Analysis
-
max time kernel
110s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
09/09/2024, 11:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
046665e8e68626cb96007f5ef5ce4fe0N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
046665e8e68626cb96007f5ef5ce4fe0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
046665e8e68626cb96007f5ef5ce4fe0N.exe
-
Size
400KB
-
MD5
046665e8e68626cb96007f5ef5ce4fe0
-
SHA1
6058e000d705fcac9789b022c04dd7d9e4ea722e
-
SHA256
7843fb171a00e21e8a35f605c706a84ee9f899dfae022d5e317ace1b8a87ae2f
-
SHA512
2f90482b812e1deb0c34e9ef7cd0c4cc5c5c52fa0ed6d0534668ee7516126ba0376303b098cdf4552e179e483314f4165f4e8a42930437e1832309818a7c4874
-
SSDEEP
12288:Q+aOdpGvH6IveDVqvQ6IvYvc6IveDVqvQ/:xpGq5h3q5h/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeokdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnjipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kebgea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glongpao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lejppj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhjngnod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjndca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlijan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiekkdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddbfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgmak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Galfpgpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iflhjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmomelml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmada32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kleeqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkqbhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakcan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpcghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepeep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgnflmia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohkhjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faljqcmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpndkel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnbccia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fabppo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giakoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlnghj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgeel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqdaal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnecjgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apbblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkgchckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jollgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdnjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdhigo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkiemqdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcqoqeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnfbcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbajci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmeffp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnakege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpfagd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eekpknlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lebcdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnppei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmhmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobehpok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmppm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnjeoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpedmhfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dieiap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdpjgjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjlaod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keekeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmobpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qahlpkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elpnmhgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgpea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aabfqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgemgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckdcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hccbnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjifpdib.exe -
Executes dropped EXE 64 IoCs
