Analysis
-
max time kernel
40s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
13/09/2024, 19:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4d0a96a7c49ee0a4908c4eca17d70360N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
4d0a96a7c49ee0a4908c4eca17d70360N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
4d0a96a7c49ee0a4908c4eca17d70360N.exe
-
Size
96KB
-
MD5
4d0a96a7c49ee0a4908c4eca17d70360
-
SHA1
1f51d5c21d3b81350d0642458899973c991c86da
-
SHA256
fe6e11e7ee5a26278bcb4bcd69eefa8d70c52226cbf18fd0747b33d0cc4b0af8
-
SHA512
16610f1e187e324028d5d891068ef6b2501d57a27681c722c2dfe521e4416cacf82f1aa296d9be8bcc6ec28b1d660490e1ab1020dd7008833b50d143f614d3ce
-
SSDEEP
1536:4rBLfISkQOwD8yX9+4VmVcdZ2JVQBKoC/CKniTCvVAva61hLDnePhVsWzRADTi4Z:4rBLfInQXD8y04IVqZ2fQkbn1vVAva61
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckeekp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chiedc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjjcqpbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqdioaqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdkpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Allbpqcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdiciboh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cclmlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpehje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknmplji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeajcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcoal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocnanmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehphdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipdci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdigocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lejbhbpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkjjofe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nppceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pemdic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmffhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpemkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idncdgai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jookedhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocbekmpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbfpafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eklgjbca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffahgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chiedc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmdmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Micnbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdpjjaiq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Befcne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnoqbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpqoofhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgaikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaojiqej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnlobhne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjehlldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjhfkqdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmmihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdlkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igmppcpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpiqel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgbeqjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifcdbhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abejlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edbonh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eclejclg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbbcjic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihefjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaagnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najbbepc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlleni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jakjlpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdpfiekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhlmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilihij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgaikb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onelbfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baannfim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmoone32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpfoa32.exe -
Executes dropped EXE 64 IoCs
