Analysis
-
max time kernel
112s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/09/2024, 19:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b771ff4c651b6845e9d70fcd33e21900N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b771ff4c651b6845e9d70fcd33e21900N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b771ff4c651b6845e9d70fcd33e21900N.exe
-
Size
96KB
-
MD5
b771ff4c651b6845e9d70fcd33e21900
-
SHA1
224649cf5ed66480efcd685abe9d39af656445c3
-
SHA256
f9132020c88e5ce789b75e523ea42c941e31bf0d9da0e2023757340ac593e5e2
-
SHA512
951379913e536af9713c45c4f0975817c8db1a08acdcf5fc443da6adbc5dc944cb5659f05396ec2744a30db6de9e438f5bbafd040fbd0effe37233f5ad1e09ff
-
SSDEEP
1536:j3AG8KdCh8If9lEQi0EkYY/2L2aIZTJ+7LhkiB0MPiKeEAgH:rAGB4O+rjEKE2aMU7uihJ5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhjldiln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbeeliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbglgcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhmhpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdibpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgapo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eogckqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjhfkqdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jficbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giafmfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filnjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjdkap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbbmlbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glkinb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbiokdam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgdcjjom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emogdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmdehgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blkoocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inbobn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfkphnmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgaljk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngikaijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okbgkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmicnhob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jojaje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apbeeppo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcoal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Impblnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpiadq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdlmnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmndbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgkkdnkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elmmhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhmki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpqoofhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jficbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kniaap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncplfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcigjolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdnicemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coejfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhqmogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opllclcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojijha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbpegdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkihfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnlobhne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gadkmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofnok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gadkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhhhjhkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnoacdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egchocif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqklhh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impblnna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkphnmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llojpghe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgkkdnkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkgdmbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbbbld32.exe -
Executes dropped EXE 64 IoCs
