Analysis
-
max time kernel
114s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
08-09-2024 13:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe
-
Size
64KB
-
MD5
06d5ef3a1fd4e6f7b2b8efc79f7291d0
-
SHA1
d94a9b02f68fc7d2d5dd3b23bd118271165c57ae
-
SHA256
8610e83cdd12f4833297ede426f7b524342d67ef27234d87461cf9739c565bc5
-
SHA512
24e558de7feab7b6480403127aee9fac020f82a7f992d77b2879ac1e11f359d3c5ac96bea5e38c900e0ef7a02a2a373b644e61f888c187e645f928c9c4211cea
-
SSDEEP
1536:cssq1hGOOoB2JJgDvZ9LNqSmCuFwl82LYrDWBi:RsqnGOf3DrBqW6wfY2Bi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnagijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikkfilp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcignoki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efdmohmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioochn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfdmogp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klocba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblmom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoqfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgbiggof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepeep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmecm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iijdfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldangbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnafjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfffk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkolblkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohoogbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eenckc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glongpao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njlopkmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akejdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agchdfmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Febmfcjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphmbolk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnimeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpkkbcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebcqicem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgemgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfkdik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cobkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhjdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fljhmmci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpmhdqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcedbefd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Almmlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhmhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hopgikop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogpmcmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blklfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfhjjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djffihmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjbjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maejpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kejdqffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnefiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjndca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmfhqmge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enjand32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiojqfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkbadifn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmamliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjpdphd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkbgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpieli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpedmhfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dippfplg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjchfaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddmkkpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfqbol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffcbce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaffja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioochn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmjbphod.exe -
Executes dropped EXE 64 IoCs