pid Process 780 Kkpekjie.exe 2264 Kbjmhd32.exe 2760 Kicednho.exe 268 Kaojiqej.exe 2904 Kldofi32.exe 2564 Kaagnp32.exe 2616 Kfnpgg32.exe 2816 Lmhhcaik.exe 1572 Ljlhme32.exe 2104 Lmjdia32.exe 2652 Lpiqel32.exe 548 Liaenblm.exe 376 Lfeegfkf.exe 1984 Licbca32.exe 2356 Lpmjplag.exe 2448 Lejbhbpn.exe 1792 Lobgah32.exe 1640 Mihkoa32.exe 1552 Mlfgkleh.exe 744 Macpcccp.exe 2096 Mlidplcf.exe 2288 Mogqlgbi.exe 2976 Mafmhcam.exe 1500 Mgbeqjpd.exe 2324 Mojmbg32.exe 2772 Mpkjjofe.exe 2716 Mhbakmgg.exe 2820 Micnbe32.exe 2732 Mggoli32.exe 1932 Mkcjlhdh.exe 2408 Nppceo32.exe 1236 Ngikaijm.exe 1140 Nelkme32.exe 2860 Nlfdjphd.exe 2864 Noepfkgh.exe 1656 Nglhghgj.exe 544 Nijdcdgn.exe 2156 Nhmdoq32.exe 2044 Npdlpnnj.exe 572 Naeigf32.exe 2284 Nimaic32.exe 672 Nhpadpke.exe 1940 Nknmplji.exe 1732 Noiiaj32.exe 1216 Nahemf32.exe 1768 Necandjo.exe 2068 Nhbnjpic.exe 2696 Nkpjfkhf.exe 2680 Nolffjap.exe 2596 Najbbepc.exe 3024 Ndhooaog.exe 3064 Ohdkop32.exe 1804 Okbgkk32.exe 2468 Onacgf32.exe 2852 Opoocb32.exe 3040 Ohfgeo32.exe 1864 Okecak32.exe 448 Oncpmf32.exe 2148 Oqaliabh.exe 2192 Ocphembl.exe 2892 Okgpfjbo.exe 2932 Onelbfab.exe 312 Oqdioaqf.exe 1992 Ocbekmpi.exe -
Loads dropped DLL 64 IoCs
pid Process 2840 4d0a96a7c49ee0a4908c4eca17d70360N.exe 2840 4d0a96a7c49ee0a4908c4eca17d70360N.exe 780 Kkpekjie.exe 780 Kkpekjie.exe 2264 Kbjmhd32.exe 2264 Kbjmhd32.exe 2760 Kicednho.exe 2760 Kicednho.exe 268 Kaojiqej.exe 268 Kaojiqej.exe 2904 Kldofi32.exe 2904 Kldofi32.exe 2564 Kaagnp32.exe 2564 Kaagnp32.exe 2616 Kfnpgg32.exe 2616 Kfnpgg32.exe 2816 Lmhhcaik.exe 2816 Lmhhcaik.exe 1572 Ljlhme32.exe 1572 Ljlhme32.exe 2104 Lmjdia32.exe 2104 Lmjdia32.exe 2652 Lpiqel32.exe 2652 Lpiqel32.exe 548 Liaenblm.exe 548 Liaenblm.exe 376 Lfeegfkf.exe 376 Lfeegfkf.exe 1984 Licbca32.exe 1984 Licbca32.exe 2356 Lpmjplag.exe 2356 Lpmjplag.exe 2448 Lejbhbpn.exe 2448 Lejbhbpn.exe 1792 Lobgah32.exe 1792 Lobgah32.exe 1640 Mihkoa32.exe 1640 Mihkoa32.exe 1552 Mlfgkleh.exe 1552 Mlfgkleh.exe 744 Macpcccp.exe 744 Macpcccp.exe 2096 Mlidplcf.exe 2096 Mlidplcf.exe 2288 Mogqlgbi.exe 2288 Mogqlgbi.exe 2976 Mafmhcam.exe 2976 Mafmhcam.exe 1500 Mgbeqjpd.exe 1500 Mgbeqjpd.exe 2324 Mojmbg32.exe 2324 Mojmbg32.exe 2772 Mpkjjofe.exe 2772 Mpkjjofe.exe 2716 Mhbakmgg.exe 2716 Mhbakmgg.exe 2820 Micnbe32.exe 2820 Micnbe32.exe 2732 Mggoli32.exe 2732 Mggoli32.exe 1932 Mkcjlhdh.exe 1932 Mkcjlhdh.exe 2408 Nppceo32.exe 2408 Nppceo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mlfgkleh.exe Mihkoa32.exe File created C:\Windows\SysWOW64\Ejfnfn32.exe Ekcmkamj.exe File created C:\Windows\SysWOW64\Gmipmlan.exe Gnfoao32.exe File created C:\Windows\SysWOW64\Pkeppngm.exe Pifcdbhi.exe File created C:\Windows\SysWOW64\Bdbfpafn.exe Blkoocfl.exe File opened for modification C:\Windows\SysWOW64\Iccqedfa.exe Idqpjg32.exe File created C:\Windows\SysWOW64\Jdlomqkj.dll Mgbeqjpd.exe File created C:\Windows\SysWOW64\Icemeqoi.dll Pmpcoabe.exe File created C:\Windows\SysWOW64\Pobhfl32.exe Piipibff.exe File created C:\Windows\SysWOW64\Bbhgbj32.exe Ajqoqm32.exe File created C:\Windows\SysWOW64\Clphjc32.exe Cialng32.exe File opened for modification C:\Windows\SysWOW64\Dppiddie.exe Dhiacg32.exe File opened for modification C:\Windows\SysWOW64\Dbaflm32.exe Dcofqphi.exe File opened for modification C:\Windows\SysWOW64\Kkpekjie.exe 4d0a96a7c49ee0a4908c4eca17d70360N.exe File created C:\Windows\SysWOW64\Pcllam32.dll Mafmhcam.exe File created C:\Windows\SysWOW64\Dlomfh32.dll Hpckee32.exe File opened for modification C:\Windows\SysWOW64\Gbmbgngb.exe Gnaffpoi.exe File created C:\Windows\SysWOW64\Ihcidgpj.exe Iedmhlqf.exe File opened for modification C:\Windows\SysWOW64\Ikhlaaif.exe Igmppcpm.exe File opened for modification C:\Windows\SysWOW64\Jojaje32.exe Jpgaohej.exe File created C:\Windows\SysWOW64\Gnfoao32.exe Gjjcqpbj.exe File opened for modification C:\Windows\SysWOW64\Jgaikb32.exe Jojaje32.exe File opened for modification C:\Windows\SysWOW64\Aikine32.exe Aflmbj32.exe File opened for modification C:\Windows\SysWOW64\Bmhncg32.exe Bkjbgk32.exe File created C:\Windows\SysWOW64\Dmkhid32.dll Cgcoal32.exe File created C:\Windows\SysWOW64\Nkfpmm32.dll Fpecddpi.exe File created C:\Windows\SysWOW64\Ngfepoaa.dll Pemdic32.exe File created C:\Windows\SysWOW64\Bfoffmhd.exe Bdpjjaiq.exe File created C:\Windows\SysWOW64\Eojpqpih.exe Ekndpa32.exe File opened for modification C:\Windows\SysWOW64\Ilihij32.exe Infhmmhi.exe File created C:\Windows\SysWOW64\Paficbda.dll Jcjffc32.exe File created C:\Windows\SysWOW64\Okgpfjbo.exe Ocphembl.exe File created C:\Windows\SysWOW64\Cialng32.exe Cgcoal32.exe File created C:\Windows\SysWOW64\Jqgkkj32.dll Fmffhi32.exe File created C:\Windows\SysWOW64\Ffcdlncp.exe Fcehpbdm.exe File created C:\Windows\SysWOW64\Bpfaqm32.dll Ghqqpd32.exe File created C:\Windows\SysWOW64\Qpfpde32.dll Qnlobhne.exe File created C:\Windows\SysWOW64\Naconeen.dll Bakgmgpe.exe File opened