pid Process 2336 Dhaboi32.exe 2972 Domgache.exe 2744 Ddjpjj32.exe 2824 Dcaiqfib.exe 2628 Ejnnbpol.exe 2648 Emogdk32.exe 2652 Emadjj32.exe 1028 Endmgb32.exe 2184 Flhnqf32.exe 2856 Filnjk32.exe 2784 Fjpggb32.exe 1556 Gbpegdik.exe 2344 Gbbbld32.exe 2228 Gmhfjm32.exe 576 Gbglgcbc.exe 2388 Hhhmki32.exe 764 Hpcbol32.exe 1512 Hacoio32.exe 1696 Hddgkj32.exe 2172 Igdqmeke.exe 1636 Iaqnbb32.exe 1384 Idagdm32.exe 484 Injlmcib.exe 344 Jbgdcapi.exe 268 Jnnehb32.exe 1528 Jmcbio32.exe 2704 Jmfoon32.exe 2988 Kcbcah32.exe 2620 Kmjhjndm.exe 2732 Kefmnp32.exe 3064 Knqnmeff.exe 2488 Lafpipoa.exe 2948 Ljnebe32.exe 2376 Ldgikklb.exe 2692 Licbca32.exe 2024 Lejbhbpn.exe 1544 Laacmc32.exe 1712 Mkihfi32.exe 1372 Mhmhpm32.exe 2368 Mafmhcam.exe 2484 Mknaahhn.exe 736 Mhbakmgg.exe 1728 Mmojcceo.exe 1644 Mdibpn32.exe 1540 Miekhd32.exe 3032 Ngikaijm.exe 2232 Nlfdjphd.exe 2040 Ncplfj32.exe 2200 Nliqoofa.exe 2536 Nimaic32.exe 2544 Nknmplji.exe 2808 Nhbnjpic.exe 2872 Najbbepc.exe 2636 Okbgkk32.exe 2104 Oamohenq.exe 2084 Ojhdmgkl.exe 1444 Oaolne32.exe 1388 Onelbfab.exe 440 Ocbekmpi.exe 2568 Onhihepp.exe 1752 Ogpnakfp.exe 2264 Oqibjq32.exe 3012 Pfekbg32.exe 2404 Ponokmah.exe -
Loads dropped DLL 64 IoCs
pid Process 1976 b771ff4c651b6845e9d70fcd33e21900N.exe 1976 b771ff4c651b6845e9d70fcd33e21900N.exe 2336 Dhaboi32.exe 2336 Dhaboi32.exe 2972 Domgache.exe 2972 Domgache.exe 2744 Ddjpjj32.exe 2744 Ddjpjj32.exe 2824 Dcaiqfib.exe 2824 Dcaiqfib.exe 2628 Ejnnbpol.exe 2628 Ejnnbpol.exe 2648 Emogdk32.exe 2648 Emogdk32.exe 2652 Emadjj32.exe 2652 Emadjj32.exe 1028 Endmgb32.exe 1028 Endmgb32.exe 2184 Flhnqf32.exe 2184 Flhnqf32.exe 2856 Filnjk32.exe 2856 Filnjk32.exe 2784 Fjpggb32.exe 2784 Fjpggb32.exe 1556 Gbpegdik.exe 1556 Gbpegdik.exe 2344 Gbbbld32.exe 2344 Gbbbld32.exe 2228 Gmhfjm32.exe 2228 Gmhfjm32.exe 576 Gbglgcbc.exe 576 Gbglgcbc.exe 2388 Hhhmki32.exe 2388 Hhhmki32.exe 764 Hpcbol32.exe 764 Hpcbol32.exe 1512 Hacoio32.exe 1512 Hacoio32.exe 1696 Hddgkj32.exe 1696 Hddgkj32.exe 2172 Igdqmeke.exe 2172 Igdqmeke.exe 1636 Iaqnbb32.exe 1636 Iaqnbb32.exe 1384 Idagdm32.exe 1384 Idagdm32.exe 484 Injlmcib.exe 484 Injlmcib.exe 344 Jbgdcapi.exe 344 Jbgdcapi.exe 268 Jnnehb32.exe 268 Jnnehb32.exe 1528 Jmcbio32.exe 1528 Jmcbio32.exe 2704 Jmfoon32.exe 2704 Jmfoon32.exe 2988 Kcbcah32.exe 2988 Kcbcah32.exe 2620 Kmjhjndm.exe 2620 Kmjhjndm.exe 2732 Kefmnp32.exe 2732 Kefmnp32.exe 3064 Knqnmeff.exe 3064 Knqnmeff.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jmfoon32.exe Jmcbio32.exe File created C:\Windows\SysWOW64\Chkbjc32.exe Ckgapo32.exe File created C:\Windows\SysWOW64\Pagdkl32.dll Lfpebq32.exe File opened for modification C:\Windows\SysWOW64\Mbiokdam.exe Mcoioi32.exe File opened for modification C:\Windows\SysWOW64\Pdkgcd32.exe Ponokmah.exe File created C:\Windows\SysWOW64\Efoobkej.exe Ekjjebed.exe File created C:\Windows\SysWOW64\Opllclcb.exe Ndekok32.exe File created C:\Windows\SysWOW64\Ihgcof32.exe Inbobn32.exe File created C:\Windows\SysWOW64\Kfklgape.exe Kjdkap32.exe File created C:\Windows\SysWOW64\Chahin32.exe Cbdpag32.exe File created C:\Windows\SysWOW64\Nfajlg32.dll Bmaaha32.exe File created C:\Windows\SysWOW64\Gjingc32.dll Ljnebe32.exe File created C:\Windows\SysWOW64\Ejnhel32.dll Mmojcceo.exe File created C:\Windows\SysWOW64\Fndfmljk.exe Ecnbpcje.exe File created C:\Windows\SysWOW64\Infhmmhi.exe Indkgm32.exe File created C:\Windows\SysWOW64\Hddgkj32.exe Hacoio32.exe File opened for modification C:\Windows\SysWOW64\Mdibpn32.exe Mmojcceo.exe File created C:\Windows\SysWOW64\Aaegha32.exe Abpjgekf.exe File created C:\Windows\SysWOW64\Hhhmki32.exe Gbglgcbc.exe File created C:\Windows\SysWOW64\Kcfgobbh.dll Qcgkeonp.exe File created C:\Windows\SysWOW64\Iabjgoga.dll Apbeeppo.exe File created C:\Windows\SysWOW64\Bkdmogal.dll Cmkkhfmn.exe File opened for modification C:\Windows\SysWOW64\Mcoioi32.exe Mmepboin.exe File created C:\Windows\SysWOW64\Oikhfd32.dll Dgkkdnkb.exe File opened for modification C:\Windows\SysWOW64\Bdiciboh.exe Anlkakqa.exe File created C:\Windows\SysWOW64\Daocjoig.dll Kjdkap32.exe File created C:\Windows\SysWOW64\Bhiiepcl.exe Bmdehgcf.exe File opened for modification C:\Windows\SysWOW64\Cdnicemo.exe Ckeekp32.exe File created C:\Windows\SysWOW64\Hdoklgbo.dll Gbmbgngb.exe File created C:\Windows\SysWOW64\Fbeeliin.exe Fgpqnpjh.exe File created C:\Windows\SysWOW64\Nioqmpcf.dll Pqodho32.exe File opened for modification C:\Windows\SysWOW64\Ajnlqgfo.exe Aaegha32.exe File opened for modification C:\Windows\SysWOW64\Oaolne32.exe Ojhdmgkl.exe File opened for modification C:\Windows\SysWOW64\Eqklhh32.exe Egchocif.exe File created C:\Windows\SysWOW64\Oeakle32.dll Hfjglppd.exe File created C:\Windows\SysWOW64\Oekaab32.exe Olclimif.exe File created C:\Windows\SysWOW64\Jggafj32.dll Oeidlc32.exe File created C:\Windows\SysWOW64\Qjnoacdc.exe Qcdgei32.exe File opened for modification C:\Windows\SysWOW64\Jnnehb32.exe Jbgdcapi.exe File created C:\Windows\SysWOW64\Hdegpplg.dll Bgablmfa.exe File created C:\Windows\SysWOW64\Knjfogkd.dll Eogckqkk.exe File created C:\Windows\SysWOW64\Haiagm32.exe Hhqmogam.exe File created C:\Windows\SysWOW64\Ekkppkpf.exe Epflbbpp.exe File