pid Process 2088 Mfdjpo32.exe 2248 Mkqbhf32.exe 2840 Mbkkepio.exe 3020 Nndhpqma.exe 2312 Nqdaal32.exe 2648 Nnhakp32.exe 2168 Njobpa32.exe 2200 Nplkhh32.exe 2480 Ncjcnfcn.exe 2348 Nfhpjaba.exe 1872 Opcaiggo.exe 2976 Oepianef.exe 996 Ohqbbi32.exe 908 Obffpa32.exe 2252 Oakcan32.exe 2380 Pfhlie32.exe 2068 Ppqqbjkm.exe 1560 Papmlmbp.exe 1992 Pljnmkoo.exe 1620 Pdqfnhpa.exe 2196 Pbcfie32.exe 2808 Pmijgn32.exe 1584 Pfaopc32.exe 2488 Pipklo32.exe 1556 Qlnghj32.exe 1644 Qeglqpaj.exe 2828 Qhehmkqn.exe 2284 Qbkljd32.exe 2980 Ahgdbk32.exe 2920 Amdmkb32.exe 2732 Akhndf32.exe 2668 Anfjpa32.exe 1196 Aabfqp32.exe 2560 Aimkeb32.exe 2328 Aadbfp32.exe 592 Akmgoehg.exe 2372 Achlch32.exe 1056 Aefhpc32.exe 1036 Bgfdjfkh.exe 2148 Bjdqfajl.exe 2424 Bpnibl32.exe 1312 Bapejd32.exe 1108 Bhjngnod.exe 1968 Blejgm32.exe 1864 Bcobdgoj.exe 3068 Bfnnpbnn.exe 2112 Bhljlnma.exe 1712 Bofbih32.exe 1636 Bfpkfb32.exe 2768 Bhngbm32.exe 2744 Bohoogbk.exe 2960 Bhqdgm32.exe 2588 Bgcdcjpf.exe 2204 Cnmlpd32.exe 2156 Cqlhlo32.exe 2324 Ccjehkek.exe 2868 Cnpieceq.exe 1360 Cmbiap32.exe 1588 Cdjabn32.exe 3048 Cghmni32.exe 2468 Cjfjjd32.exe 944 Cmeffp32.exe 1976 Cgjjdijo.exe 2576 Cjifpdib.exe -
Loads dropped DLL 64 IoCs
pid Process 588 046665e8e68626cb96007f5ef5ce4fe0N.exe 588 046665e8e68626cb96007f5ef5ce4fe0N.exe 2088 Mfdjpo32.exe 2088 Mfdjpo32.exe 2248 Mkqbhf32.exe 2248 Mkqbhf32.exe 2840 Mbkkepio.exe 2840 Mbkkepio.exe 3020 Nndhpqma.exe 3020 Nndhpqma.exe 2312 Nqdaal32.exe 2312 Nqdaal32.exe 2648 Nnhakp32.exe 2648 Nnhakp32.exe 2168 Njobpa32.exe 2168 Njobpa32.exe 2200 Nplkhh32.exe 2200 Nplkhh32.exe 2480 Ncjcnfcn.exe 2480 Ncjcnfcn.exe 2348 Nfhpjaba.exe 2348 Nfhpjaba.exe 1872 Opcaiggo.exe 1872 Opcaiggo.exe 2976 Oepianef.exe 2976 Oepianef.exe 996 Ohqbbi32.exe 996 Ohqbbi32.exe 908 Obffpa32.exe 908 Obffpa32.exe 2252 Oakcan32.exe 2252 Oakcan32.exe 2380 Pfhlie32.exe 2380 Pfhlie32.exe 2068 Ppqqbjkm.exe 2068 Ppqqbjkm.exe 1560 Papmlmbp.exe 1560 Papmlmbp.exe 1992 Pljnmkoo.exe 1992 Pljnmkoo.exe 1620 Pdqfnhpa.exe 1620 Pdqfnhpa.exe 2196 Pbcfie32.exe 2196 Pbcfie32.exe 2808 Pmijgn32.exe 2808 Pmijgn32.exe 1584 Pfaopc32.exe 1584 Pfaopc32.exe 2488 Pipklo32.exe 2488 Pipklo32.exe 1556 Qlnghj32.exe 1556 Qlnghj32.exe 1644 Qeglqpaj.exe 1644 Qeglqpaj.exe 2828 Qhehmkqn.exe 2828 Qhehmkqn.exe 2284 Qbkljd32.exe 2284 Qbkljd32.exe 2980 Ahgdbk32.exe 2980 Ahgdbk32.exe 2920 Amdmkb32.exe 2920 Amdmkb32.exe 2732 Akhndf32.exe 2732 Akhndf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ledpjdid.exe Lbfdnijp.exe File created C:\Windows\SysWOW64\Okipcb32.dll Gjpakdbl.exe File created C:\Windows\SysWOW64\Galfpgpg.exe Gomjckqc.exe File opened for modification C:\Windows\SysWOW64\Hmlmacfn.exe Hjnaehgj.exe File opened for modification C:\Windows\SysWOW64\Aihjpman.exe Akejdp32.exe File created C:\Windows\SysWOW64\Ippbkjgn.dll Eeameodq.exe File created C:\Windows\SysWOW64\Aljcblpk.dll Jigmeagl.exe File opened for modification C:\Windows\SysWOW64\Deimaa32.exe Dnpedghl.exe File created C:\Windows\SysWOW64\Iqgaenpf.dll Hgkknm32.exe File created C:\Windows\SysWOW64\Ilaikehi.dll Ngkfnp32.exe File created C:\Windows\SysWOW64\Hnmcne32.exe Hkngbj32.exe File created C:\Windows\SysWOW64\Joaebkni.exe Jigmeagl.exe File created C:\Windows\SysWOW64\Nhfpbaoe.dll Kakdpb32.exe File created C:\Windows\SysWOW64\Dlicoiod.dll Qhehmkqn.exe File created C:\Windows\SysWOW64\Hibgakob.dll Fdhigo32.exe File created C:\Windows\SysWOW64\Qoobod32.dll Mjeholco.exe File created C:\Windows\SysWOW64\Dcgmgh32.exe Dqiakm32.exe File created C:\Windows\SysWOW64\Ejeknelp.exe Eckcak32.exe File created C:\Windows\SysWOW64\Eedmheda.dll Qfganb32.exe File created C:\Windows\SysWOW64\Dqiakm32.exe Dbfaopqo.exe File created C:\Windows\SysWOW64\Beoanjep.dll Faopib32.exe File opened for modification C:\Windows\SysWOW64\Cohlnkeg.exe Cklpml32.exe File created C:\Windows\SysWOW64\Iefbpdca.dll Hdailaib.exe File created C:\Windows\SysWOW64\Mjhlmifm.dll Knkbimbg.exe File opened for modification C:\Windows\SysWOW64\Lckdcn32.exe Lpmhgc32.exe File created C:\Windows\SysWOW64\Ojgado32.exe Odjikh32.exe File created C:\Windows\SysWOW64\Gaaicjed.dll Idnako32.exe File opened for modification C:\Windows\SysWOW64\Elleai32.exe Eeameodq.exe File created C:\Windows\SysWOW64\Eekpknlf.exe Enagnc32.exe File opened for modification C:\Windows\SysWOW64\Fooghg32.exe Flpkll32.exe File opened for modification C:\Windows\SysWOW64\Bofbih32.exe Bhljlnma.exe File opened for modification C:\Windows\SysWOW64\Pbcooo32.exe Phmkaf32.exe File created C:\Windows\SysWOW64\Ahqedfmd.dll Qfedhb32.exe File opened for modification C:\Windows\SysWOW64\Aahhoo32.exe Abehcbci.exe File created C:\Windows\SysWOW64\Dqpgll32.exe Dihojnqo.exe File created C:\Windows\SysWOW64\Mfmffpjl.dll Jollgl32.exe File created C:\Windows\SysWOW64\Gepeep32.exe Glgqlkdl.exe File created C:\Windows\SysWOW64\Kcgdgnmc.exe Kplhfo32.exe File created C:\Windows\SysWOW64\Kalkjh32.exe