for modification C:\Windows\SysWOW64\Fpliec32.exe Fmnmih32.exe File created C:\Windows\SysWOW64\Idncdgai.exe Iapghlbe.exe File created C:\Windows\SysWOW64\Ohfgeo32.exe Opoocb32.exe File created C:\Windows\SysWOW64\Oehiod32.dll Aliejq32.exe File created C:\Windows\SysWOW64\Bmfpgbcf.dll Dgclpp32.exe File opened for modification C:\Windows\SysWOW64\Gjomlp32.exe Ghqqpd32.exe File opened for modification C:\Windows\SysWOW64\Okecak32.exe Ohfgeo32.exe File created C:\Windows\SysWOW64\Bmhncg32.exe Bkjbgk32.exe File created C:\Windows\SysWOW64\Jnpioe32.dll Fefdhj32.exe File created C:\Windows\SysWOW64\Ihefjg32.exe Idjjih32.exe File opened for modification C:\Windows\SysWOW64\Ikfokb32.exe Igjckcbo.exe File created C:\Windows\SysWOW64\Ciekbj32.dll Infhmmhi.exe File created C:\Windows\SysWOW64\Adbbfabn.dll Jkcoee32.exe File opened for modification C:\Windows\SysWOW64\Ohdkop32.exe Ndhooaog.exe File created C:\Windows\SysWOW64\Hfhjfp32.exe Hbmnfajm.exe File created C:\Windows\SysWOW64\Micnbe32.exe Mhbakmgg.exe File created C:\Windows\SysWOW64\Jmjibdoi.dll Poplqm32.exe File created C:\Windows\SysWOW64\Joeaefka.dll Pobhfl32.exe File created C:\Windows\SysWOW64\Dcjleq32.exe Ddgljced.exe File created C:\Windows\SysWOW64\Jccjek32.dll Gmipmlan.exe File created C:\Windows\SysWOW64\Meieho32.dll Hepdml32.exe File opened for modification C:\Windows\SysWOW64\Kaagnp32.exe Kldofi32.exe File created C:\Windows\SysWOW64\Dhknigfq.exe Djhnmj32.exe File opened for modification C:\Windows\SysWOW64\Ojlmgg32.exe Ognakk32.exe File created C:\Windows\SysWOW64\Pbaebh32.exe Pobhfl32.exe File created C:\Windows\SysWOW64\Ioebelhe.dll Doqmjaac.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4264 4236 WerFault.exe 358 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nelkme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclejclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghndjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiedc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgclpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flcjjdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhqmogam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojeka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojpqpih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbdif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idqpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okecak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcigjolm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamhdckg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amdhidqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdnmda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojlmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooiepnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aikine32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecabfpff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjckcbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbobn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfokb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naeigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajqoqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkoocfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beccgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjegl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobgah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmipmlan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opoocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfgeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbaflm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomaaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcnmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeajcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnbjfjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqfeda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhcgjkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdkpob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfoffmhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Colgpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmppcpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqdend32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boadlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmffhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghekobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmmihk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaknmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4d0a96a7c49ee0a4908c4eca17d70360N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfdjphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocphembl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflmbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgljced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikhlaaif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmibn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhebij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enjcfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnmih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpledf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micnbe32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dppiddie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgaikb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opoocb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onelbfab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ognakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkeppngm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmil32.dll" Dcjleq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocphembl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fedgnqao.dll" Allbpqcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcofqphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edghighp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpnbjfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcclni32.dll" Ognakk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgcoal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apcngn32.dll" Dppiddie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojjdb32.dll" Bfliqmjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gigjch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngikaijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckeekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edghoc32.dll" Acldpojj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Angafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dklkkoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoclac32.dll" Ippkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didpkp32.dll" Ghcmedmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojlmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfegakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgeihnn.dll" Ekcmkamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffokan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debmplbf.dll" Gjomlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nppceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eedcdcoc.dll" Onelbfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efoobkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikcbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlngdfab.dll" Iebmaoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdlomqkj.dll" Mgbeqjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbkgfki.dll" Dbaflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcbii32.dll" Hbokkagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhaeje32.dll" Hhnpih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfdigocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpqoofhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlfgkleh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najbbepc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okgpfjbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abaaakob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abejlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edieng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qinack32.dll" Kaagnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmoone32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajqoqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofhmfe32.dll" Bmhncg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cclmlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npmfgd32.dll" Hiichkog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igmppcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnfoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbcdfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkoikcaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nknmplji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdkgcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkiikm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aipbidbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckgapo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgnbepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbcfc32.dll" Hbcdfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hojeka32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2840 