created C:\Windows\SysWOW64\Mhjnniic.dll Mlacdj32.exe File opened for modification C:\Windows\SysWOW64\Bbbckh32.exe Blhkon32.exe File created C:\Windows\SysWOW64\Amnqghdd.dll Jnnehb32.exe File opened for modification C:\Windows\SysWOW64\Egchocif.exe Eogckqkk.exe File created C:\Windows\SysWOW64\Gaghcjhd.exe Gnhlgoia.exe File opened for modification C:\Windows\SysWOW64\Infhmmhi.exe Indkgm32.exe File created C:\Windows\SysWOW64\Jlckoh32.exe Jficbn32.exe File created C:\Windows\SysWOW64\Leiabnbn.dll Llojpghe.exe File created C:\Windows\SysWOW64\Pemdic32.exe Pdkgcd32.exe File created C:\Windows\SysWOW64\Gbpegdik.exe Fjpggb32.exe File created C:\Windows\SysWOW64\Qjofljho.exe Pjlifjjb.exe File opened for modification C:\Windows\SysWOW64\Ecnbpcje.exe Emdjbi32.exe File created C:\Windows\SysWOW64\Oepjmbka.exe Olhfdl32.exe File created C:\Windows\SysWOW64\Kmggfmjg.dll Coejfn32.exe File opened for modification C:\Windows\SysWOW64\Fnoiqpqk.exe Fibqhibd.exe File opened for modification C:\Windows\SysWOW64\Hhqmogam.exe Hohhfbkl.exe File opened for modification C:\Windows\SysWOW64\Indkgm32.exe Ihgcof32.exe File created C:\Windows\SysWOW64\Jjbbmmih.exe Jhbfcj32.exe File created C:\Windows\SysWOW64\Mnokki32.dll Hfhjfp32.exe File opened for modification C:\Windows\SysWOW64\Qbidffao.exe Qjnoacdc.exe File opened for modification C:\Windows\SysWOW64\Gbbbld32.exe Gbpegdik.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3116 4092 WerFault.exe 291 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mknaahhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbakmgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqibjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjaiaolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfpflenm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dechlfkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjgpqjqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emogdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlifjjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgapo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdjbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbibla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqmobelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcaiqfib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcbol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnnehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcqoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdcinjpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koogdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnkemgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjpggb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkinb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emadjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgcec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebmaoed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnkkjgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdohme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b771ff4c651b6845e9d70fcd33e21900N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbbbld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnlobhne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlbanfbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhjfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpmij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjpjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdefdjnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jficbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmojcceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbdif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbbmmih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkladpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqnmeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogckqkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcmkamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgkkdnkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdibpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impblnna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepjmbka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbidffao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dopfpkng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaolne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnbpcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhojjjhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olhfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgpqnpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfoon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgcof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkgdmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclejclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caligc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmhjm32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} b771ff4c651b6845e9d70fcd33e21900N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncplfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcnkemgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ponokmah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkkek32.dll" Pemdic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojijha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpcbol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqibjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfnebhe.dll" Hlgodgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhqmogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbeolkhp.dll" Epflbbpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehbdif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpmgid32.dll" Nipgab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpdhiaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddjpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlqmjc32.dll" Emadjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdcjhkpn.dll" Paihgboc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjpipkgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igdqmeke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgablmfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbkjc32.dll" Bmdehgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebljh32.dll" Fcqoec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jojaje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdpmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjeedio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojbhk32.dll" Bbbckh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbdpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dechlfkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emogdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomcgf32.dll" Flhnqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjbbmmih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kefmnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iebmaoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbkgjqib.dll" Ejnnbpol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idagdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baannfim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlgodgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlahl32.dll" Pfnjfepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbkmki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node b771ff4c651b6845e9d70fcd33e21900N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Licbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikmdack.dll" Nliqoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehbdif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haiagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnleo32.dll" Hepdml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koogdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjgpqjqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbcoi32.dll" Bbkmki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elmmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dljdcqek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Endmgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmfoon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icemeqoi.dll" Pfekbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcgkeonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplcgkk.dll" Ajnlqgfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnmnbiph.dll" Ecfednma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgibpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfjmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbaipg32.dll" Eclejclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkeabg32.dll" Amalcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcoioi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfnjfepp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbbbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnppohp.dll" Cbdpag32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1976 wrote to memory of 2336 1976 b771ff4c651b6845e9d70fcd33e21900N.exe 29 PID 1976 wrote to memory of 2336 1976 b771ff4c651b6845e9d70fcd33e21900N.exe 29 PID 1976 wrote to memory of 2336 1976 b771ff4c651b6845e9d70fcd33e21900N.exe 29 PID 1976 wrote to memory of 2336 1976 b771ff4c651b6845e9d70fcd33e21900N.exe 29 PID 2336 wrote to memory of 2972 2336 Dhaboi32.exe 