Kononm32.exe File created C:\Windows\SysWOW64\Mhaobd32.exe Mahgejhf.exe File created C:\Windows\SysWOW64\Oahpahel.exe Oiahpkdj.exe File opened for modification C:\Windows\SysWOW64\Pmamliin.exe Pblinp32.exe File created C:\Windows\SysWOW64\Fmjgnb32.dll Cbagdq32.exe File created C:\Windows\SysWOW64\Encjfc32.dll Kiojqfdp.exe File opened for modification C:\Windows\SysWOW64\Bkefcc32.exe Bgijbede.exe File opened for modification C:\Windows\SysWOW64\Ledpjdid.exe Lbfdnijp.exe File created C:\Windows\SysWOW64\Nnhakp32.exe Nqdaal32.exe File created C:\Windows\SysWOW64\Jnbbgfli.dll Eigbfb32.exe File created C:\Windows\SysWOW64\Nqalkike.dll Ebpgoh32.exe File created C:\Windows\SysWOW64\Jfnaok32.exe Jbbenlof.exe File created C:\Windows\SysWOW64\Bigngdee.dll Jecnpg32.exe File created C:\Windows\SysWOW64\Pbcooo32.exe Phmkaf32.exe File created C:\Windows\SysWOW64\Bdpgai32.exe Bjjcdp32.exe File created C:\Windows\SysWOW64\Ilgdco32.dll Cgcmiclk.exe File created C:\Windows\SysWOW64\Ghndbeeo.dll Dnmhogjo.exe File created C:\Windows\SysWOW64\Ehopnk32.exe Eaegaaah.exe File opened for modification C:\Windows\SysWOW64\Hkdkhl32.exe Galfpgpg.exe File created C:\Windows\SysWOW64\Kgqffm32.dll Iecaad32.exe File created C:\Windows\SysWOW64\Mdajff32.exe Mcpmonea.exe File created C:\Windows\SysWOW64\Hldpfnij.exe Hnapja32.exe File created C:\Windows\SysWOW64\Hccbnhla.exe Hlijan32.exe File created C:\Windows\SysWOW64\Idmkjp32.dll Lllkaobc.exe File created C:\Windows\SysWOW64\Lbfdnijp.exe Lojhmjag.exe File created C:\Windows\SysWOW64\Hnfdjdpm.dll Elleai32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4632 6084 WerFault.exe 536 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfdmogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdcom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diklpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmbbkij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mllhpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnakege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmelfeqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aihjpman.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnjipn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkojcgga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjeoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfhmhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmomelml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqdaal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfigdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgefmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnealbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbbjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabkla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgqlkdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Minldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmldj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmjha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjikh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmppm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjopnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkoojip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmbfhfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enokidgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohqbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfagd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgogfmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djaedbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laenqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnmhajo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imifpagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcfie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpkaai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chickknc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhficcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giakoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobehpok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdohdfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkneb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kceganoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngdadoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkigbef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpnmhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbilmop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jollgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fholmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmamliin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgijbede.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bncboo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dopkai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohoogbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiafff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmplqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joaebkni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lakqoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofohkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejppj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkklflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohjnf32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpkaai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkahbkgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pljnmkoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkdoii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdailaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booganog.dll" Iiekkdjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kehgkgha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckebbgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmbqj32.dll" Ckilmfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbickmoq.dll" Eckcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikfdmogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocdohdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnodmpll.dll" Oahpahel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pembpkfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgcmiclk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qifnkg32.dll" Jpdibapb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjddkg32.dll" Laenqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opcaiggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aledbn32.dll" Ohqbbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dippfplg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpccgppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmojfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilicbg32.dll" Hjkneb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qeglqpaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngkfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpcgm32.dll" Fdefgimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obfblk32.dll" Jgnflmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeoapde.dll" Kfccmini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgfdjfkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfeljlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckilmfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnjeoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epinhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Febmfcjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmklad32.dll" Bgijbede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcgmgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfdjpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqcpfcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbcpo32.dll" Lhnckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadbfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcdcjpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiekkdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giakoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjmqekgm.dll" Oepianef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqddlfbf.dll" Klmfmacc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Legcjjjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlleon32.dll" Dopkai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lindbn32.dll" Ebemnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglmdppi.dll" Dnmada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngllhqkp.dll" Ejpipf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfiofefm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbgbjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnhljnhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfmceomm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Likbpceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmnepnb.dll" Lheilofe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nplkhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chidkl32.dll" Bhjngnod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofhgafa.dll" Gpfpmonn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmgekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jffddfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kccmfg32.dll" Bfpkfb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 