Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
07/09/2024, 22:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
18be056026af28fb9adc02a81b6aa8a0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
18be056026af28fb9adc02a81b6aa8a0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
18be056026af28fb9adc02a81b6aa8a0N.exe
-
Size
100KB
-
MD5
18be056026af28fb9adc02a81b6aa8a0
-
SHA1
777fa12854baf380ee4e48eca6ed6eea9f74aaa0
-
SHA256
5ba500f953f237b937a7d8c7036080f119c60aabf56335e5a9588791ae82f2eb
-
SHA512
ece5b0e8fb805f02c6bbdc47008fa52324b23bb2e14fc1a2ece3778d9d198c583977ceadad32bbe55556d38e1a5c4a29190a83512291314aa8f88d74bf916f88
-
SSDEEP
3072:pORL8vFh1rvO+izAhqo+JHHM/Jqgb3a3+X13XRzT:W8vg+izAUJHyJj7aOl3BzT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkhejkcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbgjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkiicmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pecgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kohnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjpbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micklk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lboiol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdlggg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfpdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccjoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmhhmlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldebkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jplkmgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooicid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oajlkojn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlhkbhq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbeded32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkigoimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eklqcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpkbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcjlnpmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghfnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjdndjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idkpganf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeohkeoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljfapjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofcqcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjkhdacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgdfdbhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhjfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clmdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hemqpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljghjpfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acnjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnnaoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkbaii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gceailog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhemhpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accqnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cenljmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olebgfao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amohfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcachc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgbdodnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajnpecbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biaign32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqoilii.exe -
Executes dropped EXE 64 IoCs
pid Process 2464 Eoajel32.exe 1080 Eapfagno.exe 2784 Egmojnlf.exe 2760 Epecbd32.exe 2732 Egokonjc.exe 2608 Epgphcqd.exe 2632 Egahen32.exe 832 Enkpahon.exe 2152 Eolmip32.exe 2868 Fgcejm32.exe 2628 Flqmbd32.exe 1404 Fcjeon32.exe 992 Fbmfkkbm.exe 1632 Fcmben32.exe 2268 Ffkoai32.exe 1796 Fmegncpp.exe 296 Fnfcel32.exe 1168 Fdpkbf32.exe 1660 Fofpoo32.exe 1056 Fbdlkj32.exe 3032 Fgadda32.exe 2308 Gbfiaj32.exe 756 Gcheib32.exe 2140 Ggcaiqhj.exe 1668 Gcjbna32.exe 2484 Gfhnjm32.exe 1588 Gcmoda32.exe 2984 Gghkdp32.exe 2684 Gjfgqk32.exe 2916 Gmecmg32.exe 2576 Gfmgelil.exe 2144 Gildahhp.exe 1524 Gljpncgc.exe 2748 Hfpdkl32.exe 2952 Hinqgg32.exe 2600 Hnkion32.exe 1956 Hfbaql32.exe 2448 Hhcmhdke.exe 1932 Hnmeen32.exe 1636 Halbai32.exe 1552 Hibjbgbh.exe 1516 Hjdfjo32.exe 604 Hbknkl32.exe 664 Hhhgcc32.exe 1372 Hjfcpo32.exe 3004 Hnbopmnm.exe 1504 Hapklimq.exe 2248 Helgmg32.exe 2100 Hdoghdmd.exe 2284 Hfmddp32.exe 2812 Hndlem32.exe 2892 Iabhah32.exe 2816 Idadnd32.exe 3060 Ifoqjo32.exe 3028 Ijklknbn.exe 2932 Iinmfk32.exe 1856 Iaeegh32.exe 1936 Ifampo32.exe 1884 Ijmipn32.exe 1232 Ilofhffj.exe 1732 Ipjahd32.exe 1092 Ibhndp32.exe 2228 Imnbbi32.exe 1652 Ilabmedg.exe -
Loads dropped DLL 64 IoCs