30 PID 2336 wrote to memory of 2972 2336 Dhaboi32.exe 30 PID 2336 wrote to memory of 2972 2336 Dhaboi32.exe 30 PID 2336 wrote to memory of 2972 2336 Dhaboi32.exe 30 PID 2972 wrote to memory of 2744 2972 Domgache.exe 31 PID 2972 wrote to memory of 2744 2972 Domgache.exe 31 PID 2972 wrote to memory of 2744 2972 Domgache.exe 31 PID 2972 wrote to memory of 2744 2972 Domgache.exe 31 PID 2744 wrote to memory of 2824 2744 Ddjpjj32.exe 32 PID 2744 wrote to memory of 2824 2744 Ddjpjj32.exe 32 PID 2744 wrote to memory of 2824 2744 Ddjpjj32.exe 32 PID 2744 wrote to memory of 2824 2744 Ddjpjj32.exe 32 PID 2824 wrote to memory of 2628 2824 Dcaiqfib.exe 33 PID 2824 wrote to memory of 2628 2824 Dcaiqfib.exe 33 PID 2824 wrote to memory of 2628 2824 Dcaiqfib.exe 33 PID 2824 wrote to memory of 2628 2824 Dcaiqfib.exe 33 PID 2628 wrote to memory of 2648 2628 Ejnnbpol.exe 34 PID 2628 wrote to memory of 2648 2628 Ejnnbpol.exe 34 PID 2628 wrote to memory of 2648 2628 Ejnnbpol.exe 34 PID 2628 wrote to memory of 2648 2628 Ejnnbpol.exe 34 PID 2648 wrote to memory of 2652 2648 Emogdk32.exe 35 PID 2648 wrote to memory of 2652 2648 Emogdk32.exe 35 PID 2648 wrote to memory of 2652 2648 Emogdk32.exe 35 PID 2648 wrote to memory of 2652 2648 Emogdk32.exe 35 PID 2652 wrote to memory of 1028 2652 Emadjj32.exe 36 PID 2652 wrote to memory of 1028 2652 Emadjj32.exe 36 PID 2652 wrote to memory of 1028 2652 Emadjj32.exe 36 PID 2652 wrote to memory of 1028 2652 Emadjj32.exe 36 PID 1028 wrote to memory of 2184 1028 Endmgb32.exe 37 PID 1028 wrote to memory of 2184 1028 Endmgb32.exe 37 PID 1028 wrote to memory of 2184 1028 Endmgb32.exe 37 PID 1028 wrote to memory of 2184 1028 Endmgb32.exe 37 PID 2184 wrote to memory of 2856 2184 Flhnqf32.exe 38 PID 2184 wrote to memory of 2856 2184 Flhnqf32.exe 38 PID 2184 wrote to memory of 2856 2184 Flhnqf32.exe 38 PID 2184 wrote to memory of 2856 2184 Flhnqf32.exe 38 PID 2856 wrote to memory of 2784 2856 Filnjk32.exe 39 PID 2856 wrote to memory of 2784 2856 Filnjk32.exe 39 PID 2856 wrote to memory of 2784 2856 Filnjk32.exe 39 PID 2856 wrote to memory of 2784 2856 Filnjk32.exe 39 PID 2784 wrote to memory of 1556 2784 Fjpggb32.exe 40 PID 2784 wrote to memory of 1556 2784 Fjpggb32.exe 40 PID 2784 wrote to memory of 1556 2784 Fjpggb32.exe 40 PID 2784 wrote to memory of 1556 2784 Fjpggb32.exe 40 PID 1556 wrote to memory of 2344 1556 Gbpegdik.exe 41 PID 1556 wrote to memory of 2344 1556 Gbpegdik.exe 41 PID 1556 wrote to memory of 2344 1556 Gbpegdik.exe 41 PID 1556 wrote to memory of 2344 1556 Gbpegdik.exe 41 PID 2344 wrote to memory of 2228 2344 Gbbbld32.exe 42 PID 2344 wrote to memory of 2228 2344 Gbbbld32.exe 42 PID 2344 wrote to memory of 2228 2344 Gbbbld32.exe 42 PID 2344 wrote to memory of 2228 2344 Gbbbld32.exe 42 PID 2228 wrote to memory of 576 2228 Gmhfjm32.exe 43 PID 2228 wrote to memory of 576 2228 Gmhfjm32.exe 43 PID 2228 wrote to memory of 576 2228 Gmhfjm32.exe 43 PID 2228 wrote to memory of 576 2228 Gmhfjm32.exe 43 PID 576 wrote to memory of 2388 576 Gbglgcbc.exe 44 PID 576 wrote to memory of 2388 576 Gbglgcbc.exe 44 PID 576 wrote to memory of 2388 576 Gbglgcbc.exe 44 PID 576 wrote to memory of 2388 576 Gbglgcbc.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\b771ff4c651b6845e9d70fcd33e21900N.exe"C:\Users\Admin\AppData\Local\Temp\b771ff4c651b6845e9d70fcd33e21900N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Dhaboi32.exeC:\Windows\system32\Dhaboi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Domgache.exeC:\Windows\system32\Domgache.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ddjpjj32.exeC:\Windows\system32\Ddjpjj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Dcaiqfib.exeC:\Windows\system32\Dcaiqfib.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Ejnnbpol.exeC:\Windows\system32\Ejnnbpol.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Emogdk32.exeC:\Windows\system32\Emogdk32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Emadjj32.exeC:\Windows\system32\Emadjj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Endmgb32.exeC:\Windows\system32\Endmgb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Flhnqf32.exeC:\Windows\system32\Flhnqf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Filnjk32.exeC:\Windows\system32\Filnjk32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Fjpggb32.exeC:\Windows\system32\Fjpggb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Gbpegdik.exeC:\Windows\system32\Gbpegdik.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Gbbbld32.exeC:\Windows\system32\Gbbbld32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Gmhfjm32.exeC:\Windows\system32\Gmhfjm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Gbglgcbc.exeC:\Windows\system32\Gbglgcbc.