Analysis
-
max time kernel
112s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
07/09/2024, 11:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1e1043136c714afb7cb2bf11069e1970N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
1e1043136c714afb7cb2bf11069e1970N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
1e1043136c714afb7cb2bf11069e1970N.exe
-
Size
181KB
-
MD5
1e1043136c714afb7cb2bf11069e1970
-
SHA1
5e727018b7234f7ff10b6e3b7fb282bbc3c11dcf
-
SHA256
40e3f57d7adeaf726779d2b89e35670309f5b39635fb5392cc6bf9ac6d069f01
-
SHA512
ff0861cb928e5d8db202c7beaeeb9eed6c2b274642acbf0c87f98ecd649f59273f8f88d47cec322e1e3182922e059f9171d79bc59e3180c4fa9fd994a105e95d
-
SSDEEP
3072:MRYwc1jFDrFDHZtOgK0Bh6mmNOYSMrbwDrFDHZtOg:Mm5j5tT7B9mo43I5tT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odanqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlapaapg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdblkoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhmkbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbannb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbjbnoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blnkbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fohphgce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcamln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agfikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiflpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdeall32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomglo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lckpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjgqcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ophoecoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oegdcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hndoifdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifhgcgjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjlmjmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjilde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neekogkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkplgoop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeccdila.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiimfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjfjcdln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gllpflng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajibckpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgiplffm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkdda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odoakckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkmobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankhmncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bimbql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcepgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdqhambg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkfdfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdgcaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elejqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leqeed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Manljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afnfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abeghmmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgaknbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfihml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlcbfnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jndhddaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfobllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkkblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geddoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekjgbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giejkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibadnhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnnhcknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfhddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndoelpid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhopfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeccdila.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Johaalea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fclbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iainddpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khglkqfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjgqcj32.exe -
Executes dropped EXE 64 IoCs