pid Process 2692 Adekhkng.exe 2300 Agchdfmk.exe 2812 Aefhpc32.exe 2728 Aefhpc32.exe 2804 Bgfdjfkh.exe 2608 Bjdqfajl.exe 3044 Bpnibl32.exe 1136 Bfkakbpp.exe 1772 Blejgm32.exe 1668 Bcobdgoj.exe 2856 Bdpnlo32.exe 1328 Blgfml32.exe 1584 Bnicddki.exe 1932 Bdbkaoce.exe 2004 Bhngbm32.exe 2204 Bohoogbk.exe 2992 Bhqdgm32.exe 236 Bgcdcjpf.exe 1228 Cbihpbpl.exe 1540 Ccjehkek.exe 1560 Cjdmee32.exe 924 Cqneaodd.exe 1372 Ccmanjch.exe 1276 Cfknjfbl.exe 876 Cmeffp32.exe 2064 Cqqbgoba.exe 2644 Cconcjae.exe 2872 Cjifpdib.exe 2604 Cmgblphf.exe 2444 Cofohkgi.exe 2940 Cjkcedgp.exe 1952 Cincaq32.exe 1124 Dfbdje32.exe 828 Dippfplg.exe 2320 Dkolblkk.exe 2904 Dnmhogjo.exe 1156 Dfdqpdja.exe 1072 Degqka32.exe 2440 Dgemgm32.exe 2292 Dkaihkih.exe 3004 Dnpedghl.exe 884 Dbkaee32.exe 2432 Danaqbgp.exe 1248 Dieiap32.exe 1700 Dlcfnk32.exe 2468 Djffihmp.exe 2212 Dnbbjf32.exe 2324 Dapnfb32.exe 2816 Deljfqmf.exe 2936 Dgjfbllj.exe 2656 Dlfbck32.exe 2740 Dmgokcja.exe 2792 Denglpkc.exe 2188 Dcaghm32.exe 1892 Dhmchljg.exe 1576 Dfpcdh32.exe 2924 Dnfkefad.exe 1340 Emilqb32.exe 2592 Ephhmn32.exe 2200 Ehopnk32.exe 912 Efbpihoo.exe 1748 Ejmljg32.exe 2976 Emlhfb32.exe 1724 Epjdbn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2528 06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe 2528 06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe 2692 Adekhkng.exe 2692 Adekhkng.exe 2300 Agchdfmk.exe 2300 Agchdfmk.exe 2812 Aefhpc32.exe 2812 Aefhpc32.exe 2728 Aefhpc32.exe 2728 Aefhpc32.exe 2804 Bgfdjfkh.exe 2804 Bgfdjfkh.exe 2608 Bjdqfajl.exe 2608 Bjdqfajl.exe 3044 Bpnibl32.exe 3044 Bpnibl32.exe 1136 Bfkakbpp.exe 1136 Bfkakbpp.exe 1772 Blejgm32.exe 1772 Blejgm32.exe 1668 Bcobdgoj.exe 1668 Bcobdgoj.exe 2856 Bdpnlo32.exe 2856 Bdpnlo32.exe 1328 Blgfml32.exe 1328 Blgfml32.exe 1584 Bnicddki.exe 1584 Bnicddki.exe 1932 Bdbkaoce.exe 1932 Bdbkaoce.exe 2004 Bhngbm32.exe 2004 Bhngbm32.exe 2204 Bohoogbk.exe 2204 Bohoogbk.exe 2992 Bhqdgm32.exe 2992 Bhqdgm32.exe 236 Bgcdcjpf.exe 236 Bgcdcjpf.exe 1228 Cbihpbpl.exe 1228 Cbihpbpl.exe 1540 Ccjehkek.exe 1540 Ccjehkek.exe 1560 Cjdmee32.exe 1560 Cjdmee32.exe 924 Cqneaodd.exe 924 Cqneaodd.exe 1372 Ccmanjch.exe 1372 Ccmanjch.exe 1276 Cfknjfbl.exe 1276 Cfknjfbl.exe 876 Cmeffp32.exe 876 Cmeffp32.exe 2064 Cqqbgoba.exe 2064 Cqqbgoba.exe 2644 Cconcjae.exe 2644 Cconcjae.exe 2872 Cjifpdib.exe 2872 Cjifpdib.exe 2604 Cmgblphf.exe 2604 Cmgblphf.exe 2444 Cofohkgi.exe 2444 Cofohkgi.exe 2940 Cjkcedgp.exe 2940 Cjkcedgp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Laqadknn.exe Lobehpok.exe File created C:\Windows\SysWOW64\Mpmfdi32.dll Mknohpqj.exe File created C:\Windows\SysWOW64\Bifmdh32.dll Mkplnp32.exe File created C:\Windows\SysWOW64\Dcijmhdj.exe Ddfjak32.exe File created C:\Windows\SysWOW64\Dgemgm32.exe Degqka32.exe File opened for modification C:\Windows\SysWOW64\Fmbkfd32.exe Figoefkf.exe File created C:\Windows\SysWOW64\Nkmkgc32.exe Njlopkmg.exe File created C:\Windows\SysWOW64\Dkaihkih.exe Dgemgm32.exe File opened for modification C:\Windows\SysWOW64\Gljdlq32.exe Gngdadoj.exe File created C:\Windows\SysWOW64\Piaebfcm.dll Nmmgafjh.exe File created C:\Windows\SysWOW64\Dmaoem32.exe Dnonjqdq.exe File created C:\Windows\SysWOW64\Ccmpff32.dll Lihifhoq.exe File opened for modification C:\Windows\SysWOW64\Meafpibb.exe Maejpj32.exe File opened for modification C:\Windows\SysWOW64\Cclkcdpl.exe Copobe32.exe File created C:\Windows\SysWOW64\Efllcf32.exe Ehilgikj.exe File opened for modification C:\Windows\SysWOW64\Gphmbolk.exe Ghaeaaki.exe File created C:\Windows\SysWOW64\Ijbjpg32.exe Ifgooikk.exe File created C:\Windows\SysWOW64\Blklfk32.exe Bjlpjp32.exe File opened for modification C:\Windows\SysWOW64\Hobcok32.exe Hgkknm32.exe File opened for modification C:\Windows\SysWOW64\Bncboo32.exe Boqbcbeh.exe File opened for modification C:\Windows\SysWOW64\Bfkakbpp.exe Bpnibl32.exe File created C:\Windows\SysWOW64\Ckilmfke.exe Chkpakla.exe File created C:\Windows\SysWOW64\Bjnbiqik.dll Ghnaaljp.exe File created C:\Windows\SysWOW64\Obfoioei.dll Hkidclbb.exe File created C:\Windows\SysWOW64\Ocdohdfc.exe Opicgenj.exe File opened for modification C:\Windows\SysWOW64\Ommdqi32.exe Ojnhdn32.exe File opened for modification C:\Windows\SysWOW64\Obilip32.exe Opkpme32.exe File created C:\Windows\SysWOW64\Fabppo32.exe Fncddc32.exe File created C:\Windows\SysWOW64\Iicbdnjn.dll Dgefmf32.exe File created C:\Windows\SysWOW64\Pbanhfjd.dll Elcbmn32.exe File created C:\Windows\SysWOW64\Jecnpg32.exe Jbdadl32.exe File opened for modification C:\Windows\SysWOW64\Cnekcblk.exe Cobkhe32.exe File opened for modification C:\Windows\SysWOW64\Eckcak32.exe Eeicenni.exe File opened for modification C:\Windows\SysWOW64\Lknbjlnn.exe Lbgkhoml.exe File created C:\Windows\SysWOW64\Aefhpc32.exe Agchdfmk.exe File created C:\Windows\SysWOW64\Jmhile32.exe Jjimpj32.exe File created C:\Windows\SysWOW64\Ajmdmpmb.dll Blpibghg.exe File opened for modification C:\Windows\SysWOW64\Efifjg32.exe Eoanij32.exe File created C:\Windows\SysWOW64\Ommdqi32.exe Ojnhdn32.exe File created C:\Windows\SysWOW64\Chkmhc32.dll Aefaemqj.exe File created C:\Windows\SysWOW64\Qmffaheh.dll Cfjgopop.exe File opened for modification C:\Windows\SysWOW64\Ghnaaljp.exe Gdbeqmag.exe File