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Hhhmki32.exeC:\Windows\system32\Hhhmki32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Hpcbol32.exeC:\Windows\system32\Hpcbol32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Hacoio32.exeC:\Windows\system32\Hacoio32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Hddgkj32.exeC:\Windows\system32\Hddgkj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Igdqmeke.exeC:\Windows\system32\Igdqmeke.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Iaqnbb32.exeC:\Windows\system32\Iaqnbb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Idagdm32.exeC:\Windows\system32\Idagdm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Injlmcib.exeC:\Windows\system32\Injlmcib.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:484 -
C:\Windows\SysWOW64\Jbgdcapi.exeC:\Windows\system32\Jbgdcapi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:344 -
C:\Windows\SysWOW64\Jnnehb32.exeC:\Windows\system32\Jnnehb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:268 -
C:\Windows\SysWOW64\Jmcbio32.exeC:\Windows\system32\Jmcbio32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Jmfoon32.exeC:\Windows\system32\Jmfoon32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Kcbcah32.exeC:\Windows\system32\Kcbcah32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Kmjhjndm.exeC:\Windows\system32\Kmjhjndm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Kefmnp32.exeC:\Windows\system32\Kefmnp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Lafpipoa.exeC:\Windows\system32\Lafpipoa.exe33⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Ljnebe32.exeC:\Windows\system32\Ljnebe32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Ldgikklb.exeC:\Windows\system32\Ldgikklb.exe35⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Licbca32.exeC:\Windows\system32\Licbca32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe37⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Laacmc32.exeC:\Windows\system32\Laacmc32.exe38⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Mkihfi32.exeC:\Windows\system32\Mkihfi32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Mhmhpm32.exeC:\Windows\system32\Mhmhpm32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Mafmhcam.exeC:\Windows\system32\Mafmhcam.exe41⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Mknaahhn.exeC:\Windows\system32\Mknaahhn.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Mhbakmgg.exeC:\Windows\system32\Mhbakmgg.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:736 -
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Mdibpn32.exeC:\Windows\system32\Mdibpn32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Miekhd32.exeC:\Windows\system32\Miekhd32.exe46⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Ngikaijm.exeC:\Windows\system32\Ngikaijm.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Nlfdjphd.exeC:\Windows\system32\Nlfdjphd.exe48⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ncplfj32.exeC:\Windows\system32\Ncplfj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Nimaic32.exeC:\Windows\system32\Nimaic32.exe51⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Nknmplji.exeC:\Windows\system32\Nknmplji.exe52⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Nhbnjpic.exeC:\Windows\system32\Nhbnjpic.exe53⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe54⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Okbgkk32.exeC:\Windows\system32\Okbgkk32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Oamohenq.exeC:\Windows\system32\Oamohenq.exe56⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Ojhdmgkl.exeC:\Windows\system32\Ojhdmgkl.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Oaolne32.exeC:\Windows\system32\Oaolne32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Windows\SysWOW64\Onelbfab.exeC:\Windows\system32\Onelbfab.exe59⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Ocbekmpi.exeC:\Windows\system32\Ocbekmpi.exe60⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Onhihepp.exeC:\Windows\system32\Onhihepp.exe61⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Ogpnakfp.exeC:\Windows\system32\Ogpnakfp.exe62⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Oqibjq32.exeC:\Windows\system32\Oqibjq32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Pfekbg32.exeC:\Windows\system32\Pfekbg32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Ponokmah.exeC:\Windows\system32\Ponokmah.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Pdkgcd32.exeC:\Windows\system32\Pdkgcd32.exe66⤵
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Pemdic32.exeC:\Windows\system32\Pemdic32.exe67⤵
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Pneiaidn.exeC:\Windows\system32\Pneiaidn.exe68⤵PID:956