pid Process 2596 Qfhddn32.exe 2804 Qgiplffm.exe 2920 Aiimfi32.exe 1932 Aepnkjcd.exe 2684 Agnjge32.exe 2676 Aebjaj32.exe 2188 Agqfme32.exe 2968 Agccbenc.exe 2172 Ajapoqmf.exe 2948 Abldccka.exe 292 Aiflpm32.exe 1608 Bclqme32.exe 1436 Bfjmia32.exe 1108 Bbannb32.exe 2324 Bikfklni.exe 1924 Bbcjca32.exe 448 Bimbql32.exe 1616 Bllomg32.exe 708 Bbfgiabg.exe 2192 Bdgcaj32.exe 1300 Blnkbg32.exe 1784 Befpkmph.exe 1752 Bdipfi32.exe 2228 Ckchcc32.exe 1912 Cmaeoo32.exe 2296 Cppakj32.exe 2180 Cfjihdcc.exe 2060 Cihedpcg.exe 2836 Cbajme32.exe 2688 Cmfnjnin.exe 2672 Clinfk32.exe 2248 Cdqfgh32.exe 3000 Ceacoqfi.exe 2056 Ccecheeb.exe 1100 Cedpdpdf.exe 1852 Chblqlcj.exe 644 Cpidai32.exe 2844 Dibhjokm.exe 1612 Dkcebg32.exe 2084 Deiipp32.exe 2600 Dndndbnl.exe 1948 Dekeeonn.exe 2484 Dglbmg32.exe 940 Docjne32.exe 1520 Dabfjp32.exe 1144 Dpdfemkm.exe 596 Dhlogjko.exe 400 Dgoobg32.exe 1576 Dadcppbp.exe 2164 Dcepgh32.exe 2784 Dkmghe32.exe 2820 Enkdda32.exe 2664 Epipql32.exe 2828 Egchmfnd.exe 956 Effhic32.exe 2700 Elpqemll.exe 1028 Eplmflde.exe 1140 Egeecf32.exe 1332 Ejdaoa32.exe 2284 Ehgaknbp.exe 1092 Eqnillbb.exe 2184 Eoajgh32.exe 2344 Efkbdbai.exe 2116 Ehinpnpm.exe -
Loads dropped DLL 64 IoCs
pid Process 2908 1e1043136c714afb7cb2bf11069e1970N.exe 2908 1e1043136c714afb7cb2bf11069e1970N.exe 2596 Qfhddn32.exe 2596 Qfhddn32.exe 2804 Qgiplffm.exe 2804 Qgiplffm.exe 2920 Aiimfi32.exe 2920 Aiimfi32.exe 1932 Aepnkjcd.exe 1932 Aepnkjcd.exe 2684 Agnjge32.exe 2684 Agnjge32.exe 2676 Aebjaj32.exe 2676 Aebjaj32.exe 2188 Agqfme32.exe 2188 Agqfme32.exe 2968 Agccbenc.exe 2968 Agccbenc.exe 2172 Ajapoqmf.exe 2172 Ajapoqmf.exe 2948 Abldccka.exe 2948 Abldccka.exe 292 Aiflpm32.exe 292 Aiflpm32.exe 1608 Bclqme32.exe 1608 Bclqme32.exe 1436 Bfjmia32.exe 1436 Bfjmia32.exe 1108 Bbannb32.exe 1108 Bbannb32.exe 2324 Bikfklni.exe 2324 Bikfklni.exe 1924 Bbcjca32.exe 1924 Bbcjca32.exe 448 Bimbql32.exe 448 Bimbql32.exe 1616 Bllomg32.exe 1616 Bllomg32.exe 708 Bbfgiabg.exe 708 Bbfgiabg.exe 2192 Bdgcaj32.exe 2192 Bdgcaj32.exe 1300 Blnkbg32.exe 1300 Blnkbg32.exe 1784 Befpkmph.exe 1784 Befpkmph.exe 1752 Bdipfi32.exe 1752 Bdipfi32.exe 2228 Ckchcc32.exe 2228 Ckchcc32.exe 1912 Cmaeoo32.exe 1912 Cmaeoo32.exe 2296 Cppakj32.exe 2296 Cppakj32.exe 2180 Cfjihdcc.exe 2180 Cfjihdcc.exe 2060 Cihedpcg.exe 2060 Cihedpcg.exe 2836 Cbajme32.exe 2836 Cbajme32.exe 2688 Cmfnjnin.exe 2688 Cmfnjnin.exe 2672 Clinfk32.exe 2672 Clinfk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gdnkkmej.exe Gbmoceol.exe File opened for modification C:\Windows\SysWOW64\Ileoknhh.exe Ihjcko32.exe File created C:\Windows\SysWOW64\Bmenijcd.exe Bnbnnm32.exe File created C:\Windows\SysWOW64\Elejqm32.exe Ehinpnpm.exe File opened for modification C:\Windows\SysWOW64\Idcqep32.exe Ibadnhmb.exe File opened for modification C:\Windows\SysWOW64\Lkfdfo32.exe Lighjd32.exe File created C:\Windows\SysWOW64\Odanqb32.exe Oacbdg32.exe File created C:\Windows\SysWOW64\Olfclj32.dll Bghfacem.exe File created C:\Windows\SysWOW64\Gbheif32.exe Gpjilj32.exe File created C:\Windows\SysWOW64\Ccembbcj.dll Jjilde32.exe File opened for modification C:\Windows\SysWOW64\Kheofahm.exe Knpkhhhg.exe File created C:\Windows\SysWOW64\Nbdbml32.exe Npffaq32.exe File created C:\Windows\SysWOW64\Aioodg32.exe Aeccdila.exe File opened for modification C:\Windows\SysWOW64\Jjilde32.exe Jcocgkbp.exe File created C:\Windows\SysWOW64\Lkcgapjl.exe Liekddkh.exe File created C:\Windows\SysWOW64\Cbloen32.dll Bllomg32.exe File created C:\Windows\SysWOW64\Dapchl32.dll Jhniebne.exe File created C:\Windows\SysWOW64\Qfljmmjl.exe Qcmnaaji.exe File created C:\Windows\SysWOW64\Cpidai32.exe Chblqlcj.exe File created C:\Windows\SysWOW64\Iimfjoho.dll Dekeeonn.exe File created C:\Windows\SysWOW64\Fqnfkoen.exe Fjdnne32.exe File opened for modification C:\Windows\SysWOW64\Giejkp32.exe Gbkaneao.exe File opened for modification C:\Windows\SysWOW64\Hadhjaaa.exe Hnflnfbm.exe File created C:\Windows\SysWOW64\Kjihci32.exe Khglkqfj.exe File created C:\Windows\SysWOW64\Hddpfjgq.dll Nbdbml32.exe File created C:\Windows\SysWOW64\Cmfnjnin.exe Cbajme32.exe File created C:\Windows\SysWOW64\Plffkc32.exe Pdonjf32.exe File created C:\Windows\SysWOW64\Ehgaknbp.exe Ejdaoa32.exe File created C:\Windows\SysWOW64\Pnnbagpd.dll Fqkieogp.exe File created C:\Windows\SysWOW64\Fgjkmijh.exe Fpcblkje.exe File opened for modification C:\Windows\SysWOW64\Khglkqfj.exe Kqqdjceh.exe File opened for modification C:\Windows\SysWOW64\Kbppdfmk.exe Kjihci32.exe File opened for modification C:\Windows\SysWOW64\Pkmobp32.exe Pqhkdg32.exe File created C:\Windows\SysWOW64\Gkldbf32.dll Dndndbnl.exe File created C:\Windows\SysWOW64\Jhenggfi.dll Mmpcdfem.exe File created C:\Windows\SysWOW64\Nbfobllj.exe Nokcbm32.exe File created C:\Windows\SysWOW64\Ogmngn32.exe Odoakckp.exe File created C:\Windows\SysWOW64\Pobeao32.exe Pkfiaqgk.exe File created C:\Windows\SysWOW64\Kekjepjd.dll Dcepgh32.exe File created C:\Windows\SysWOW64\Aikjmm32.dll