588 wrote to memory of 2088 588 046665e8e68626cb96007f5ef5ce4fe0N.exe 29 PID 588 wrote to memory of 2088 588 046665e8e68626cb96007f5ef5ce4fe0N.exe 29 PID 588 wrote to memory of 2088 588 046665e8e68626cb96007f5ef5ce4fe0N.exe 29 PID 588 wrote to memory of 2088 588 046665e8e68626cb96007f5ef5ce4fe0N.exe 29 PID 2088 wrote to memory of 2248 2088 Mfdjpo32.exe 30 PID 2088 wrote to memory of 2248 2088 Mfdjpo32.exe 30 PID 2088 wrote to memory of 2248 2088 Mfdjpo32.exe 30 PID 2088 wrote to memory of 2248 2088 Mfdjpo32.exe 30 PID 2248 wrote to memory of 2840 2248 Mkqbhf32.exe 31 PID 2248 wrote to memory of 2840 2248 Mkqbhf32.exe 31 PID 2248 wrote to memory of 2840 2248 Mkqbhf32.exe 31 PID 2248 wrote to memory of 2840 2248 Mkqbhf32.exe 31 PID 2840 wrote to memory of 3020 2840 Mbkkepio.exe 32 PID 2840 wrote to memory of 3020 2840 Mbkkepio.exe 32 PID 2840 wrote to memory of 3020 2840 Mbkkepio.exe 32 PID 2840 wrote to memory of 3020 2840 Mbkkepio.exe 32 PID 3020 wrote to memory of 2312 3020 Nndhpqma.exe 33 PID 3020 wrote to memory of 2312 3020 Nndhpqma.exe 33 PID 3020 wrote to memory of 2312 3020 Nndhpqma.exe 33 PID 3020 wrote to memory of 2312 3020 Nndhpqma.exe 33 PID 2312 wrote to memory of 2648 2312 Nqdaal32.exe 34 PID 2312 wrote to memory of 2648 2312 Nqdaal32.exe 34 PID 2312 wrote to memory of 2648 2312 Nqdaal32.exe 34 PID 2312 wrote to memory of 2648 2312 Nqdaal32.exe 34 PID 2648 wrote to memory of 2168 2648 Nnhakp32.exe 35 PID 2648 wrote to memory of 2168 2648 Nnhakp32.exe 35 PID 2648 wrote to memory of 2168 2648 Nnhakp32.exe 35 PID 2648 wrote to memory of 2168 2648 Nnhakp32.exe 35 PID 2168 wrote to memory of 2200 2168 Njobpa32.exe 36 PID 2168 wrote to memory of 2200 2168 Njobpa32.exe 36 PID 2168 wrote to memory of 2200 2168 Njobpa32.exe 36 PID 2168 wrote to memory of 2200 2168 Njobpa32.exe 36 PID 2200 wrote to memory of 2480 2200 Nplkhh32.exe 37 PID 2200 wrote to memory of 2480 2200 Nplkhh32.exe 37 PID 2200 wrote to memory of 2480 2200 Nplkhh32.exe 37 PID 2200 wrote to memory of 2480 2200 Nplkhh32.exe 37 PID 2480 wrote to memory of 2348 2480 Ncjcnfcn.exe 38 PID 2480 wrote to memory of 2348 2480 Ncjcnfcn.exe 38 PID 2480 wrote to memory of 2348 2480 Ncjcnfcn.exe 38 PID 2480 wrote to memory of 2348 2480 Ncjcnfcn.exe 38 PID 2348 wrote to memory of 1872 2348 Nfhpjaba.exe 39 PID 2348 wrote to memory of 1872 2348 Nfhpjaba.exe 39 PID 2348 wrote to memory of 1872 2348 Nfhpjaba.exe 39 PID 2348 wrote to memory of 1872 2348 Nfhpjaba.exe 39 PID 1872 wrote to memory of 2976 1872 Opcaiggo.exe 40 PID 1872 wrote to memory of 2976 1872 Opcaiggo.exe 40 PID 1872 wrote to memory of 2976 1872 Opcaiggo.exe 40 PID 1872 wrote to memory of 2976 1872 Opcaiggo.exe 40 PID 2976 wrote to memory of 996 2976 Oepianef.exe 41 PID 2976 wrote to memory of 996 2976 Oepianef.exe 41 PID 2976 wrote to memory of 996 2976 Oepianef.exe 41 PID 2976 wrote to memory of 996 2976 Oepianef.exe 41 PID 996 wrote to memory of 908 996 Ohqbbi32.exe 42 PID 996 wrote to memory of 908 996 Ohqbbi32.exe 42 PID 996 wrote to memory of 908 996 Ohqbbi32.exe 42 PID 996 wrote to memory of 908 996 Ohqbbi32.exe 42 PID 908 wrote to memory of 2252 908 Obffpa32.exe 43 PID 908 wrote to memory of 2252 908 Obffpa32.exe 43 PID 908 wrote to memory of 2252 908 Obffpa32.exe 43 PID 908 wrote to memory of 2252 908 Obffpa32.exe 43 PID 2252 wrote to memory of 2380 2252 Oakcan32.exe 44 PID 2252 wrote to memory of 2380 2252 Oakcan32.exe 44 PID 2252 wrote to memory of 2380 2252 Oakcan32.exe 44 PID 2252 wrote to memory of 2380 2252 Oakcan32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\046665e8e68626cb96007f5ef5ce4fe0N.exe"C:\Users\Admin\AppData\Local\Temp\046665e8e68626cb96007f5ef5ce4fe0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Mfdjpo32.exeC:\Windows\system32\Mfdjpo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Mkqbhf32.exeC:\Windows\system32\Mkqbhf32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Mbkkepio.exeC:\Windows\system32\Mbkkepio.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Nndhpqma.exeC:\Windows\system32\Nndhpqma.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Nqdaal32.exeC:\Windows\system32\Nqdaal32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Nnhakp32.exeC:\Windows\system32\Nnhakp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Njobpa32.exeC:\Windows\system32\Njobpa32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Nplkhh32.exeC:\Windows\system32\Nplkhh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Ncjcnfcn.exeC:\Windows\system32\Ncjcnfcn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Nfhpjaba.exeC:\Windows\system32\Nfhpjaba.