wrote to memory of 1052 2356 Fadagl32.exe 41 PID 2356 wrote to memory of 1052 2356 Fadagl32.exe 41 PID 2356 wrote to memory of 1052 2356 Fadagl32.exe 41 PID 2356 wrote to memory of 1052 2356 Fadagl32.exe 41 PID 1052 wrote to memory of 2288 1052 Fdekigip.exe 42 PID 1052 wrote to memory of 2288 1052 Fdekigip.exe 42 PID 1052 wrote to memory of 2288 1052 Fdekigip.exe 42 PID 1052 wrote to memory of 2288 1052 Fdekigip.exe 42 PID 2288 wrote to memory of 2348 2288 Fgfckbfa.exe 43 PID 2288 wrote to memory of 2348 2288 Fgfckbfa.exe 43 PID 2288 wrote to memory of 2348 2288 Fgfckbfa.exe 43 PID 2288 wrote to memory of 2348 2288 Fgfckbfa.exe 43 PID 2348 wrote to memory of 2324 2348 Fakhhk32.exe 44 PID 2348 wrote to memory of 2324 2348 Fakhhk32.exe 44 PID 2348 wrote to memory of 2324 2348 Fakhhk32.exe 44 PID 2348 wrote to memory of 2324 2348 Fakhhk32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\34beeaddd2532a8d6e4b5150455dee30N.exe"C:\Users\Admin\AppData\Local\Temp\34beeaddd2532a8d6e4b5150455dee30N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Cedbmi32.exeC:\Windows\system32\Cedbmi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Dibjcg32.exeC:\Windows\system32\Dibjcg32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Didgig32.exeC:\Windows\system32\Didgig32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Dhjdjc32.exeC:\Windows\system32\Dhjdjc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Dabicikf.exeC:\Windows\system32\Dabicikf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Dofilm32.exeC:\Windows\system32\Dofilm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Ddcadd32.exeC:\Windows\system32\Ddcadd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Egdjfo32.exeC:\Windows\system32\Egdjfo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Ecjkkp32.exeC:\Windows\system32\Ecjkkp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Eigpmjqg.exeC:\Windows\system32\Eigpmjqg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Ecodfogg.exeC:\Windows\system32\Ecodfogg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Fadagl32.exeC:\Windows\system32\Fadagl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Fgfckbfa.exeC:\Windows\system32\Fgfckbfa.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Fcoaebjc.exeC:\Windows\system32\Fcoaebjc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Gjiibm32.exeC:\Windows\system32\Gjiibm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:696 -
C:\Windows\SysWOW64\Gofajcog.exeC:\Windows\system32\Gofajcog.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:436 -
C:\Windows\SysWOW64\Gohnpcmd.exeC:\Windows\system32\Gohnpcmd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Gojkecka.exeC:\Windows\system32\Gojkecka.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Gkaljdaf.exeC:\Windows\system32\Gkaljdaf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Gielchpp.exeC:\Windows\system32\Gielchpp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Hbnqln32.exeC:\Windows\system32\Hbnqln32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Hqbnnj32.exeC:\Windows\system32\Hqbnnj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Windows\SysWOW64\Hjkbfpah.exeC:\Windows\system32\Hjkbfpah.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Windows\SysWOW64\Haggijgb.exeC:\Windows\system32\Haggijgb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Hfdpaqej.exeC:\Windows\system32\Hfdpaqej.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Ilceog32.exeC:\Windows\system32\Ilceog32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Ifiilp32.exeC:\Windows\system32\Ifiilp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Ipcjje32.exeC:\Windows\system32\Ipcjje32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Ihooog32.exeC:\Windows\system32\Ihooog32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Ieelnkpd.exeC:\Windows\system32\Ieelnkpd.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Jalmcl32.exeC:\Windows\system32\Jalmcl32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Jbpfpd32.exeC:\Windows\system32\Jbpfpd32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe37⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Jilkbn32.exeC:\Windows\system32\Jilkbn32.exe38⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Jpfcohfk.exeC:\Windows\system32\Jpfcohfk.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Kphpdhdh.exeC:\Windows\system32\Kphpdhdh.exe40⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Kegebn32.exeC:\Windows\system32\Kegebn32.exe41⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Kdakoj32.exeC:\Windows\system32\Kdakoj32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Ljndga32.exeC:\Windows\system32\Ljndga32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Llomhllh.exeC:\Windows\system32\Llomhllh.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Lpmeojbo.exeC:\Windows\system32\Lpmeojbo.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Ljejgp32.exeC:\Windows\system32\Ljejgp32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Lobbpg32.exeC:\Windows\system32\Lobbpg32.exe47⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Lkhcdhmk.exeC:\Windows\system32\Lkhcdhmk.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Mfngbq32.exeC:\Windows\system32\Mfngbq32.exe49⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Mgodjico.exeC:\Windows\system32\Mgodjico.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe51⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Mhopcl32.exeC:\Windows\system32\Mhopcl32.exe52⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Mjpmkdpp.exeC:\Windows\system32\Mjpmkdpp.exe53⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Mdeaim32.exeC:\Windows\system32\Mdeaim32.exe54⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Mqlbnnej.exeC:\Windows\system32\Mqlbnnej.