Cfjihdcc.exe File opened for modification C:\Windows\SysWOW64\Lomglo32.exe Lqjfpbmm.exe File opened for modification C:\Windows\SysWOW64\Bclqme32.exe Aiflpm32.exe File created C:\Windows\SysWOW64\Jjmoge32.dll Iljifm32.exe File opened for modification C:\Windows\SysWOW64\Mmpcdfem.exe Mjbghkfi.exe File opened for modification C:\Windows\SysWOW64\Enkdda32.exe Dkmghe32.exe File opened for modification C:\Windows\SysWOW64\Piemih32.exe Panehkaj.exe File opened for modification C:\Windows\SysWOW64\Dgoobg32.exe Dhlogjko.exe File created C:\Windows\SysWOW64\Hadhjaaa.exe Hnflnfbm.exe File created C:\Windows\SysWOW64\Malpee32.exe Mmpcdfem.exe File created C:\Windows\SysWOW64\Apcmlcin.dll Mlhmkbhb.exe File opened for modification C:\Windows\SysWOW64\Odoakckp.exe Oaqeogll.exe File opened for modification C:\Windows\SysWOW64\Mnijnjbh.exe Mgoaap32.exe File created C:\Windows\SysWOW64\Encbem32.dll Hagepa32.exe File opened for modification C:\Windows\SysWOW64\Knpkhhhg.exe Kkaolm32.exe File opened for modification C:\Windows\SysWOW64\Mhfhaoec.exe Malpee32.exe File opened for modification C:\Windows\SysWOW64\Mdmhfpkg.exe Manljd32.exe File created C:\Windows\SysWOW64\Fjdnne32.exe Fkambhgf.exe File created C:\Windows\SysWOW64\Ifhgcgjq.exe Ibmkbh32.exe File created C:\Windows\SysWOW64\Fjfjcdln.exe Fclbgj32.exe File opened for modification C:\Windows\SysWOW64\Kfdfdf32.exe Jojnglco.exe File opened for modification C:\Windows\SysWOW64\Ikjlmjmp.exe Ihlpqonl.exe File created C:\Windows\SysWOW64\Aalbfa32.dll Fipdqmje.exe File opened for modification C:\Windows\SysWOW64\Gmlmpo32.exe Geddoa32.exe File created C:\Windows\SysWOW64\Lfilnh32.exe Lckpbm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3984 3880 WerFault.exe 329 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnllnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkaneao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjgbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihlpqonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqjfpbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clinfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdqhambg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllomg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdblkoco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glaiak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhjgll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ophoecoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppakj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anndbnao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibadnhmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqkieogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oheppe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panehkaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqoaefke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeccdila.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aialjgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihjcko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlmpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leqeed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbilhkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacbdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbgbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfnjnin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iboghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkcgapjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmngof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhckloge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebjaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihedpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcebg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffohikd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdajpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclqme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egeecf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emggflfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnmmidhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckpbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfihml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bghfacem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpqemll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcbpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomglo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nejdjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okfmbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcjeakfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbplciof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpcdfem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndoelpid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjilj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlcbfnjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogddhmdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Papank32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbjbnoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdqfgh32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdqfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnakj32.dll" Fcjeakfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckomcec.dll" Fjfjcdln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqqdjceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lighjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oophlpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpocbfnp.dll" Abldccka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgoobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gibmep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoajgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emggflfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmkbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehinpnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elejqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leqeed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdkjqpq.dll" Ngkaaolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkambhgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjgll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcocgkbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhckloge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihjghlh.dll" Nfpnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Effhic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lighjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hadhjaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodlloep.dll" Acpjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgiplffm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epipql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ollcee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqjhjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdlenkfg.dll" Dibhjokm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hplbamdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlekja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebepc32.dll" Abbjbnoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elejqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaqeogll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjjhnge.dll" Qfljmmjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqhblj32.dll" Oophlpag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 1e1043136c714afb7cb2bf11069e1970N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elpqemll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbfhcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhniebne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fipdqmje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fclbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpkphm32.dll" Lomglo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkmghe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmioapf.dll" Cpidai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jikljfbm.dll" Fqnfkoen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iboghh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgmlmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lckpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdmhfpkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkpaokgq.dll" Pkplgoop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemjqoee.dll" Fjdnne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjmmcgha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihlpqonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gniiomgc.dll" Jjgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdecb32.dll" Panehkaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjffbhnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngaig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bghfacem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgcdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmahec32.dll" Hdeall32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcihik32.dll" Ogpjmn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2908 wrote to memory of 2596 2908 1e1043136c714afb7cb2bf11069e1970N.exe 30 PID 2908 wrote to memory of 2596 2908 1e1043136c714afb7cb2bf11069e1970N.exe 30 PID 2908 wrote to memory