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Oepianef.exeC:\Windows\system32\Oepianef.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Ohqbbi32.exeC:\Windows\system32\Ohqbbi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Ppqqbjkm.exeC:\Windows\system32\Ppqqbjkm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Papmlmbp.exeC:\Windows\system32\Papmlmbp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Pljnmkoo.exeC:\Windows\system32\Pljnmkoo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Pdqfnhpa.exeC:\Windows\system32\Pdqfnhpa.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Pbcfie32.exeC:\Windows\system32\Pbcfie32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\Pmijgn32.exeC:\Windows\system32\Pmijgn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Pfaopc32.exeC:\Windows\system32\Pfaopc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Pipklo32.exeC:\Windows\system32\Pipklo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Qlnghj32.exeC:\Windows\system32\Qlnghj32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Qhehmkqn.exeC:\Windows\system32\Qhehmkqn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Qbkljd32.exeC:\Windows\system32\Qbkljd32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Ahgdbk32.exeC:\Windows\system32\Ahgdbk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Akhndf32.exeC:\Windows\system32\Akhndf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Anfjpa32.exeC:\Windows\system32\Anfjpa32.exe33⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Aabfqp32.exeC:\Windows\system32\Aabfqp32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Aimkeb32.exeC:\Windows\system32\Aimkeb32.exe35⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Aadbfp32.exeC:\Windows\system32\Aadbfp32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe37⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe38⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Aefhpc32.exeC:\Windows\system32\Aefhpc32.exe39⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Bjdqfajl.exeC:\Windows\system32\Bjdqfajl.exe41⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Bpnibl32.exeC:\Windows\system32\Bpnibl32.exe42⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Bapejd32.exeC:\Windows\system32\Bapejd32.exe43⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Bhjngnod.exeC:\Windows\system32\Bhjngnod.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Blejgm32.exeC:\Windows\system32\Blejgm32.exe45⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Bcobdgoj.exeC:\Windows\system32\Bcobdgoj.exe46⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe47⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Bhljlnma.exeC:\Windows\system32\Bhljlnma.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Bofbih32.exeC:\Windows\system32\Bofbih32.exe49⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Bfpkfb32.exeC:\Windows\system32\Bfpkfb32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Bhngbm32.exeC:\Windows\system32\Bhngbm32.exe51⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Bohoogbk.exeC:\Windows\system32\Bohoogbk.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Bhqdgm32.exeC:\Windows\system32\Bhqdgm32.exe53⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Bgcdcjpf.exeC:\Windows\system32\Bgcdcjpf.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Cnmlpd32.exeC:\Windows\system32\Cnmlpd32.exe55⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Cqlhlo32.exeC:\Windows\system32\Cqlhlo32.exe56⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Ccjehkek.exeC:\Windows\system32\Ccjehkek.exe57⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe58⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Cmbiap32.exeC:\Windows\system32\Cmbiap32.exe59⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Cdjabn32.exeC:\Windows\system32\Cdjabn32.exe60⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Cghmni32.exeC:\Windows\system32\Cghmni32.exe61⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Cjfjjd32.exeC:\Windows\system32\Cjfjjd32.exe62⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Cmeffp32.exeC:\Windows\system32\Cmeffp32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Cgjjdijo.exeC:\Windows\system32\Cgjjdijo.exe64⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Cjifpdib.exeC:\Windows\system32\Cjifpdib.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Cofohkgi.exeC:\Windows\system32\Cofohkgi.exe66⤵
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Ccakij32.exeC:\Windows\system32\Ccakij32.exe67⤵PID:1680
-
C:\Windows\SysWOW64\Cklpml32.exeC:\Windows\system32\Cklpml32.exe68⤵
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Cohlnkeg.exeC:\Windows\system32\Cohlnkeg.exe69⤵PID:2320