pid Process 2640 18be056026af28fb9adc02a81b6aa8a0N.exe 2640 18be056026af28fb9adc02a81b6aa8a0N.exe 2464 Eoajel32.exe 2464 Eoajel32.exe 1080 Eapfagno.exe 1080 Eapfagno.exe 2784 Egmojnlf.exe 2784 Egmojnlf.exe 2760 Epecbd32.exe 2760 Epecbd32.exe 2732 Egokonjc.exe 2732 Egokonjc.exe 2608 Epgphcqd.exe 2608 Epgphcqd.exe 2632 Egahen32.exe 2632 Egahen32.exe 832 Enkpahon.exe 832 Enkpahon.exe 2152 Eolmip32.exe 2152 Eolmip32.exe 2868 Fgcejm32.exe 2868 Fgcejm32.exe 2628 Flqmbd32.exe 2628 Flqmbd32.exe 1404 Fcjeon32.exe 1404 Fcjeon32.exe 992 Fbmfkkbm.exe 992 Fbmfkkbm.exe 1632 Fcmben32.exe 1632 Fcmben32.exe 2268 Ffkoai32.exe 2268 Ffkoai32.exe 1796 Fmegncpp.exe 1796 Fmegncpp.exe 296 Fnfcel32.exe 296 Fnfcel32.exe 1168 Fdpkbf32.exe 1168 Fdpkbf32.exe 1660 Fofpoo32.exe 1660 Fofpoo32.exe 1056 Fbdlkj32.exe 1056 Fbdlkj32.exe 3032 Fgadda32.exe 3032 Fgadda32.exe 2308 Gbfiaj32.exe 2308 Gbfiaj32.exe 756 Gcheib32.exe 756 Gcheib32.exe 2140 Ggcaiqhj.exe 2140 Ggcaiqhj.exe 1668 Gcjbna32.exe 1668 Gcjbna32.exe 2484 Gfhnjm32.exe 2484 Gfhnjm32.exe 1588 Gcmoda32.exe 1588 Gcmoda32.exe 2984 Gghkdp32.exe 2984 Gghkdp32.exe 2684 Gjfgqk32.exe 2684 Gjfgqk32.exe 2916 Gmecmg32.exe 2916 Gmecmg32.exe 2576 Gfmgelil.exe 2576 Gfmgelil.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iconoi32.dll Hndlem32.exe File opened for modification C:\Windows\SysWOW64\Iinmfk32.exe Ijklknbn.exe File created C:\Windows\SysWOW64\ÿs.e¢e Dpapaj32.exe File opened for modification C:\Windows\SysWOW64\Aqmamm32.exe Amaelomh.exe File created C:\Windows\SysWOW64\Mlbakl32.dll Pkmlmbcd.exe File created C:\Windows\SysWOW64\Bnjdhe32.dll Bigkel32.exe File created C:\Windows\SysWOW64\Ikmnfdoq.dll Mgjebg32.exe File created C:\Windows\SysWOW64\Ekomolag.dll Pincfpoo.exe File opened for modification C:\Windows\SysWOW64\Hbaaik32.exe Hpbdmo32.exe File opened for modification C:\Windows\SysWOW64\Omklkkpl.exe Ojmpooah.exe File created C:\Windows\SysWOW64\Fjegog32.exe Fggkcl32.exe File created C:\Windows\SysWOW64\Idebfofe.dll Fmegncpp.exe File created C:\Windows\SysWOW64\Fdpkbf32.exe Fnfcel32.exe File opened for modification C:\Windows\SysWOW64\Iabhah32.exe Hndlem32.exe File opened for modification C:\Windows\SysWOW64\Khcomhbi.exe Kfebambf.exe File created C:\Windows\SysWOW64\Gloiniaa.dll Ljkaeo32.exe File created C:\Windows\SysWOW64\Plaimk32.exe Pjcmap32.exe File created C:\Windows\SysWOW64\Nbkkmi32.dll Cmhglq32.exe File created C:\Windows\SysWOW64\Pdkefp32.dll Dmbcen32.exe File created C:\Windows\SysWOW64\Klqahn32.dll Amohfo32.exe File created C:\Windows\SysWOW64\Hqjpab32.dll Accqnc32.exe File created C:\Windows\SysWOW64\Ihhcbf32.exe Ieigfk32.exe File created C:\Windows\SysWOW64\Dbmiil32.dll Kdefgj32.exe File created C:\Windows\SysWOW64\Kjohojml.dll Necogkbo.exe File created C:\Windows\SysWOW64\Mfmhch32.dll Adfqgl32.exe File created C:\Windows\SysWOW64\Jclcfm32.dll Gfhgpg32.exe File opened for modification C:\Windows\SysWOW64\Njhfcp32.exe Nhjjgd32.exe File opened for modification C:\Windows\SysWOW64\Pcghof32.exe Pphkbj32.exe File created C:\Windows\SysWOW64\Qojieb32.dll Eiekpd32.exe File created C:\Windows\SysWOW64\Djgompkk.dll Eklqcl32.exe File opened for modification C:\Windows\SysWOW64\Acfmcc32.exe Allefimb.exe File opened for modification C:\Windows\SysWOW64\Adnpkjde.exe Abpcooea.exe File created C:\Windows\SysWOW64\Cmpgpond.exe Cnmfdb32.exe File created C:\Windows\SysWOW64\Manghajd.dll Qackpado.exe File opened for modification C:\Windows\SysWOW64\Ggkqmoma.exe Giipab32.exe File created C:\Windows\SysWOW64\Nfoghakb.exe Ndqkleln.exe File created C:\Windows\SysWOW64\Ecinnn32.dll Pepcelel.exe File opened for modification C:\Windows\SysWOW64\Giipab32.exe Gqahqd32.exe File opened for modification C:\Windows\SysWOW64\Iimfld32.exe Ieajkfmd.exe File created C:\Windows\SysWOW64\Nlqmmd32.exe Nibqqh32.exe File created C:\Windows\SysWOW64\Bqeqqk32.exe Bnfddp32.exe File created C:\Windows\SysWOW64\Giackg32.dll Kkeecogo.exe File created C:\Windows\SysWOW64\Dddnjc32.dll Kkjnnn32.exe File created C:\Windows\SysWOW64\Pilfpqaa.exe Pkifdd32.exe File created C:\Windows\SysWOW64\Mjcaimgg.exe Mgedmb32.exe File opened for modification C:\Windows\SysWOW64\Pgbdodnh.exe Pcghof32.exe File created C:\Windows\SysWOW64\Ajnpecbj.exe Agpcihcf.exe File opened for modification C:\Windows\SysWOW64\Fgigil32.exe Fdkklp32.exe File opened for modification C:\Windows\SysWOW64\Knkgpi32.exe Kgqocoin.exe File created C:\Windows\SysWOW64\Cmbfdl32.dll Cfmhdpnc.exe File created C:\Windows\SysWOW64\Nmlkfoig.dll Ofcqcp32.exe File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe Cbffoabe.exe File created C:\Windows\SysWOW64\Niebgj32.dll Clojhf32.exe File created C:\Windows\SysWOW64\Ciajik32.dll Hhhgcc32.exe File created C:\Windows\SysWOW64\Popeif32.exe Plaimk32.exe File created C:\Windows\SysWOW64\Hofpgamj.dll Iikifegp.exe File created C:\Windows\SysWOW64\Kdpfadlm.exe Knfndjdp.exe File opened for modification C:\Windows\SysWOW64\Ompefj32.exe Oeindm32.exe File created C:\Windows\SysWOW64\Ailhedbj.dll Imnbbi32.exe File created