of 2596 2908 1e1043136c714afb7cb2bf11069e1970N.exe 30 PID 2908 wrote to memory of 2596 2908 1e1043136c714afb7cb2bf11069e1970N.exe 30 PID 2596 wrote to memory of 2804 2596 Qfhddn32.exe 31 PID 2596 wrote to memory of 2804 2596 Qfhddn32.exe 31 PID 2596 wrote to memory of 2804 2596 Qfhddn32.exe 31 PID 2596 wrote to memory of 2804 2596 Qfhddn32.exe 31 PID 2804 wrote to memory of 2920 2804 Qgiplffm.exe 32 PID 2804 wrote to memory of 2920 2804 Qgiplffm.exe 32 PID 2804 wrote to memory of 2920 2804 Qgiplffm.exe 32 PID 2804 wrote to memory of 2920 2804 Qgiplffm.exe 32 PID 2920 wrote to memory of 1932 2920 Aiimfi32.exe 33 PID 2920 wrote to memory of 1932 2920 Aiimfi32.exe 33 PID 2920 wrote to memory of 1932 2920 Aiimfi32.exe 33 PID 2920 wrote to memory of 1932 2920 Aiimfi32.exe 33 PID 1932 wrote to memory of 2684 1932 Aepnkjcd.exe 34 PID 1932 wrote to memory of 2684 1932 Aepnkjcd.exe 34 PID 1932 wrote to memory of 2684 1932 Aepnkjcd.exe 34 PID 1932 wrote to memory of 2684 1932 Aepnkjcd.exe 34 PID 2684 wrote to memory of 2676 2684 Agnjge32.exe 35 PID 2684 wrote to memory of 2676 2684 Agnjge32.exe 35 PID 2684 wrote to memory of 2676 2684 Agnjge32.exe 35 PID 2684 wrote to memory of 2676 2684 Agnjge32.exe 35 PID 2676 wrote to memory of 2188 2676 Aebjaj32.exe 36 PID 2676 wrote to memory of 2188 2676 Aebjaj32.exe 36 PID 2676 wrote to memory of 2188 2676 Aebjaj32.exe 36 PID 2676 wrote to memory of 2188 2676 Aebjaj32.exe 36 PID 2188 wrote to memory of 2968 2188 Agqfme32.exe 37 PID 2188 wrote to memory of 2968 2188 Agqfme32.exe 37 PID 2188 wrote to memory of 2968 2188 Agqfme32.exe 37 PID 2188 wrote to memory of 2968 2188 Agqfme32.exe 37 PID 2968 wrote to memory of 2172 2968 Agccbenc.exe 38 PID 2968 wrote to memory of 2172 2968 Agccbenc.exe 38 PID 2968 wrote to memory of 2172 2968 Agccbenc.exe 38 PID 2968 wrote to memory of 2172 2968 Agccbenc.exe 38 PID 2172 wrote to memory of 2948 2172 Ajapoqmf.exe 39 PID 2172 wrote to memory of 2948 2172 Ajapoqmf.exe 39 PID 2172 wrote to memory of 2948 2172 Ajapoqmf.exe 39 PID 2172 wrote to memory of 2948 2172 Ajapoqmf.exe 39 PID 2948 wrote to memory of 292 2948 Abldccka.exe 40 PID 2948 wrote to memory of 292 2948 Abldccka.exe 40 PID 2948 wrote to memory of 292 2948 Abldccka.exe 40 PID 2948 wrote to memory of 292 2948 Abldccka.exe 40 PID 292 wrote to memory of 1608 292 Aiflpm32.exe 41 PID 292 wrote to memory of 1608 292 Aiflpm32.exe 41 PID 292 wrote to memory of 1608 292 Aiflpm32.exe 41 PID 292 wrote to memory of 1608 292 Aiflpm32.exe 41 PID 1608 wrote to memory of 1436 1608 Bclqme32.exe 42 PID 1608 wrote to memory of 1436 1608 Bclqme32.exe 42 PID 1608 wrote to memory of 1436 1608 Bclqme32.exe 42 PID 1608 wrote to memory of 1436 1608 Bclqme32.exe 42 PID 1436 wrote to memory of 1108 1436 Bfjmia32.exe 43 PID 1436 wrote to memory of 1108 1436 Bfjmia32.exe 43 PID 1436 wrote to memory of 1108 1436 Bfjmia32.exe 43 PID 1436 wrote to memory of 1108 1436 Bfjmia32.exe 43 PID 1108 wrote to memory of 2324 1108 Bbannb32.exe 44 PID 1108 wrote to memory of 2324 1108 Bbannb32.exe 44 PID 1108 wrote to memory of 2324 1108 Bbannb32.exe 44 PID 1108 wrote to memory of 2324 1108 Bbannb32.exe 44 PID 2324 wrote to memory of 1924 2324 Bikfklni.exe 45 PID 2324 wrote to memory of 1924 2324 Bikfklni.exe 45 PID 2324 wrote to memory of 1924 2324 Bikfklni.exe 45 PID 2324 wrote to memory of 1924 2324 Bikfklni.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e1043136c714afb7cb2bf11069e1970N.exe"C:\Users\Admin\AppData\Local\Temp\1e1043136c714afb7cb2bf11069e1970N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Qfhddn32.exeC:\Windows\system32\Qfhddn32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Qgiplffm.exeC:\Windows\system32\Qgiplffm.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Aiimfi32.exeC:\Windows\system32\Aiimfi32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Aepnkjcd.exeC:\Windows\system32\Aepnkjcd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Agnjge32.exeC:\Windows\system32\Agnjge32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Aebjaj32.exeC:\Windows\system32\Aebjaj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Agqfme32.exeC:\Windows\system32\Agqfme32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Agccbenc.exeC:\Windows\system32\Agccbenc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ajapoqmf.exeC:\Windows\system32\Ajapoqmf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Abldccka.exeC:\Windows\system32\Abldccka.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Aiflpm32.exeC:\Windows\system32\Aiflpm32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\Bclqme32.exeC:\Windows\system32\Bclqme32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Bfjmia32.exeC:\Windows\system32\Bfjmia32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Bbannb32.exeC:\Windows\system32\Bbannb32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Bikfklni.exeC:\Windows\system32\Bikfklni.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Bbcjca32.exeC:\Windows\system32\Bbcjca32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Bimbql32.exeC:\Windows\system32\Bimbql32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\Bllomg32.exeC:\Windows\system32\Bllomg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Bbfgiabg.exeC:\Windows\system32\Bbfgiabg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708 -