wrote to memory of 780 2840 4d0a96a7c49ee0a4908c4eca17d70360N.exe 29 PID 2840 wrote to memory of 780 2840 4d0a96a7c49ee0a4908c4eca17d70360N.exe 29 PID 2840 wrote to memory of 780 2840 4d0a96a7c49ee0a4908c4eca17d70360N.exe 29 PID 2840 wrote to memory of 780 2840 4d0a96a7c49ee0a4908c4eca17d70360N.exe 29 PID 780 wrote to memory of 2264 780 Kkpekjie.exe 30 PID 780 wrote to memory of 2264 780 Kkpekjie.exe 30 PID 780 wrote to memory of 2264 780 Kkpekjie.exe 30 PID 780 wrote to memory of 2264 780 Kkpekjie.exe 30 PID 2264 wrote to memory of 2760 2264 Kbjmhd32.exe 31 PID 2264 wrote to memory of 2760 2264 Kbjmhd32.exe 31 PID 2264 wrote to memory of 2760 2264 Kbjmhd32.exe 31 PID 2264 wrote to memory of 2760 2264 Kbjmhd32.exe 31 PID 2760 wrote to memory of 268 2760 Kicednho.exe 32 PID 2760 wrote to memory of 268 2760 Kicednho.exe 32 PID 2760 wrote to memory of 268 2760 Kicednho.exe 32 PID 2760 wrote to memory of 268 2760 Kicednho.exe 32 PID 268 wrote to memory of 2904 268 Kaojiqej.exe 33 PID 268 wrote to memory of 2904 268 Kaojiqej.exe 33 PID 268 wrote to memory of 2904 268 Kaojiqej.exe 33 PID 268 wrote to memory of 2904 268 Kaojiqej.exe 33 PID 2904 wrote to memory of 2564 2904 Kldofi32.exe 34 PID 2904 wrote to memory of 2564 2904 Kldofi32.exe 34 PID 2904 wrote to memory of 2564 2904 Kldofi32.exe 34 PID 2904 wrote to memory of 2564 2904 Kldofi32.exe 34 PID 2564 wrote to memory of 2616 2564 Kaagnp32.exe 35 PID 2564 wrote to memory of 2616 2564 Kaagnp32.exe 35 PID 2564 wrote to memory of 2616 2564 Kaagnp32.exe 35 PID 2564 wrote to memory of 2616 2564 Kaagnp32.exe 35 PID 2616 wrote to memory of 2816 2616 Kfnpgg32.exe 36 PID 2616 wrote to memory of 2816 2616 Kfnpgg32.exe 36 PID 2616 wrote to memory of 2816 2616 Kfnpgg32.exe 36 PID 2616 wrote to memory of 2816 2616 Kfnpgg32.exe 36 PID 2816 wrote to memory of 1572 2816 Lmhhcaik.exe 37 PID 2816 wrote to memory of 1572 2816 Lmhhcaik.exe 37 PID 2816 wrote to memory of 1572 2816 Lmhhcaik.exe 37 PID 2816 wrote to memory of 1572 2816 Lmhhcaik.exe 37 PID 1572 wrote to memory of 2104 1572 Ljlhme32.exe 38 PID 1572 wrote to memory of 2104 1572 Ljlhme32.exe 38 PID 1572 wrote to memory of 2104 1572 Ljlhme32.exe 38 PID 1572 wrote to memory of 2104 1572 Ljlhme32.exe 38 PID 2104 wrote to memory of 2652 2104 Lmjdia32.exe 39 PID 2104 wrote to memory of 2652 2104 Lmjdia32.exe 39 PID 2104 wrote to memory of 2652 2104 Lmjdia32.exe 39 PID 2104 wrote to memory of 2652 2104 Lmjdia32.exe 39 PID 2652 wrote to memory of 548 2652 Lpiqel32.exe 40 PID 2652 wrote to memory of 548 2652 Lpiqel32.exe 40 PID 2652 wrote to memory of 548 2652 Lpiqel32.exe 40 PID 2652 wrote to memory of 548 2652 Lpiqel32.exe 40 PID 548 wrote to memory of 376 548 Liaenblm.exe 41 PID 548 wrote to memory of 376 548 Liaenblm.exe 41 PID 548 wrote to memory of 376 548 Liaenblm.exe 41 PID 548 wrote to memory of 376 548 Liaenblm.exe 41 PID 376 wrote to memory of 1984 376 Lfeegfkf.exe 42 PID 376 wrote to memory of 1984 376 Lfeegfkf.exe 42 PID 376 wrote to memory of 1984 376 Lfeegfkf.exe 42 PID 376 wrote to memory of 1984 376 Lfeegfkf.exe 42 PID 1984 wrote to memory of 2356 1984 Licbca32.exe 43 PID 1984 wrote to memory of 2356 1984 Licbca32.exe 43 PID 1984 wrote to memory of 2356 1984 Licbca32.exe 43 PID 1984 wrote to memory of 2356 1984 Licbca32.exe 43 PID 2356 wrote to memory of 2448 2356 Lpmjplag.exe 44 PID 2356 wrote to memory of 2448 2356 Lpmjplag.exe 44 PID 2356 wrote to memory of 2448 2356 Lpmjplag.exe 44 PID 2356 wrote to memory of 2448 2356 Lpmjplag.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d0a96a7c49ee0a4908c4eca17d70360N.exe"C:\Users\Admin\AppData\Local\Temp\4d0a96a7c49ee0a4908c4eca17d70360N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Kicednho.exeC:\Windows\system32\Kicednho.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Kaojiqej.exeC:\Windows\system32\Kaojiqej.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\Kldofi32.exeC:\Windows\system32\Kldofi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Kaagnp32.exeC:\Windows\system32\Kaagnp32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Kfnpgg32.exeC:\Windows\system32\Kfnpgg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Lmhhcaik.exeC:\Windows\system32\Lmhhcaik.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Ljlhme32.exeC:\Windows\system32\Ljlhme32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Lmjdia32.exeC:\Windows\system32\Lmjdia32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Lpiqel32.exeC:\Windows\system32\Lpiqel32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Liaenblm.exeC:\Windows\system32\Liaenblm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Lfeegfkf.exeC:\Windows\system32\Lfeegfkf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Licbca32.exeC:\Windows\system32\Licbca32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Lpmjplag.exeC:\Windows\system32\Lpmjplag.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Mlfgkleh.exeC:\Windows\system32\Mlfgkleh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Macpcccp.exeC:\Windows\system32\Macpcccp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:744 -
