Analysis
-
max time kernel
53s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
13-09-2024 17:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fc644d185c356a3466c9cca257b2ac00N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
fc644d185c356a3466c9cca257b2ac00N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
fc644d185c356a3466c9cca257b2ac00N.exe
-
Size
59KB
-
MD5
fc644d185c356a3466c9cca257b2ac00
-
SHA1
3dc75c51ae02e47064adfbb123a2cbc7db39f310
-
SHA256
73979a2b6bbbee5ea1c383a7807e57f14dca650a038616685c3dccfea01b6151
-
SHA512
1fb5306011c1fe04e90c7cfaee4ac6406b99371f664465f84437bbfa3bb646a1f6090bd0c6655acdb1bf6fe3d6f12468b1ac59ef980d71f2c81f76ce72494fb1
-
SSDEEP
1536:Oz8Pf4O5XliDlCg2m8Eos4kIM/cAEosQU48gkIMw0YcAEosQU48gkIMw0YcAEosn:JXwDli5Eos4kIM/cAEosQU48gkIMw0YU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foojop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifdjeoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Macilmnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clbnhmjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkbgckgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjcip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqbdkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fffefjmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgjodmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aihfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonocmbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cikbhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbopmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgkii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqlebf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mikjpiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deollamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdbhge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibfajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohhmcinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oococb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmcoblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohcdhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kklkcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmhnjlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfmgelil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hllmcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgnjde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eapfagno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aciqcifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdofm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdonhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnckjddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhmcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojecajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmgelil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabhah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pciddedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enlidg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbniid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcifpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpopnejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgpgjepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neknki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajnpecbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnihdemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklddhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illbhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlgmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddliip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkjdopeh.exe -
Executes dropped EXE 64 IoCs
pid Process 1788 Pkacpihj.exe 2172 Pakllc32.exe 1572 Pggdejno.exe 2076 Pnalad32.exe 2964 Pdldnomh.exe 2696 Qgjqjjll.exe 2724 Qmgibqjc.exe 760 Qoeeolig.exe 2532 Qfonkfqd.exe 2564 Qinjgbpg.exe 1856 Qqdbiopj.exe 1636 Accnekon.exe 2460 Afajafoa.exe 2012 Amkbnp32.exe 1624 Aojojl32.exe 2556 Abhkfg32.exe 2760 Aibcba32.exe 2220 Aollokco.exe 2340 Abkhkgbb.exe 836 Aeidgbaf.exe 2452 Aidphq32.exe 2776 Aoohekal.exe 1540 Aapemc32.exe 904 Akeijlfq.exe 772 Ancefgfd.exe 792 Aababceh.exe 2268 Bnfblgca.exe 2412 Bjmbqhif.exe 2900 Bpjkiogm.exe 2668 Bjoofhgc.exe 2636 Baigca32.exe 2192 Bbjdjjdn.exe 2844 Bjallg32.exe 2680 Bmphhc32.exe 2272 Bcjqdmla.exe 2928 Bfhmqhkd.exe 300 Bigimdjh.exe 464 Bmbemb32.exe 1964 Bncaekhp.exe 1944 Cemjae32.exe 2312 Chlfnp32.exe 1828 Clgbno32.exe 2476 Cbajkiof.exe 2924 Cikbhc32.exe 1140 Cljodo32.exe 440 Cohkpj32.exe 856 Cafgle32.exe 952 Cdecha32.exe 616 Cojhejbh.exe 2264 Caidaeak.exe 1704 Ckahkk32.exe 2144 Comdkipe.exe 2164 Cakqgeoi.exe 2908 Cheido32.exe 2136 Danmmd32.exe 2700 Ddliip32.exe 2756 Dbojdmcd.exe 2544 Dgjfek32.exe 2240 Diibag32.exe 1924 Dmdnbecj.exe 1916 Dpcjnabn.exe 1632 Dbafjlaa.exe 2816 Dgmbkk32.exe 2008 Depbfhpe.exe -
Loads dropped DLL 64 IoCs