C:\Windows\SysWOW64\Bdgcaj32.exeC:\Windows\system32\Bdgcaj32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Blnkbg32.exeC:\Windows\system32\Blnkbg32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Befpkmph.exeC:\Windows\system32\Befpkmph.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Bdipfi32.exeC:\Windows\system32\Bdipfi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Ckchcc32.exeC:\Windows\system32\Ckchcc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Cmaeoo32.exeC:\Windows\system32\Cmaeoo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Cppakj32.exeC:\Windows\system32\Cppakj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Cfjihdcc.exeC:\Windows\system32\Cfjihdcc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Cihedpcg.exeC:\Windows\system32\Cihedpcg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Cbajme32.exeC:\Windows\system32\Cbajme32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Cmfnjnin.exeC:\Windows\system32\Cmfnjnin.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Clinfk32.exeC:\Windows\system32\Clinfk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Cdqfgh32.exeC:\Windows\system32\Cdqfgh32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Ceacoqfi.exeC:\Windows\system32\Ceacoqfi.exe34⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ccecheeb.exeC:\Windows\system32\Ccecheeb.exe35⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Cedpdpdf.exeC:\Windows\system32\Cedpdpdf.exe36⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Chblqlcj.exeC:\Windows\system32\Chblqlcj.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Dkcebg32.exeC:\Windows\system32\Dkcebg32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Deiipp32.exeC:\Windows\system32\Deiipp32.exe41⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Dndndbnl.exeC:\Windows\system32\Dndndbnl.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Dglbmg32.exeC:\Windows\system32\Dglbmg32.exe44⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Docjne32.exeC:\Windows\system32\Docjne32.exe45⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Dabfjp32.exeC:\Windows\system32\Dabfjp32.exe46⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Dpdfemkm.exeC:\Windows\system32\Dpdfemkm.exe47⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Dhlogjko.exeC:\Windows\system32\Dhlogjko.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Dgoobg32.exeC:\Windows\system32\Dgoobg32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Dadcppbp.exeC:\Windows\system32\Dadcppbp.exe50⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Dcepgh32.exeC:\Windows\system32\Dcepgh32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Dkmghe32.exeC:\Windows\system32\Dkmghe32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Enkdda32.exeC:\Windows\system32\Enkdda32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Epipql32.exeC:\Windows\system32\Epipql32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Egchmfnd.exeC:\Windows\system32\Egchmfnd.exe55⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Effhic32.exeC:\Windows\system32\Effhic32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Eplmflde.exeC:\Windows\system32\Eplmflde.exe58⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Egeecf32.exeC:\Windows\system32\Egeecf32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Windows\SysWOW64\Ejdaoa32.exeC:\Windows\system32\Ejdaoa32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Ehgaknbp.exeC:\Windows\system32\Ehgaknbp.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Eqnillbb.exeC:\Windows\system32\Eqnillbb.exe62⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Eoajgh32.exeC:\Windows\system32\Eoajgh32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Efkbdbai.exeC:\Windows\system32\Efkbdbai.exe64⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Ehinpnpm.exeC:\Windows\system32\Ehinpnpm.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Elejqm32.exeC:\Windows\system32\Elejqm32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Eocfmh32.exeC:\Windows\system32\Eocfmh32.exe67⤵PID:1004