C:\Windows\SysWOW64\Fejhndnn.dll Bnihdemo.exe File opened for modification C:\Windows\SysWOW64\Lcjlnpmo.exe Lonpma32.exe File created C:\Windows\SysWOW64\Idgglb32.exe Iahkpg32.exe File created C:\Windows\SysWOW64\Jpbalb32.exe Jaoqqflp.exe File opened for modification C:\Windows\SysWOW64\Nnkcpq32.exe Njpgpbpf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6380 6332 WerFault.exe 663 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqonbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opglafab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbaql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenpajfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdhoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgkhdddo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogiaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plaimk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnadkic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqipkhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omklkkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfcja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhhjklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpglecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeppdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbndpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijklknbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcomhbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elajgpmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgigil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhemhpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljkaeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcghof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpcckck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolghndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpfadlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgllgedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hapklimq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoqjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobbofgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmfchei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddimn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdiefffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpcooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapgkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjojef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpgpond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beackp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnofjfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlphbbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojmpooah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gildahhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifampo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcopdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmljgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgmodel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmhnjlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiekpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgldnkkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fggkcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfcnegnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll" Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabkgh32.dll" Gcheib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnkion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehkhaqpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll" Accqnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll" Aomnhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbknkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edibhmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehmdgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Femijbfb.dll" Mgedmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epgphcqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbaepf32.dll" Kcdjoaee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kllnhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbkkmi32.dll" Cmhglq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Najpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmhglq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlfgcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piicpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfpifm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfdfdee.dll" Bckjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkcqmgj.dll" Npaich32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npaich32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqbfik32.dll" Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll" Bchfhfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhjphfgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljkaeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" Cnmfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilabmedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfphcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgldnkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdnild32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkdhoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodahqi.dll" Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aflfjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnbopmnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iabhah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekomolag.dll" Pincfpoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plaimk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbfiaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcheib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgigil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nabopjmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meabakda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohagbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oekjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcogbdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flqmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbbbdcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fijbkbjk.dll" Hahnac32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2464 2640 18be056026af28fb9adc02a81b6aa8a0N.exe 30 PID 2640 wrote to memory of 2464 2640 18be056026af28fb9adc02a81b6aa8a0N.exe 30 PID 2640 wrote to memory of 2464 2640 18be056026af28fb9adc02a81b6aa8a0N.exe 30 PID 2640 wrote to memory of 2464 2640 18be056026af28fb9adc02a81b6aa8a0N.exe 30 PID 2464 wrote to memory of 1080 2464 Eoajel32.exe 31 PID 2464 wrote to memory of 1080 2464 Eoajel32.exe 31 PID 2464 wrote to memory of 1080 2464 Eoajel32.exe 31 PID 2464 wrote to memory of 1080 2464 Eoajel32.exe 31 PID 1080 wrote to memory of 2784 1080 Eapfagno.exe 32 PID 1080 wrote to memory of 2784 1080 Eapfagno.exe 32 PID 1080 wrote to memory of 2784 1080 Eapfagno.exe 32 PID 1080 wrote to memory of 2784 1080 Eapfagno.exe 32 PID 2784 wrote to memory of 2760 2784 Egmojnlf.exe 33 PID 2784 wrote to memory of 2760 2784 Egmojnlf.exe 33 PID 2784 wrote to memory of 2760 2784 Egmojnlf.exe 33 PID 2784 wrote to memory of 2760 2784 Egmojnlf.exe 33 PID 2760 wrote to memory of 2732 2760 Epecbd32.exe 34 PID 2760 wrote to memory of 2732 2760 Epecbd32.exe 34 PID 2760 wrote to memory of 2732 2760 Epecbd32.exe 34 PID 2760 wrote to memory of 2732 2760 Epecbd32.exe 34 PID 2732 wrote to memory of 2608 2732 Egokonjc.exe 35 PID 2732 wrote to memory of 2608 2732 Egokonjc.exe 35 PID 2732 wrote to memory of 2608 2732 Egokonjc.exe 35 PID 2732 wrote to memory of 2608 2732 Egokonjc.exe 35 PID 2608 wrote to memory of 2632 2608 Epgphcqd.exe 36 PID 2608 wrote to memory of 2632 2608 Epgphcqd.exe 36 PID 2608 wrote to memory of 2632 2608 Epgphcqd.exe 36 PID 2608 wrote to memory of 2632 2608 Epgphcqd.exe 36 PID 2632 wrote to memory of 832 2632 Egahen32.exe 37 PID 2632 wrote to memory of 832 2632 Egahen32.exe 37 PID 2632 wrote to memory of 832 2632 Egahen32.exe 37 PID 2632 wrote to memory of 832 2632 Egahen32.exe 37 PID 832 wrote to memory of 2152 832 Enkpahon.exe 38 PID 832 wrote to memory of 2152 832 Enkpahon.exe 38 PID 832 wrote to memory of 2152 832 Enkpahon.exe 38 PID 832 wrote to memory of 2152 832 Enkpahon.exe 38 PID 2152 wrote to memory of 2868 2152 Eolmip32.exe 39 PID 2152 wrote to memory of 2868 2152 Eolmip32.exe 39 PID 2152 wrote to memory of 2868 2152 Eolmip32.exe 39 PID 2152 wrote to memory of 2868 2152 Eolmip32.exe 39 PID 2868 wrote to memory of 2628 2868 Fgcejm32.exe 40 PID 2868 wrote to memory of 2628 2868 Fgcejm32.exe 40 PID 2868 wrote to memory of 2628 2868 Fgcejm32.exe 40 PID 2868 wrote to memory of 2628 2868 Fgcejm32.exe 40 PID 2628 wrote to memory of 1404 2628 Flqmbd32.exe 41 PID 2628 wrote to memory of 1404 2628 Flqmbd32.exe 41 PID 2628 wrote to memory of 1404 2628 Flqmbd32.exe 41 PID 2628 wrote to memory of 1404 2628 Flqmbd32.exe 41 PID 1404 wrote to memory of 992 1404 Fcjeon32.exe 42 PID 1404 wrote to memory of 992 1404 Fcjeon32.exe 42 PID 1404 wrote to memory of 992 1404 Fcjeon32.exe 42 PID 1404 wrote to memory of 992 1404 Fcjeon32.exe 42 PID 992 wrote to memory of 1632 992 Fbmfkkbm.exe 43 PID 992 wrote to memory of 1632 992 Fbmfkkbm.exe 43 PID 992 wrote to memory of 1632 992 Fbmfkkbm.exe 43 PID 992 wrote to memory of 1632 992 Fbmfkkbm.exe 43 PID 1632 wrote to memory of 2268 1632 Fcmben32.exe 44 PID 1632 wrote to memory of 2268 1632 Fcmben32.exe 44 PID 1632 wrote to memory of 2268 1632 Fcmben32.exe 44 PID 1632 wrote to memory of 2268 1632 Fcmben32.exe 44 PID 2268 wrote to memory of 1796 2268 Ffkoai32.exe 45 