pid Process 2152 fc644d185c356a3466c9cca257b2ac00N.exe 2152 fc644d185c356a3466c9cca257b2ac00N.exe 1788 Pkacpihj.exe 1788 Pkacpihj.exe 2172 Pakllc32.exe 2172 Pakllc32.exe 1572 Pggdejno.exe 1572 Pggdejno.exe 2076 Pnalad32.exe 2076 Pnalad32.exe 2964 Pdldnomh.exe 2964 Pdldnomh.exe 2696 Qgjqjjll.exe 2696 Qgjqjjll.exe 2724 Qmgibqjc.exe 2724 Qmgibqjc.exe 760 Qoeeolig.exe 760 Qoeeolig.exe 2532 Qfonkfqd.exe 2532 Qfonkfqd.exe 2564 Qinjgbpg.exe 2564 Qinjgbpg.exe 1856 Qqdbiopj.exe 1856 Qqdbiopj.exe 1636 Accnekon.exe 1636 Accnekon.exe 2460 Afajafoa.exe 2460 Afajafoa.exe 2012 Amkbnp32.exe 2012 Amkbnp32.exe 1624 Aojojl32.exe 1624 Aojojl32.exe 2556 Abhkfg32.exe 2556 Abhkfg32.exe 2760 Aibcba32.exe 2760 Aibcba32.exe 2220 Aollokco.exe 2220 Aollokco.exe 2340 Abkhkgbb.exe 2340 Abkhkgbb.exe 836 Aeidgbaf.exe 836 Aeidgbaf.exe 2452 Aidphq32.exe 2452 Aidphq32.exe 2776 Aoohekal.exe 2776 Aoohekal.exe 1540 Aapemc32.exe 1540 Aapemc32.exe 904 Akeijlfq.exe 904 Akeijlfq.exe 772 Ancefgfd.exe 772 Ancefgfd.exe 1584 Agljom32.exe 1584 Agljom32.exe 2268 Bnfblgca.exe 2268 Bnfblgca.exe 2412 Bjmbqhif.exe 2412 Bjmbqhif.exe 2900 Bpjkiogm.exe 2900 Bpjkiogm.exe 2668 Bjoofhgc.exe 2668 Bjoofhgc.exe 2636 Baigca32.exe 2636 Baigca32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gkephn32.exe Ggicgopd.exe File created C:\Windows\SysWOW64\Pplaki32.exe Paiaplin.exe File created C:\Windows\SysWOW64\Fenjme32.dll Omqlpp32.exe File created C:\Windows\SysWOW64\Omlflo32.dll Dphmloih.exe File created C:\Windows\SysWOW64\Gfebgn32.dll Eelkeeah.exe File created C:\Windows\SysWOW64\Mkaohl32.dll Gmpcgace.exe File created C:\Windows\SysWOW64\Fgcejm32.exe Fchijone.exe File opened for modification C:\Windows\SysWOW64\Jpgjgboe.exe Jlkngc32.exe File opened for modification C:\Windows\SysWOW64\Qdncmgbj.exe Qpbglhjq.exe File created C:\Windows\SysWOW64\Mfokinhf.exe Mcqombic.exe File opened for modification C:\Windows\SysWOW64\Afffenbp.exe Achjibcl.exe File created C:\Windows\SysWOW64\Onaiomjo.dll Cbffoabe.exe File opened for modification C:\Windows\SysWOW64\Cojhejbh.exe Cdecha32.exe File created C:\Windows\SysWOW64\Ailhedbj.dll Iibfajdc.exe File created C:\Windows\SysWOW64\Klhemhpk.exe Kjihalag.exe File opened for modification C:\Windows\SysWOW64\Pdonhj32.exe Ppcbgkka.exe File created C:\Windows\SysWOW64\Hgokokhf.dll Pdldnomh.exe File opened for modification C:\Windows\SysWOW64\Bajqfq32.exe Bnldjekl.exe File created C:\Windows\SysWOW64\Phnpagdp.exe Pdbdqh32.exe File created C:\Windows\SysWOW64\Aapemc32.exe Aoohekal.exe File opened for modification C:\Windows\SysWOW64\Nmcmgm32.exe Njdqka32.exe File created C:\Windows\SysWOW64\Fcnkhmdp.exe Fdkklp32.exe File created C:\Windows\SysWOW64\Qgejemnf.dll Cbblda32.exe File opened for modification C:\Windows\SysWOW64\Loqmba32.exe Lpnmgdli.exe File created C:\Windows\SysWOW64\Bmpkqklh.exe Bjbndpmd.exe File created C:\Windows\SysWOW64\Ckmnbg32.exe Cgaaah32.exe File created C:\Windows\SysWOW64\Jhogdg32.dll Cgaaah32.exe File created C:\Windows\SysWOW64\Eniclh32.exe Ekjgpm32.exe File created C:\Windows\SysWOW64\Odjdmjgo.exe Oehdan32.exe File created C:\Windows\SysWOW64\Pljcllqe.exe Pilfpqaa.exe File opened for modification C:\Windows\SysWOW64\Aijbfo32.exe Aflfjc32.exe File opened for modification C:\Windows\SysWOW64\Injndk32.exe Illbhp32.exe File opened for modification C:\Windows\SysWOW64\Ckahkk32.exe Caidaeak.exe File created C:\Windows\SysWOW64\Kgaebl32.dll Kjglkm32.exe File opened for modification C:\Windows\SysWOW64\Ndhlhg32.exe Nnkcpq32.exe File created C:\Windows\SysWOW64\Djgkii32.exe Dldkmlhl.exe File opened for modification C:\Windows\SysWOW64\Emagacdm.exe Eiekpd32.exe File created C:\Windows\SysWOW64\Fbbnekdd.dll Qndkpmkm.exe File created C:\Windows\SysWOW64\Dohgomgf.exe Dljkcb32.exe File created C:\Windows\SysWOW64\Ibanaibn.dll Gmbfggdo.exe File opened for modification C:\Windows\SysWOW64\Jhlmmfef.exe Jenpajfb.exe File opened for modification C:\Windows\SysWOW64\Dmmmfc32.exe Dknajh32.exe File created C:\Windows\SysWOW64\Ffhnoj32.dll Fofpoo32.exe File created C:\Windows\SysWOW64\Qfljkp32.exe Qnebjc32.exe File opened for modification C:\Windows\SysWOW64\Lfkeokjp.exe Lboiol32.exe File created C:\Windows\SysWOW64\Ohfqmi32.exe Odjdmjgo.exe File created C:\Windows\SysWOW64\Bflbigdb.exe Bgibnj32.exe File created C:\Windows\SysWOW64\Jajcdjca.exe Jolghndm.exe File created C:\Windows\SysWOW64\Pfebhg32.dll Njfjnpgp.exe File opened for modification C:\Windows\SysWOW64\Cljodo32.exe Cikbhc32.exe File created C:\Windows\SysWOW64\Hapklimq.exe Hnbopmnm.exe File created C:\Windows\SysWOW64\Knbhlkkc.exe Kjglkm32.exe File opened for modification C:\Windows\SysWOW64\Mmadbjkk.exe Miehak32.exe File opened for modification C:\Windows\SysWOW64\Neknki32.exe Nbmaon32.exe File created C:\Windows\SysWOW64\Qnghel32.exe Qjklenpa.exe File created C:\Windows\SysWOW64\Dlfgcl32.exe Ddpobo32.exe File created C:\Windows\SysWOW64\Gmpcgace.exe Ghdgfbkl.exe File created C:\Windows\SysWOW64\Fchook32.dll Bkegah32.exe File opened for modification C:\Windows\SysWOW64\Dgbdoe32.dll Fhgnge32.exe File created C:\Windows\SysWOW64\Lcomce32.exe Ldllgiek.exe File created C:\Windows\SysWOW64\Lgoboc32.exe Lcdfnehp.exe File created C:\Windows\SysWOW64\Jdodbpja.dll Mgjebg32.exe File created C:\Windows\SysWOW64\Egflhe32.dll Oeehln32.exe File