-
C:\Windows\SysWOW64\Ebabicfn.exeC:\Windows\system32\Ebabicfn.exe68⤵PID:2020
-
C:\Windows\SysWOW64\Emggflfc.exeC:\Windows\system32\Emggflfc.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Ekjgbi32.exeC:\Windows\system32\Ekjgbi32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Ebdoocdk.exeC:\Windows\system32\Ebdoocdk.exe71⤵PID:2796
-
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe72⤵PID:2236
-
C:\Windows\SysWOW64\Fdblkoco.exeC:\Windows\system32\Fdblkoco.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Fkldgi32.exeC:\Windows\system32\Fkldgi32.exe74⤵PID:1692
-
C:\Windows\SysWOW64\Fohphgce.exeC:\Windows\system32\Fohphgce.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012 -
C:\Windows\SysWOW64\Fnkpcd32.exeC:\Windows\system32\Fnkpcd32.exe76⤵PID:540
-
C:\Windows\SysWOW64\Fipdqmje.exeC:\Windows\system32\Fipdqmje.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Fgcdlj32.exeC:\Windows\system32\Fgcdlj32.exe78⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Fnmmidhm.exeC:\Windows\system32\Fnmmidhm.exe79⤵
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Fqkieogp.exeC:\Windows\system32\Fqkieogp.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Fcjeakfd.exeC:\Windows\system32\Fcjeakfd.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Fkambhgf.exeC:\Windows\system32\Fkambhgf.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Fjdnne32.exeC:\Windows\system32\Fjdnne32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Fqnfkoen.exeC:\Windows\system32\Fqnfkoen.exe84⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Fjfjcdln.exeC:\Windows\system32\Fjfjcdln.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe87⤵PID:2708
-
C:\Windows\SysWOW64\Fpcblkje.exeC:\Windows\system32\Fpcblkje.exe88⤵
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Fgjkmijh.exeC:\Windows\system32\Fgjkmijh.exe89⤵PID:1392
-
C:\Windows\SysWOW64\Fikgda32.exeC:\Windows\system32\Fikgda32.exe90⤵PID:796
-
C:\Windows\SysWOW64\Gpeoakhc.exeC:\Windows\system32\Gpeoakhc.exe91⤵PID:2868
-
C:\Windows\SysWOW64\Gcakbjpl.exeC:\Windows\system32\Gcakbjpl.exe92⤵PID:3028
-
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe93⤵PID:1696
-
C:\Windows\SysWOW64\Gllpflng.exeC:\Windows\system32\Gllpflng.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Gphlgk32.exeC:\Windows\system32\Gphlgk32.exe95⤵PID:2388
-
C:\Windows\SysWOW64\Gbfhcf32.exeC:\Windows\system32\Gbfhcf32.exe96⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Geddoa32.exeC:\Windows\system32\Geddoa32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Gmlmpo32.exeC:\Windows\system32\Gmlmpo32.exe98⤵
- System Location Discovery: System Language Discovery
PID:1220 -
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Gbheif32.exeC:\Windows\system32\Gbheif32.exe100⤵PID:2240
-
C:\Windows\SysWOW64\Gibmep32.exeC:\Windows\system32\Gibmep32.exe101⤵
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Glaiak32.exeC:\Windows\system32\Glaiak32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Gplebjbk.exeC:\Windows\system32\Gplebjbk.exe103⤵PID:1728
-
C:\Windows\SysWOW64\Gbkaneao.exeC:\Windows\system32\Gbkaneao.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Giejkp32.exeC:\Windows\system32\Giejkp32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1916 -
C:\Windows\SysWOW64\Glcfgk32.exeC:\Windows\system32\Glcfgk32.exe106⤵PID:2120
-
C:\Windows\SysWOW64\Gjffbhnj.exeC:\Windows\system32\Gjffbhnj.exe107⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Gbmoceol.exeC:\Windows\system32\Gbmoceol.exe108⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Gdnkkmej.exeC:\Windows\system32\Gdnkkmej.exe109⤵PID:620
-
C:\Windows\SysWOW64\Hhjgll32.exeC:\Windows\system32\Hhjgll32.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Hndoifdp.exeC:\Windows\system32\Hndoifdp.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Habkeacd.exeC:\Windows\system32\Habkeacd.exe112⤵PID:2656
-
C:\Windows\SysWOW64\Hdqhambg.exeC:\Windows\system32\Hdqhambg.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Hnflnfbm.exeC:\Windows\system32\Hnflnfbm.exe114⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Hadhjaaa.exeC:\Windows\system32\Hadhjaaa.exe115⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Hpghfn32.exeC:\Windows\system32\Hpghfn32.exe116⤵PID:3004
-
C:\Windows\SysWOW64\Hhopgkin.exeC:\Windows\system32\Hhopgkin.exe117⤵PID:2380
-
C:\Windows\SysWOW64\Hjmmcgha.exeC:\Windows\system32\Hjmmcgha.exe118⤵
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Hagepa32.exeC:\Windows\system32\Hagepa32.exe119⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Hjoiiffo.exeC:\Windows\system32\Hjoiiffo.exe121⤵PID:2816
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-