C:\Windows\SysWOW64\Mlidplcf.exeC:\Windows\system32\Mlidplcf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Mogqlgbi.exeC:\Windows\system32\Mogqlgbi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Mafmhcam.exeC:\Windows\system32\Mafmhcam.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Mgbeqjpd.exeC:\Windows\system32\Mgbeqjpd.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Mojmbg32.exeC:\Windows\system32\Mojmbg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Mpkjjofe.exeC:\Windows\system32\Mpkjjofe.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Mhbakmgg.exeC:\Windows\system32\Mhbakmgg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Micnbe32.exeC:\Windows\system32\Micnbe32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Mggoli32.exeC:\Windows\system32\Mggoli32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Mkcjlhdh.exeC:\Windows\system32\Mkcjlhdh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Nppceo32.exeC:\Windows\system32\Nppceo32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Ngikaijm.exeC:\Windows\system32\Ngikaijm.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Nelkme32.exeC:\Windows\system32\Nelkme32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Windows\SysWOW64\Nlfdjphd.exeC:\Windows\system32\Nlfdjphd.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Noepfkgh.exeC:\Windows\system32\Noepfkgh.exe36⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Nglhghgj.exeC:\Windows\system32\Nglhghgj.exe37⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Nijdcdgn.exeC:\Windows\system32\Nijdcdgn.exe38⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Nhmdoq32.exeC:\Windows\system32\Nhmdoq32.exe39⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Npdlpnnj.exeC:\Windows\system32\Npdlpnnj.exe40⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Naeigf32.exeC:\Windows\system32\Naeigf32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:572 -
C:\Windows\SysWOW64\Nimaic32.exeC:\Windows\system32\Nimaic32.exe42⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Nhpadpke.exeC:\Windows\system32\Nhpadpke.exe43⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Nknmplji.exeC:\Windows\system32\Nknmplji.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Noiiaj32.exeC:\Windows\system32\Noiiaj32.exe45⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Nahemf32.exeC:\Windows\system32\Nahemf32.exe46⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Necandjo.exeC:\Windows\system32\Necandjo.exe47⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Nhbnjpic.exeC:\Windows\system32\Nhbnjpic.exe48⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Nkpjfkhf.exeC:\Windows\system32\Nkpjfkhf.exe49⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Nolffjap.exeC:\Windows\system32\Nolffjap.exe50⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Ndhooaog.exeC:\Windows\system32\Ndhooaog.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe53⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Okbgkk32.exeC:\Windows\system32\Okbgkk32.exe54⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Onacgf32.exeC:\Windows\system32\Onacgf32.exe55⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Opoocb32.exeC:\Windows\system32\Opoocb32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Ohfgeo32.exeC:\Windows\system32\Ohfgeo32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\Oncpmf32.exeC:\Windows\system32\Oncpmf32.exe59⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Oqaliabh.exeC:\Windows\system32\Oqaliabh.exe60⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Ocphembl.exeC:\Windows\system32\Ocphembl.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Okgpfjbo.exeC:\Windows\system32\Okgpfjbo.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Onelbfab.exeC:\Windows\system32\Onelbfab.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Oqdioaqf.exeC:\Windows\system32\Oqdioaqf.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Ocbekmpi.exeC:\Windows\system32\Ocbekmpi.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ognakk32.exeC:\Windows\system32\Ognakk32.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Ojlmgg32.exeC:\Windows\system32\Ojlmgg32.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Oqfeda32.exeC:\Windows\system32\Oqfeda32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Windows\SysWOW64\Ooiepnen.exeC:\Windows\system32\Ooiepnen.exe69⤵