-
C:\Windows\SysWOW64\Pjlifjjb.exeC:\Windows\system32\Pjlifjjb.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Qjofljho.exeC:\Windows\system32\Qjofljho.exe70⤵PID:2396
-
C:\Windows\SysWOW64\Qcgkeonp.exeC:\Windows\system32\Qcgkeonp.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Qnlobhne.exeC:\Windows\system32\Qnlobhne.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:784 -
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Amalcd32.exeC:\Windows\system32\Amalcd32.exe74⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Ajelmiag.exeC:\Windows\system32\Ajelmiag.exe75⤵PID:2816
-
C:\Windows\SysWOW64\Apbeeppo.exeC:\Windows\system32\Apbeeppo.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe77⤵PID:2576
-
C:\Windows\SysWOW64\Angafl32.exeC:\Windows\system32\Angafl32.exe78⤵PID:2924
-
C:\Windows\SysWOW64\Allbpqcp.exeC:\Windows\system32\Allbpqcp.exe79⤵PID:2864
-
C:\Windows\SysWOW64\Aipbidbj.exeC:\Windows\system32\Aipbidbj.exe80⤵PID:2492
-
C:\Windows\SysWOW64\Anlkakqa.exeC:\Windows\system32\Anlkakqa.exe81⤵
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Bdiciboh.exeC:\Windows\system32\Bdiciboh.exe82⤵PID:2240
-
C:\Windows\SysWOW64\Bmahbhei.exeC:\Windows\system32\Bmahbhei.exe83⤵PID:2252
-
C:\Windows\SysWOW64\Bfjmkn32.exeC:\Windows\system32\Bfjmkn32.exe84⤵
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Bmdehgcf.exeC:\Windows\system32\Bmdehgcf.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Bhiiepcl.exeC:\Windows\system32\Bhiiepcl.exe86⤵PID:1360
-
C:\Windows\SysWOW64\Baannfim.exeC:\Windows\system32\Baannfim.exe87⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Bfoffmhd.exeC:\Windows\system32\Bfoffmhd.exe88⤵PID:3028
-
C:\Windows\SysWOW64\Blkoocfl.exeC:\Windows\system32\Blkoocfl.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Bgablmfa.exeC:\Windows\system32\Bgablmfa.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Cmkkhfmn.exeC:\Windows\system32\Cmkkhfmn.exe91⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Cgcoal32.exeC:\Windows\system32\Cgcoal32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Ccjpfmic.exeC:\Windows\system32\Ccjpfmic.exe93⤵PID:1660
-
C:\Windows\SysWOW64\Ckeekp32.exeC:\Windows\system32\Ckeekp32.exe94⤵
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\Cdnicemo.exeC:\Windows\system32\Cdnicemo.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Ckgapo32.exeC:\Windows\system32\Ckgapo32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Chkbjc32.exeC:\Windows\system32\Chkbjc32.exe97⤵PID:2836
-
C:\Windows\SysWOW64\Coejfn32.exeC:\Windows\system32\Coejfn32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Dhnoocab.exeC:\Windows\system32\Dhnoocab.exe99⤵PID:2276
-
C:\Windows\SysWOW64\Dlbanfbo.exeC:\Windows\system32\Dlbanfbo.exe100⤵
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Dppiddie.exeC:\Windows\system32\Dppiddie.exe101⤵PID:752
-
C:\Windows\SysWOW64\Ekjjebed.exeC:\Windows\system32\Ekjjebed.exe102⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Efoobkej.exeC:\Windows\system32\Efoobkej.exe103⤵PID:2284
-
C:\Windows\SysWOW64\Eogckqkk.exeC:\Windows\system32\Eogckqkk.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:824 -
C:\Windows\SysWOW64\Egchocif.exeC:\Windows\system32\Egchocif.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Eqklhh32.exeC:\Windows\system32\Eqklhh32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Ehbdif32.exeC:\Windows\system32\Ehbdif32.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Ejcaanfg.exeC:\Windows\system32\Ejcaanfg.exe108⤵PID:2092
-
C:\Windows\SysWOW64\Eclejclg.exeC:\Windows\system32\Eclejclg.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Ekcmkamj.exeC:\Windows\system32\Ekcmkamj.exe110⤵
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Emdjbi32.exeC:\Windows\system32\Emdjbi32.exe111⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Ecnbpcje.exeC:\Windows\system32\Ecnbpcje.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Fndfmljk.exeC:\Windows\system32\Fndfmljk.exe113⤵PID:1952
-
C:\Windows\SysWOW64\Fcqoec32.exeC:\Windows\system32\Fcqoec32.exe114⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Fmicnhob.exeC:\Windows\system32\Fmicnhob.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Fbflfomj.exeC:\Windows\system32\Fbflfomj.exe116⤵PID:1032
-
C:\Windows\SysWOW64\Flnpoe32.exeC:\Windows\system32\Flnpoe32.exe117⤵PID:884
-
C:\Windows\SysWOW64\Fbhhlo32.exeC:\Windows\system32\Fbhhlo32.exe118⤵PID:900
-
C:\Windows\SysWOW64\Fibqhibd.exeC:\Windows\system32\Fibqhibd.exe119⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Fnoiqpqk.exeC:\Windows\system32\Fnoiqpqk.exe120⤵PID:2804
-
C:\Windows\SysWOW64\Fpnekc32.exeC:\Windows\system32\Fpnekc32.exe121⤵PID:2572
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-