created C:\Windows\SysWOW64\Bjaeambn.dll Bjdqfajl.exe File created C:\Windows\SysWOW64\Hceebpid.dll Homfboco.exe File created C:\Windows\SysWOW64\Mhmcao32.dll Kehgkgha.exe File created C:\Windows\SysWOW64\Jommmbhn.dll Ojjnioae.exe File created C:\Windows\SysWOW64\Elaego32.exe Ejpipf32.exe File opened for modification C:\Windows\SysWOW64\Edhmhl32.exe Epmahmcm.exe File created C:\Windows\SysWOW64\Qpaknfnf.dll Gdbeqmag.exe File created C:\Windows\SysWOW64\Ajclkk32.dll Cmgblphf.exe File created C:\Windows\SysWOW64\Gpjlpa32.dll Ifgooikk.exe File created C:\Windows\SysWOW64\Bimkbqpd.dll Oncndnlq.exe File created C:\Windows\SysWOW64\Jlpjpc32.dll Jjbgok32.exe File opened for modification C:\Windows\SysWOW64\Cbagdq32.exe Cnekcblk.exe File created C:\Windows\SysWOW64\Ghnaaljp.exe Gdbeqmag.exe File created C:\Windows\SysWOW64\Cmeffp32.exe Cfknjfbl.exe File created C:\Windows\SysWOW64\Eigbfb32.exe Efifjg32.exe File created C:\Windows\SysWOW64\Iefbpdca.dll Hgpeimhf.exe File opened for modification C:\Windows\SysWOW64\Dgjfbllj.exe Deljfqmf.exe File created C:\Windows\SysWOW64\Napdqm32.dll Epakcm32.exe File created C:\Windows\SysWOW64\Glajmppm.exe Gdjblboj.exe File opened for modification C:\Windows\SysWOW64\Fhgkqmph.exe Fidkep32.exe File created C:\Windows\SysWOW64\Nkgkop32.dll Bjjcdp32.exe File opened for modification C:\Windows\SysWOW64\Dqpgll32.exe Djfooa32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6396 6372 WerFault.exe 591 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoanij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikkmho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boqbcbeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fidkep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjehkek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djffihmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foacmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goemhfco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figoefkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjchfaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnjpdphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maejpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfjbdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfjme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefaemqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmceomm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjcncak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmmgobfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giikkehc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckdcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmlfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjbaooe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baakem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkiemqdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbcha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhfcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgqlkdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fljhmmci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keekeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdcom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnomfqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmada32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbadcdgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfbjjjci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kejdqffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebpgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodnmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbfcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjgopop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjifpdib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emilqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkplnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onggom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phphgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobkhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fillabde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmhij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efllcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjfbllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpieli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqajqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cconcjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laenqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdophn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdmahpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnjipn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbffj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmchljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcfle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmdff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgabhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffoihepa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efifjg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlfbck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfpcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldfgbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bncboo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elnagijk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmolkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lldhldpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djhldahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhgkqmph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkphmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocpfmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elaego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnlkdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmomelml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkmhc32.dll" Aefaemqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgqqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbahk32.dll" Blmikkle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apdobg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcbhmehg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjdmee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlhdm32.dll" Gmegkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Homfboco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapljd32.dll" Laenqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncpjnahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmmppm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emieflec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjknh32.dll" Eipekmjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkmkgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himgihno.dll" Gomjckqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaaeegkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Macnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdmklico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjdmee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdmqoad.dll" Fomndhng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efbpihoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epmahmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efifjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikhqbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikhqbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kalkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppedfk32.dll" Dbkaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpnifnh.dll" Denglpkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Figoefkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oblmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfplmh32.dll" Hgmhcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibjefkgd.dll" Mjcljlea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dijbqion.dll" Pnefiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdefgimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjdcdjcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkbimbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmdnmic.dll" Kbgnil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjaimek.dll" Pbnfdpge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbadcdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmdmpmb.dll" Blpibghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elaego32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gifhkpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfeiad32.dll" Cjifpdib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajclkk32.dll" Cmgblphf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlfjjpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oifelfni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ickoimie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmadecm.dll" Qajiek32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2528 wrote to memory of 2692 2528 06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe 29 PID 2528 wrote to memory of 2692 2528 06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe 29 PID 2528 wrote to memory of 2692 2528 06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe 29 PID 2528 wrote to memory of 2692 2528 06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe 29 PID 2692 wrote to memory of 2300 2692 Adekhkng.exe 30 