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Ofcnmh32.exeC:\Windows\system32\Ofcnmh32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Ohajic32.exeC:\Windows\system32\Ohajic32.exe71⤵PID:2788
-
C:\Windows\SysWOW64\Ommfibdg.exeC:\Windows\system32\Ommfibdg.exe72⤵PID:1980
-
C:\Windows\SysWOW64\Polbemck.exeC:\Windows\system32\Polbemck.exe73⤵PID:2360
-
C:\Windows\SysWOW64\Pbjoaibo.exeC:\Windows\system32\Pbjoaibo.exe74⤵PID:736
-
C:\Windows\SysWOW64\Pjafbfca.exeC:\Windows\system32\Pjafbfca.exe75⤵PID:2876
-
C:\Windows\SysWOW64\Pmpcoabe.exeC:\Windows\system32\Pmpcoabe.exe76⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Ponokmah.exeC:\Windows\system32\Ponokmah.exe77⤵PID:1076
-
C:\Windows\SysWOW64\Pblkgh32.exeC:\Windows\system32\Pblkgh32.exe78⤵PID:1536
-
C:\Windows\SysWOW64\Pdkgcd32.exeC:\Windows\system32\Pdkgcd32.exe79⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Pifcdbhi.exeC:\Windows\system32\Pifcdbhi.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe81⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Poplqm32.exeC:\Windows\system32\Poplqm32.exe82⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe83⤵PID:2132
-
C:\Windows\SysWOW64\Pemdic32.exeC:\Windows\system32\Pemdic32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Piipibff.exeC:\Windows\system32\Piipibff.exe85⤵
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\Pobhfl32.exeC:\Windows\system32\Pobhfl32.exe86⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Pbaebh32.exeC:\Windows\system32\Pbaebh32.exe87⤵PID:2748
-
C:\Windows\SysWOW64\Pqdend32.exeC:\Windows\system32\Pqdend32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe89⤵PID:2276
-
C:\Windows\SysWOW64\Pkiikm32.exeC:\Windows\system32\Pkiikm32.exe90⤵
- Modifies registry class
PID:284 -
C:\Windows\SysWOW64\Pnhegi32.exeC:\Windows\system32\Pnhegi32.exe91⤵PID:2296
-
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe92⤵PID:2740
-
C:\Windows\SysWOW64\Pcdnpp32.exeC:\Windows\system32\Pcdnpp32.exe93⤵PID:2460
-
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe94⤵PID:2164
-
C:\Windows\SysWOW64\Qcgkeonp.exeC:\Windows\system32\Qcgkeonp.exe95⤵PID:1972
-
C:\Windows\SysWOW64\Qfegakmc.exeC:\Windows\system32\Qfegakmc.exe96⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Qnlobhne.exeC:\Windows\system32\Qnlobhne.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Qmoone32.exeC:\Windows\system32\Qmoone32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe99⤵
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Afhcgjkq.exeC:\Windows\system32\Afhcgjkq.exe100⤵
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe101⤵PID:2604
-
C:\Windows\SysWOW64\Amalcd32.exeC:\Windows\system32\Amalcd32.exe102⤵PID:3020
-
C:\Windows\SysWOW64\Aamhdckg.exeC:\Windows\system32\Aamhdckg.exe103⤵
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Acldpojj.exeC:\Windows\system32\Acldpojj.exe104⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Afjplj32.exeC:\Windows\system32\Afjplj32.exe105⤵PID:3012
-
C:\Windows\SysWOW64\Ajelmiag.exeC:\Windows\system32\Ajelmiag.exe106⤵PID:2984
-
C:\Windows\SysWOW64\Amdhidqk.exeC:\Windows\system32\Amdhidqk.exe107⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Apbeeppo.exeC:\Windows\system32\Apbeeppo.exe108⤵PID:2312
-
C:\Windows\SysWOW64\Abaaakob.exeC:\Windows\system32\Abaaakob.exe109⤵
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Aflmbj32.exeC:\Windows\system32\Aflmbj32.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:476 -
C:\Windows\SysWOW64\Aikine32.exeC:\Windows\system32\Aikine32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Aliejq32.exeC:\Windows\system32\Aliejq32.exe112⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Angafl32.exeC:\Windows\system32\Angafl32.exe113⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Abcngkmp.exeC:\Windows\system32\Abcngkmp.exe114⤵PID:2584
-
C:\Windows\SysWOW64\Aeajcf32.exeC:\Windows\system32\Aeajcf32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Ahpfoa32.exeC:\Windows\system32\Ahpfoa32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Allbpqcp.exeC:\Windows\system32\Allbpqcp.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Apgnpo32.exeC:\Windows\system32\Apgnpo32.exe118⤵PID:2808
-
C:\Windows\SysWOW64\Abejlj32.exeC:\Windows\system32\Abejlj32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Aedghf32.exeC:\Windows\system32\Aedghf32.exe120⤵PID:1504
-
C:\Windows\SysWOW64\Aipbidbj.exeC:\Windows\system32\Aipbidbj.exe121⤵
- Modifies registry class
PID:1744
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-