opened for modification C:\Windows\SysWOW64\Beackp32.exe Bfncpcoc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9192 9164 WerFault.exe 911 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqalaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbohehoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkngc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljmdmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjdfjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbdea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qinjgbpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbhmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpflj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnldjekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danmmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eniclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjnjjbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necogkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndmecgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjlheehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kncaojfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akeijlfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieigfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelkeeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcopdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjihalag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcaiiejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiqmlfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicnkdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldoimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppcmncq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbjpom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmpibam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhcegll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giiglhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhgpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfokinhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddfebnoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgalkcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackmih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnqned32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahnac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjokokha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbpde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghajacmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjcme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpgjepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmcibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdklfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohjnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ednbncmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqonbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkacpihj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeidgbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfmllbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbekjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjona32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dedlag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplheofl.dll" Ehkhaqpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjdjjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooahll32.dll" Gpcoib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifdjeoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemncekq.dll" Khoebi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbjpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkpfmnlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logeahbo.dll" Bncaekhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cljodo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcdgejhm.dll" Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkkpkade.dll" Epmfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecnoijbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnflke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbgjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgono32.dll" Dklddhka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnknoogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnbdko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aababceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imglhaji.dll" Jodhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eljnnl32.dll" Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acnjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmcjhdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfpdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npdfhhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmffciep.dll" Bflbigdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klbdgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pghfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpihdl32.dll" Lcofio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmpbdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnmifk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgkleabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmiil32.dll" Kdefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccpcckck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adkqmpip.dll" Iefcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecnoijbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jampjian.