-
C:\Windows\SysWOW64\Cbfhjfdk.exeC:\Windows\system32\Cbfhjfdk.exe70⤵PID:2820
-
C:\Windows\SysWOW64\Dippfplg.exeC:\Windows\system32\Dippfplg.exe71⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Dnmhogjo.exeC:\Windows\system32\Dnmhogjo.exe72⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Dfdqpdja.exeC:\Windows\system32\Dfdqpdja.exe73⤵PID:2084
-
C:\Windows\SysWOW64\Dgemgm32.exeC:\Windows\system32\Dgemgm32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Dnpedghl.exeC:\Windows\system32\Dnpedghl.exe75⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Deimaa32.exeC:\Windows\system32\Deimaa32.exe76⤵PID:2332
-
C:\Windows\SysWOW64\Dieiap32.exeC:\Windows\system32\Dieiap32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Dnbbjf32.exeC:\Windows\system32\Dnbbjf32.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Dbmnjenb.exeC:\Windows\system32\Dbmnjenb.exe79⤵PID:1740
-
C:\Windows\SysWOW64\Dapnfb32.exeC:\Windows\system32\Dapnfb32.exe80⤵PID:1028
-
C:\Windows\SysWOW64\Dgjfbllj.exeC:\Windows\system32\Dgjfbllj.exe81⤵PID:2228
-
C:\Windows\SysWOW64\Dndoof32.exeC:\Windows\system32\Dndoof32.exe82⤵PID:1892
-
C:\Windows\SysWOW64\Dabkla32.exeC:\Windows\system32\Dabkla32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Denglpkc.exeC:\Windows\system32\Denglpkc.exe84⤵PID:1472
-
C:\Windows\SysWOW64\Dcaghm32.exeC:\Windows\system32\Dcaghm32.exe85⤵PID:1596
-
C:\Windows\SysWOW64\Dfpcdh32.exeC:\Windows\system32\Dfpcdh32.exe86⤵PID:876
-
C:\Windows\SysWOW64\Eaegaaah.exeC:\Windows\system32\Eaegaaah.exe87⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Ehopnk32.exeC:\Windows\system32\Ehopnk32.exe88⤵PID:2692
-
C:\Windows\SysWOW64\Ejmljg32.exeC:\Windows\system32\Ejmljg32.exe89⤵PID:2188
-
C:\Windows\SysWOW64\Eagdgaoe.exeC:\Windows\system32\Eagdgaoe.exe90⤵PID:1628
-
C:\Windows\SysWOW64\Edfqclni.exeC:\Windows\system32\Edfqclni.exe91⤵PID:1632
-
C:\Windows\SysWOW64\Ejpipf32.exeC:\Windows\system32\Ejpipf32.exe92⤵
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Emnelbdi.exeC:\Windows\system32\Emnelbdi.exe93⤵PID:408
-
C:\Windows\SysWOW64\Edhmhl32.exeC:\Windows\system32\Edhmhl32.exe94⤵PID:2316
-
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe95⤵PID:1792
-
C:\Windows\SysWOW64\Eiefqc32.exeC:\Windows\system32\Eiefqc32.exe96⤵PID:1676
-
C:\Windows\SysWOW64\Eponmmaj.exeC:\Windows\system32\Eponmmaj.exe97⤵PID:2280
-
C:\Windows\SysWOW64\Eigbfb32.exeC:\Windows\system32\Eigbfb32.exe98⤵
- Drops file in System32 directory
PID:992 -
C:\Windows\SysWOW64\Epakcm32.exeC:\Windows\system32\Epakcm32.exe99⤵PID:1600
-
C:\Windows\SysWOW64\Ebpgoh32.exeC:\Windows\system32\Ebpgoh32.exe100⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Eenckc32.exeC:\Windows\system32\Eenckc32.exe101⤵PID:1592
-
C:\Windows\SysWOW64\Fpcghl32.exeC:\Windows\system32\Fpcghl32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Fbbcdh32.exeC:\Windows\system32\Fbbcdh32.exe103⤵PID:1308
-
C:\Windows\SysWOW64\Fholmo32.exeC:\Windows\system32\Fholmo32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Fljhmmci.exeC:\Windows\system32\Fljhmmci.exe105⤵PID:2956
-
C:\Windows\SysWOW64\Fbdpjgjf.exeC:\Windows\system32\Fbdpjgjf.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2508 -
C:\Windows\SysWOW64\Febmfcjj.exeC:\Windows\system32\Febmfcjj.exe107⤵
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Fdemap32.exeC:\Windows\system32\Fdemap32.exe108⤵PID:1804
-
C:\Windows\SysWOW64\Fokaoh32.exeC:\Windows\system32\Fokaoh32.exe109⤵PID:2104
-
C:\Windows\SysWOW64\Fmnakege.exeC:\Windows\system32\Fmnakege.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Fdhigo32.exeC:\Windows\system32\Fdhigo32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Fomndhng.exeC:\Windows\system32\Fomndhng.exe112⤵PID:1464
-
C:\Windows\SysWOW64\Faljqcmk.exeC:\Windows\system32\Faljqcmk.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Fhfbmn32.exeC:\Windows\system32\Fhfbmn32.exe114⤵PID:2848
-
C:\Windows\SysWOW64\Fkdoii32.exeC:\Windows\system32\Fkdoii32.exe115⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Gdmcbojl.exeC:\Windows\system32\Gdmcbojl.exe116⤵PID:1304
-
C:\Windows\SysWOW64\Ggkoojip.exeC:\Windows\system32\Ggkoojip.exe117⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Gpccgppq.exeC:\Windows\system32\Gpccgppq.exe118⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Gdophn32.exeC:\Windows\system32\Gdophn32.exe119⤵PID:1924
-
C:\Windows\SysWOW64\Ggmldj32.exeC:\Windows\system32\Ggmldj32.exe120⤵
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Gngdadoj.exeC:\Windows\system32\Gngdadoj.exe121⤵
- System Location Discovery: System Language Discovery
PID:1752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-