PID 2692 wrote to memory of 2300 2692 Adekhkng.exe 30 PID 2692 wrote to memory of 2300 2692 Adekhkng.exe 30 PID 2692 wrote to memory of 2300 2692 Adekhkng.exe 30 PID 2300 wrote to memory of 2812 2300 Agchdfmk.exe 31 PID 2300 wrote to memory of 2812 2300 Agchdfmk.exe 31 PID 2300 wrote to memory of 2812 2300 Agchdfmk.exe 31 PID 2300 wrote to memory of 2812 2300 Agchdfmk.exe 31 PID 2812 wrote to memory of 2728 2812 Aefhpc32.exe 32 PID 2812 wrote to memory of 2728 2812 Aefhpc32.exe 32 PID 2812 wrote to memory of 2728 2812 Aefhpc32.exe 32 PID 2812 wrote to memory of 2728 2812 Aefhpc32.exe 32 PID 2728 wrote to memory of 2804 2728 Aefhpc32.exe 33 PID 2728 wrote to memory of 2804 2728 Aefhpc32.exe 33 PID 2728 wrote to memory of 2804 2728 Aefhpc32.exe 33 PID 2728 wrote to memory of 2804 2728 Aefhpc32.exe 33 PID 2804 wrote to memory of 2608 2804 Bgfdjfkh.exe 34 PID 2804 wrote to memory of 2608 2804 Bgfdjfkh.exe 34 PID 2804 wrote to memory of 2608 2804 Bgfdjfkh.exe 34 PID 2804 wrote to memory of 2608 2804 Bgfdjfkh.exe 34 PID 2608 wrote to memory of 3044 2608 Bjdqfajl.exe 35 PID 2608 wrote to memory of 3044 2608 Bjdqfajl.exe 35 PID 2608 wrote to memory of 3044 2608 Bjdqfajl.exe 35 PID 2608 wrote to memory of 3044 2608 Bjdqfajl.exe 35 PID 3044 wrote to memory of 1136 3044 Bpnibl32.exe 36 PID 3044 wrote to memory of 1136 3044 Bpnibl32.exe 36 PID 3044 wrote to memory of 1136 3044 Bpnibl32.exe 36 PID 3044 wrote to memory of 1136 3044 Bpnibl32.exe 36 PID 1136 wrote to memory of 1772 1136 Bfkakbpp.exe 37 PID 1136 wrote to memory of 1772 1136 Bfkakbpp.exe 37 PID 1136 wrote to memory of 1772 1136 Bfkakbpp.exe 37 PID 1136 wrote to memory of 1772 1136 Bfkakbpp.exe 37 PID 1772 wrote to memory of 1668 1772 Blejgm32.exe 38 PID 1772 wrote to memory of 1668 1772 Blejgm32.exe 38 PID 1772 wrote to memory of 1668 1772 Blejgm32.exe 38 PID 1772 wrote to memory of 1668 1772 Blejgm32.exe 38 PID 1668 wrote to memory of 2856 1668 Bcobdgoj.exe 39 PID 1668 wrote to memory of 2856 1668 Bcobdgoj.exe 39 PID 1668 wrote to memory of 2856 1668 Bcobdgoj.exe 39 PID 1668 wrote to memory of 2856 1668 Bcobdgoj.exe 39 PID 2856 wrote to memory of 1328 2856 Bdpnlo32.exe 40 PID 2856 wrote to memory of 1328 2856 Bdpnlo32.exe 40 PID 2856 wrote to memory of 1328 2856 Bdpnlo32.exe 40 PID 2856 wrote to memory of 1328 2856 Bdpnlo32.exe 40 PID 1328 wrote to memory of 1584 1328 Blgfml32.exe 41 PID 1328 wrote to memory of 1584 1328 Blgfml32.exe 41 PID 1328 wrote to memory of 1584 1328 Blgfml32.exe 41 PID 1328 wrote to memory of 1584 1328 Blgfml32.exe 41 PID 1584 wrote to memory of 1932 1584 Bnicddki.exe 42 PID 1584 wrote to memory of 1932 1584 Bnicddki.exe 42 PID 1584 wrote to memory of 1932 1584 Bnicddki.exe 42 PID 1584 wrote to memory of 1932 1584 Bnicddki.exe 42 PID 1932 wrote to memory of 2004 1932 Bdbkaoce.exe 43 PID 1932 wrote to memory of 2004 1932 Bdbkaoce.exe 43 PID 1932 wrote to memory of 2004 1932 Bdbkaoce.exe 43 PID 1932 wrote to memory of 2004 1932 Bdbkaoce.exe 43 PID 2004 wrote to memory of 2204 2004 Bhngbm32.exe 44 PID 2004 wrote to memory of 2204 2004 Bhngbm32.exe 44 PID 2004 wrote to memory of 2204 2004 Bhngbm32.exe 44 PID 2004 wrote to memory of 2204 2004 Bhngbm32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe"C:\Users\Admin\AppData\Local\Temp\06d5ef3a1fd4e6f7b2b8efc79f7291d0N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Adekhkng.exeC:\Windows\system32\Adekhkng.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Agchdfmk.exeC:\Windows\system32\Agchdfmk.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Aefhpc32.exeC:\Windows\system32\Aefhpc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Aefhpc32.exeC:\Windows\system32\Aefhpc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Bjdqfajl.exeC:\Windows\system32\Bjdqfajl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Bpnibl32.exeC:\Windows\system32\Bpnibl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Bfkakbpp.exeC:\Windows\system32\Bfkakbpp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Blejgm32.exeC:\Windows\system32\Blejgm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Bcobdgoj.exeC:\Windows\system32\Bcobdgoj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Bdpnlo32.exeC:\Windows\system32\Bdpnlo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Blgfml32.exeC:\Windows\system32\Blgfml32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Bnicddki.exeC:\Windows\system32\Bnicddki.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Bdbkaoce.exeC:\Windows\system32\Bdbkaoce.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Bhngbm32.exeC:\Windows\system32\Bhngbm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Bohoogbk.exeC:\Windows\system32\Bohoogbk.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Bhqdgm32.exeC:\Windows\system32\Bhqdgm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Bgcdcjpf.exeC:\Windows\system32\Bgcdcjpf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236 -