PID 2268 wrote to memory of 1796 2268 Ffkoai32.exe 45 PID 2268 wrote to memory of 1796 2268 Ffkoai32.exe 45 PID 2268 wrote to memory of 1796 2268 Ffkoai32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\18be056026af28fb9adc02a81b6aa8a0N.exe"C:\Users\Admin\AppData\Local\Temp\18be056026af28fb9adc02a81b6aa8a0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:296 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe34⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe36⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe39⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe40⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe41⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe42⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe43⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:664 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe46⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe49⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe50⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe51⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe54⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe57⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe58⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe60⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe61⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe62⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe63⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe66⤵PID:2016
-
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe67⤵PID:1572
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe69⤵PID:2664
-
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe70⤵PID:2740
-
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe71⤵
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe72⤵PID:2560
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe73⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe74⤵PID:2940
-
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe75⤵PID:1136
-
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe76⤵
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe77⤵PID:316
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe78⤵PID:2988
-
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe79⤵PID:268
-
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe80⤵PID:1924
-
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe81⤵PID:1804
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe82⤵PID:3012
-
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe83⤵PID:3008
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe84⤵PID:2652
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe85⤵PID:2392
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe86⤵PID:2956
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe88⤵PID:1792
-
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe89⤵PID:2928
-
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe92⤵PID:2520
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe93⤵PID:2408
-
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe94⤵PID:828
-
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe95⤵PID:2288
-
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe96⤵PID:800
-
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe97⤵PID:2032
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe98⤵PID:2116
-
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe99⤵PID:2776
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe100⤵
- System Location Discovery: System Language Discovery
PID:304 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe101⤵PID:1892
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe102⤵PID:2624
-
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe103⤵PID:2872
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe105⤵PID:264
-
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe106⤵PID:1432
-
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe107⤵
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe108⤵PID:600
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2272 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe110⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2704 -
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe112⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe113⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe114⤵PID:2548
-
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe115⤵PID:2524
-
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe116⤵
- Drops file in System32 directory
PID:1408 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe117⤵
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe118⤵PID:1764
-
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe119⤵PID:2468
-
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe120⤵PID:2104
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-