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Mjeffc32.exeC:\Windows\system32\Mjeffc32.exe56⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Mmcbbo32.exeC:\Windows\system32\Mmcbbo32.exe57⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Mgigpgkd.exeC:\Windows\system32\Mgigpgkd.exe58⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Nijcgp32.exeC:\Windows\system32\Nijcgp32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Ncpgeh32.exeC:\Windows\system32\Ncpgeh32.exe60⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe62⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Niombolm.exeC:\Windows\system32\Niombolm.exe63⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Nnkekfkd.exeC:\Windows\system32\Nnkekfkd.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Nloedjin.exeC:\Windows\system32\Nloedjin.exe65⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Nnnbqeib.exeC:\Windows\system32\Nnnbqeib.exe66⤵PID:1104
-
C:\Windows\SysWOW64\Nlabjj32.exeC:\Windows\system32\Nlabjj32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Odmgnl32.exeC:\Windows\system32\Odmgnl32.exe68⤵
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Oldooi32.exeC:\Windows\system32\Oldooi32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe70⤵
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Opfdim32.exeC:\Windows\system32\Opfdim32.exe71⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Omjeba32.exeC:\Windows\system32\Omjeba32.exe72⤵PID:488
-
C:\Windows\SysWOW64\Ojnelefl.exeC:\Windows\system32\Ojnelefl.exe73⤵PID:2052
-
C:\Windows\SysWOW64\Olobcm32.exeC:\Windows\system32\Olobcm32.exe74⤵PID:2900
-
C:\Windows\SysWOW64\Ofefqf32.exeC:\Windows\system32\Ofefqf32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe76⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Pieobaiq.exeC:\Windows\system32\Pieobaiq.exe77⤵PID:2184
-
C:\Windows\SysWOW64\Pobgjhgh.exeC:\Windows\system32\Pobgjhgh.exe78⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Phklcn32.exeC:\Windows\system32\Phklcn32.exe79⤵
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe80⤵
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Plheil32.exeC:\Windows\system32\Plheil32.exe81⤵PID:3016
-
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe82⤵PID:3024
-
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe83⤵
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Pahjgb32.exeC:\Windows\system32\Pahjgb32.exe84⤵PID:2280
-
C:\Windows\SysWOW64\Qgdbpi32.exeC:\Windows\system32\Qgdbpi32.exe85⤵PID:2220
-
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe86⤵PID:1308
-
C:\Windows\SysWOW64\Qggoeilh.exeC:\Windows\system32\Qggoeilh.exe87⤵
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Qlcgmpkp.exeC:\Windows\system32\Qlcgmpkp.exe88⤵PID:2384
-
C:\Windows\SysWOW64\Agilkijf.exeC:\Windows\system32\Agilkijf.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Apapcnaf.exeC:\Windows\system32\Apapcnaf.exe90⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Aenileon.exeC:\Windows\system32\Aenileon.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Acbieing.exeC:\Windows\system32\Acbieing.exe92⤵PID:1076
-
C:\Windows\SysWOW64\Ajlabc32.exeC:\Windows\system32\Ajlabc32.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Aoijjjcl.exeC:\Windows\system32\Aoijjjcl.exe94⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Afcbgd32.exeC:\Windows\system32\Afcbgd32.exe95⤵PID:936
-
C:\Windows\SysWOW64\Anngkg32.exeC:\Windows\system32\Anngkg32.exe96⤵PID:2952
-
C:\Windows\SysWOW64\Afeold32.exeC:\Windows\system32\Afeold32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012 -
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe98⤵PID:2056
-
C:\Windows\SysWOW64\Bhfhnofg.exeC:\Windows\system32\Bhfhnofg.exe99⤵
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe100⤵PID:2028
-
C:\Windows\SysWOW64\Bjjakg32.exeC:\Windows\system32\Bjjakg32.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Bcbedm32.exeC:\Windows\system32\Bcbedm32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Bnhjae32.exeC:\Windows\system32\Bnhjae32.exe103⤵PID:2780
-
C:\Windows\SysWOW64\Bcdbjl32.exeC:\Windows\system32\Bcdbjl32.exe104⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Bqhbcqmj.exeC:\Windows\system32\Bqhbcqmj.exe105⤵PID:2820
-
C:\Windows\SysWOW64\Cjqglf32.exeC:\Windows\system32\Cjqglf32.exe106⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Ccileljk.exeC:\Windows\system32\Ccileljk.exe107⤵
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Cfjdfg32.exeC:\Windows\system32\Cfjdfg32.exe108⤵PID:2112
-
C:\Windows\SysWOW64\Ckgmon32.exeC:\Windows\system32\Ckgmon32.exe109⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Ciknhb32.exeC:\Windows\system32\Ciknhb32.exe110⤵PID:1144
-
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe111⤵PID:2124
-
C:\Windows\SysWOW64\Cgpjin32.exeC:\Windows\system32\Cgpjin32.exe112⤵PID:3000
-
C:\Windows\SysWOW64\Cmmcae32.exeC:\Windows\system32\Cmmcae32.exe113⤵PID:1580
-
C:\Windows\SysWOW64\Emceag32.exeC:\Windows\system32\Emceag32.exe114⤵
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Fdpjcaij.exeC:\Windows\system32\Fdpjcaij.exe115⤵PID:2744
-
C:\Windows\SysWOW64\Flmlmc32.exeC:\Windows\system32\Flmlmc32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Folhio32.exeC:\Windows\system32\Folhio32.exe117⤵PID:2632
-
C:\Windows\SysWOW64\Fhdlbd32.exeC:\Windows\system32\Fhdlbd32.exe118⤵PID:1448
-
C:\Windows\SysWOW64\Fpkdca32.exeC:\Windows\system32\Fpkdca32.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Falakjag.exeC:\Windows\system32\Falakjag.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Ficilgai.exeC:\Windows\system32\Ficilgai.exe121⤵PID:2460
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-