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffmkfifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmgpbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkhldafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agngji32.dll" Klhemhpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbgjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgkocj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhnoj32.dll" Fofpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilpge32.dll" Phfmllbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmicfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poedbd32.dll" Dhbhmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giddhc32.dll" Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlkfoig.dll" Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmanal32.dll" Diibag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbbbdcgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdmji32.dll" Jikeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnifja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqfkln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll" Qgjccb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2152 wrote to memory of 1788 2152 fc644d185c356a3466c9cca257b2ac00N.exe 28 PID 2152 wrote to memory of 1788 2152 fc644d185c356a3466c9cca257b2ac00N.exe 28 PID 2152 wrote to memory of 1788 2152 fc644d185c356a3466c9cca257b2ac00N.exe 28 PID 2152 wrote to memory of 1788 2152 fc644d185c356a3466c9cca257b2ac00N.exe 28 PID 1788 wrote to memory of 2172 1788 Pkacpihj.exe 29 PID 1788 wrote to memory of 2172 1788 Pkacpihj.exe 29 PID 1788 wrote to memory of 2172 1788 Pkacpihj.exe 29 PID 1788 wrote to memory of 2172 1788 Pkacpihj.exe 29 PID 2172 wrote to memory of 1572 2172 Pakllc32.exe 30 PID 2172 wrote to memory of 1572 2172 Pakllc32.exe 30 PID 2172 wrote to memory of 1572 2172 Pakllc32.exe 30 PID 2172 wrote to memory of 1572 2172 Pakllc32.exe 30 PID 1572 wrote to memory of 2076 1572 Pggdejno.exe 31 PID 1572 wrote to memory of 2076 1572 Pggdejno.exe 31 PID 1572 wrote to memory of 2076 1572 Pggdejno.exe 31 PID 1572 wrote to memory of 2076 1572 Pggdejno.exe 31 PID 2076 wrote to memory of 2964 2076 Pnalad32.exe 32 PID 2076 wrote to memory of 2964 2076 Pnalad32.exe 32 PID 2076 wrote to memory of 2964 2076 Pnalad32.exe 32 PID 2076 wrote to memory of 2964 2076 Pnalad32.exe 32 PID 2964 wrote to memory of 2696 2964 Pdldnomh.exe 33 PID 2964 wrote to memory of 2696 2964 Pdldnomh.exe 33 PID 2964 wrote to memory of 2696 2964 Pdldnomh.exe 33 PID 2964 wrote to memory of 2696 2964 Pdldnomh.exe 33 PID 2696 wrote to memory of 2724 2696 Qgjqjjll.exe 34 PID 2696 wrote to memory of 2724 2696 Qgjqjjll.exe 34 PID 2696 wrote to memory of 2724 2696 Qgjqjjll.exe 34 PID 2696 wrote to memory of 2724 2696 Qgjqjjll.exe 34 PID 2724 wrote to memory of 760 2724 Qmgibqjc.exe 35 PID 2724 wrote to memory of 760 2724 Qmgibqjc.exe 35 PID 2724 wrote to memory of 760 2724 Qmgibqjc.exe 35 PID 2724 wrote to memory of 760 2724 Qmgibqjc.exe 35 PID 760 wrote to memory of 2532 760 Qoeeolig.exe 36 PID 760 wrote to memory of 2532 760 Qoeeolig.exe 36 PID 760 wrote to memory of 2532 760 Qoeeolig.exe 36 PID 760 wrote to memory of 2532 760 Qoeeolig.exe 36 PID 2532 wrote to memory of 2564 2532 Qfonkfqd.exe 37 PID 2532 wrote to memory of 2564 2532 Qfonkfqd.exe 37 PID 2532 wrote to memory of 2564 2532 Qfonkfqd.exe 37 PID 2532 wrote to memory of 2564 2532 Qfonkfqd.exe 37 PID 2564 wrote to memory of 1856 2564 Qinjgbpg.exe 38 PID 2564 wrote to memory of 1856 2564 Qinjgbpg.exe 38 PID 2564 wrote to memory of 1856 2564 Qinjgbpg.exe 38 PID 2564 wrote to memory of 1856 2564 Qinjgbpg.exe 38 PID 1856 wrote to memory of 1636 1856 Qqdbiopj.exe 39 PID 1856 wrote to memory of 1636 1856 Qqdbiopj.exe 39 PID 1856 wrote to memory of 1636 1856 Qqdbiopj.exe 39 PID 1856 wrote to memory of 1636 1856 Qqdbiopj.exe 39 PID 1636 wrote to memory of 2460 1636 Accnekon.exe 40 PID 1636 wrote to memory of 2460 1636 Accnekon.exe 40 PID 1636 wrote to memory of 2460 1636 Accnekon.exe 40 PID 1636 wrote to memory of 2460 1636 Accnekon.exe 40 PID 2460 wrote to memory of 2012 2460 Afajafoa.exe 41 PID 2460 wrote to memory of 2012 2460 Afajafoa.exe 41 PID 2460 wrote to memory of 2012 2460 Afajafoa.exe 41 PID 2460 wrote to memory of 2012 2460 Afajafoa.exe 41 PID 2012 wrote to memory of 1624 2012 Amkbnp32.exe 42 PID 2012 wrote to memory of 1624 2012 Amkbnp32.exe 42 PID 2012 wrote to memory of 1624 2012 Amkbnp32.exe 42 PID 2012 wrote to memory of 1624 2012 Amkbnp32.exe 42 PID 1624 wrote to memory of 2556 1624 Aojojl32.exe 43 PID 1624 wrote to memory of 2556 1624 Aojojl32.exe 43 PID 1624 wrote to memory of 2556 1624 Aojojl32.exe 43 PID 1624 wrote to memory of 2556 1624 Aojojl32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc644d185c356a3466c9cca257b2ac00N.exe"C:\Users\Admin\AppData\Local\Temp\fc644d185c356a3466c9cca257b2ac00N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:904 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:792 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe28⤵