C:\Windows\SysWOW64\Cbihpbpl.exeC:\Windows\system32\Cbihpbpl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1228 -
C:\Windows\SysWOW64\Ccjehkek.exeC:\Windows\system32\Ccjehkek.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Cjdmee32.exeC:\Windows\system32\Cjdmee32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Cqneaodd.exeC:\Windows\system32\Cqneaodd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\Ccmanjch.exeC:\Windows\system32\Ccmanjch.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Cfknjfbl.exeC:\Windows\system32\Cfknjfbl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Cmeffp32.exeC:\Windows\system32\Cmeffp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Cconcjae.exeC:\Windows\system32\Cconcjae.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Cjifpdib.exeC:\Windows\system32\Cjifpdib.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Cmgblphf.exeC:\Windows\system32\Cmgblphf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Cofohkgi.exeC:\Windows\system32\Cofohkgi.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Cjkcedgp.exeC:\Windows\system32\Cjkcedgp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Cincaq32.exeC:\Windows\system32\Cincaq32.exe33⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Dfbdje32.exeC:\Windows\system32\Dfbdje32.exe34⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Dippfplg.exeC:\Windows\system32\Dippfplg.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Dkolblkk.exeC:\Windows\system32\Dkolblkk.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Dnmhogjo.exeC:\Windows\system32\Dnmhogjo.exe37⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Dfdqpdja.exeC:\Windows\system32\Dfdqpdja.exe38⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Degqka32.exeC:\Windows\system32\Degqka32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Dgemgm32.exeC:\Windows\system32\Dgemgm32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Dkaihkih.exeC:\Windows\system32\Dkaihkih.exe41⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Dnpedghl.exeC:\Windows\system32\Dnpedghl.exe42⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Dbkaee32.exeC:\Windows\system32\Dbkaee32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Danaqbgp.exeC:\Windows\system32\Danaqbgp.exe44⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Dieiap32.exeC:\Windows\system32\Dieiap32.exe45⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Dlcfnk32.exeC:\Windows\system32\Dlcfnk32.exe46⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Djffihmp.exeC:\Windows\system32\Djffihmp.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Dnbbjf32.exeC:\Windows\system32\Dnbbjf32.exe48⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Dapnfb32.exeC:\Windows\system32\Dapnfb32.exe49⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Deljfqmf.exeC:\Windows\system32\Deljfqmf.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Dgjfbllj.exeC:\Windows\system32\Dgjfbllj.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Dlfbck32.exeC:\Windows\system32\Dlfbck32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Dmgokcja.exeC:\Windows\system32\Dmgokcja.exe53⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Denglpkc.exeC:\Windows\system32\Denglpkc.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Dcaghm32.exeC:\Windows\system32\Dcaghm32.exe55⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Dhmchljg.exeC:\Windows\system32\Dhmchljg.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\Dfpcdh32.exeC:\Windows\system32\Dfpcdh32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Dnfkefad.exeC:\Windows\system32\Dnfkefad.exe58⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Emilqb32.exeC:\Windows\system32\Emilqb32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Windows\SysWOW64\Ephhmn32.exeC:\Windows\system32\Ephhmn32.exe60⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Ehopnk32.exeC:\Windows\system32\Ehopnk32.exe61⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Efbpihoo.exeC:\Windows\system32\Efbpihoo.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Ejmljg32.exeC:\Windows\system32\Ejmljg32.exe63⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Emlhfb32.exeC:\Windows\system32\Emlhfb32.exe64⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Epjdbn32.exeC:\Windows\system32\Epjdbn32.exe65⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Edfqclni.exeC:\Windows\system32\Edfqclni.exe66⤵PID:928
-
C:\Windows\SysWOW64\Efdmohmm.exeC:\Windows\system32\Efdmohmm.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236 -