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe35⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe36⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe37⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe38⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe39⤵
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe40⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe42⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe43⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe44⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe45⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe48⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe49⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe51⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe53⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe54⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe55⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe56⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe59⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe60⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe62⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe63⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe64⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Dgmbkk32.exeC:\Windows\system32\Dgmbkk32.exe65⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe66⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe67⤵PID:2584
-
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe68⤵
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe69⤵PID:1336
-
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe70⤵PID:1272
-
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe71⤵PID:932
-
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe72⤵PID:2184
-
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe73⤵PID:1580
-
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe74⤵PID:1808
-
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe75⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe77⤵PID:2612
-
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe78⤵PID:2744
-
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe79⤵PID:2936
-
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe80⤵PID:2028
-
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe81⤵PID:1092
-
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe82⤵PID:2304
-
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe83⤵PID:744
-
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe84⤵PID:2780
-
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe85⤵PID:2820
-
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2812 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe87⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe88⤵
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe89⤵PID:1592
-
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe90⤵PID:2968
-
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe91⤵PID:1464
-
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe92⤵PID:2860
-
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe93⤵PID:2916
-
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe94⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe96⤵PID:1752
-
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe97⤵PID:1816
-
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe98⤵PID:2804
-
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe99⤵PID:2764
-
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe100⤵PID:600
-
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe101⤵
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe102⤵PID:1376
-
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe104⤵PID:2408
-
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe105⤵PID:2732
-
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe107⤵PID:2492
-
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe108⤵
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe109⤵PID:1508
-
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe110⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe111⤵PID:1048
-
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe112⤵
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe114⤵PID:808
-
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe115⤵PID:2168
-
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe116⤵PID:1116
-
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe117⤵PID:2892
-
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe118⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe119⤵PID:2748
-
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe120⤵PID:2540
-
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1872
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-