C:\Windows\SysWOW64\Ejpipf32.exeC:\Windows\system32\Ejpipf32.exe68⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe69⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Epmahmcm.exeC:\Windows\system32\Epmahmcm.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Edhmhl32.exeC:\Windows\system32\Edhmhl32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Effidg32.exeC:\Windows\system32\Effidg32.exe72⤵PID:2060
-
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe73⤵PID:964
-
C:\Windows\SysWOW64\Emqaaabg.exeC:\Windows\system32\Emqaaabg.exe74⤵PID:2072
-
C:\Windows\SysWOW64\Elcbmn32.exeC:\Windows\system32\Elcbmn32.exe75⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Eoanij32.exeC:\Windows\system32\Eoanij32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Efifjg32.exeC:\Windows\system32\Efifjg32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Eigbfb32.exeC:\Windows\system32\Eigbfb32.exe78⤵PID:2160
-
C:\Windows\SysWOW64\Ehjbaooe.exeC:\Windows\system32\Ehjbaooe.exe79⤵
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Epakcm32.exeC:\Windows\system32\Epakcm32.exe80⤵
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Ebpgoh32.exeC:\Windows\system32\Ebpgoh32.exe81⤵
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\Eenckc32.exeC:\Windows\system32\Eenckc32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Fijolbfh.exeC:\Windows\system32\Fijolbfh.exe83⤵PID:624
-
C:\Windows\SysWOW64\Flhkhnel.exeC:\Windows\system32\Flhkhnel.exe84⤵PID:2524
-
C:\Windows\SysWOW64\Fpcghl32.exeC:\Windows\system32\Fpcghl32.exe85⤵PID:1400
-
C:\Windows\SysWOW64\Fbbcdh32.exeC:\Windows\system32\Fbbcdh32.exe86⤵PID:2760
-
C:\Windows\SysWOW64\Feppqc32.exeC:\Windows\system32\Feppqc32.exe87⤵PID:2864
-
C:\Windows\SysWOW64\Fillabde.exeC:\Windows\system32\Fillabde.exe88⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Fljhmmci.exeC:\Windows\system32\Fljhmmci.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Fkmhij32.exeC:\Windows\system32\Fkmhij32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Fbdpjgjf.exeC:\Windows\system32\Fbdpjgjf.exe91⤵PID:2012
-
C:\Windows\SysWOW64\Febmfcjj.exeC:\Windows\system32\Febmfcjj.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2096 -
C:\Windows\SysWOW64\Fdemap32.exeC:\Windows\system32\Fdemap32.exe93⤵PID:1080
-
C:\Windows\SysWOW64\Flmecm32.exeC:\Windows\system32\Flmecm32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2296 -
C:\Windows\SysWOW64\Fkpeojha.exeC:\Windows\system32\Fkpeojha.exe95⤵PID:2508
-
C:\Windows\SysWOW64\Fokaoh32.exeC:\Windows\system32\Fokaoh32.exe96⤵PID:584
-
C:\Windows\SysWOW64\Faimkd32.exeC:\Windows\system32\Faimkd32.exe97⤵PID:1624
-
C:\Windows\SysWOW64\Fdhigo32.exeC:\Windows\system32\Fdhigo32.exe98⤵PID:700
-
C:\Windows\SysWOW64\Fhcehngk.exeC:\Windows\system32\Fhcehngk.exe99⤵PID:1796
-
C:\Windows\SysWOW64\Fkbadifn.exeC:\Windows\system32\Fkbadifn.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2744 -
C:\Windows\SysWOW64\Fomndhng.exeC:\Windows\system32\Fomndhng.exe101⤵
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Fmpnpe32.exeC:\Windows\system32\Fmpnpe32.exe102⤵PID:3040
-
C:\Windows\SysWOW64\Fpojlp32.exeC:\Windows\system32\Fpojlp32.exe103⤵PID:3052
-
C:\Windows\SysWOW64\Fhfbmn32.exeC:\Windows\system32\Fhfbmn32.exe104⤵PID:640
-
C:\Windows\SysWOW64\Fgibijkb.exeC:\Windows\system32\Fgibijkb.exe105⤵PID:2700
-
C:\Windows\SysWOW64\Figoefkf.exeC:\Windows\system32\Figoefkf.exe106⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Fmbkfd32.exeC:\Windows\system32\Fmbkfd32.exe107⤵PID:2220
-
C:\Windows\SysWOW64\Fangfcki.exeC:\Windows\system32\Fangfcki.exe108⤵PID:2492
-
C:\Windows\SysWOW64\Gpagbp32.exeC:\Windows\system32\Gpagbp32.exe109⤵PID:2280
-
C:\Windows\SysWOW64\Gcocnk32.exeC:\Windows\system32\Gcocnk32.exe110⤵PID:2480
-
C:\Windows\SysWOW64\Ggkoojip.exeC:\Windows\system32\Ggkoojip.exe111⤵PID:896
-
C:\Windows\SysWOW64\Giikkehc.exeC:\Windows\system32\Giikkehc.exe112⤵
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Gmegkd32.exeC:\Windows\system32\Gmegkd32.exe113⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Glhhgahg.exeC:\Windows\system32\Glhhgahg.exe114⤵PID:2088
-
C:\Windows\SysWOW64\Gpccgppq.exeC:\Windows\system32\Gpccgppq.exe115⤵PID:1824
-
C:\Windows\SysWOW64\Gdophn32.exeC:\Windows\system32\Gdophn32.exe116⤵
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Geplpfnh.exeC:\Windows\system32\Geplpfnh.exe117⤵PID:2272
-
C:\Windows\SysWOW64\Gngdadoj.exeC:\Windows\system32\Gngdadoj.exe118⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Gljdlq32.exeC:\Windows\system32\Gljdlq32.exe119⤵PID:2008
-
C:\Windows\SysWOW64\Gohqhl32.exeC:\Windows\system32\Gohqhl32.exe120⤵PID:1640
-
C:\Windows\SysWOW64\Gcdmikma.exeC:\Windows\system32\Gcdmikma.exe121⤵PID:2836
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-